CYSE 368 REFLECTION PAPER 3

Joshua Oania

Reflection Paper 3

Date: 4/12/26

ODU Spring 2026

Earth Viability Center

Professor Teresa Duvall/TA Joshua Russell

Internship Reflection Paper

The last 50 hours of my internship were spent conducting a code review of the Place4Us platform’s input validation capabilities. Place4Us has many input entry points, from commenting on a post to uploading files to the platform. That said, there are two PHP files in particular that validate user input: functions.php and special_functions.php.

The functions.php file has three functions: one that looks for input that resembles code (function cleanText($string)), one that replaces that input with a random set of strings (function cleanTextB($string)), and one that then automatically blocks the user and logs them out (function blockCurrentUser()). The special_functions.php file, on the other hand, checks uploaded files (function checkUploadedFile()). It checks whether the uploaded file’s extension is allowed and whether its MIME type matches the extension; if it doesn’t, the user is unable to upload the file. Basically, the file extension tells people what the contents of a file are supposed to be; it is essentially the label on a box. The MIME value, on the other hand, describes the contents inside the box. It is important that the file extension matches the MIME value, because a file pretending to be something else could be potentially malicious. For instance, an attacker can disguise an executable file as a PDF.

Analyzing the two files, I found several issues. One of those issues is the list of allowed file types and MIME values. Three in particular were of big concern: .xls, .swf, and .zip. The first extension, .xls, is the old Excel file type. Excel files (especially older versions) are a major concern because they can contain macros, which are embedded scripts that automate tasks. So, for example, in Excel, macros would allow a user to create graphs (among other functions, of course). However, attackers can manipulate those scripts to perform malicious actions. The second extension, .swf, is the format for Adobe Flash Player (which has long been deprecated due to a long, extensive history of security bugs and exploits). Lastly, a .zip file is basically a folder compressed into a single file. Zip files can be concerning because it’s difficult to verify what is inside unless they’re opened, posing a significant security risk.

Another issue I found was that each file extension had only one MIME type associated with it, whereas it is entirely possible for a single extension to have multiple valid MIME values. For example, Zip files can carry both the “application/zip” and “application/x-zip-compressed” MIME types, depending on the system that produced the label (Windows, Linux, browsers, libraries).
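To illustrate the two points above, here is an added example (my own illustration, not the Place4Us checkUploadedFile() code): an allowlist-based upload check that permits more than one MIME value per extension, compares both the browser-declared type and the type sniffed from the file’s leading bytes against that allowlist, and leaves .xls, .swf and .zip out. The magic-byte table, the allowlist and the sample uploads are constructed for the example.

```python
# Added example, not Place4Us code: upload validation with several MIME
# values per extension and content sniffing instead of trusting the label.
import os

# Every MIME label a file with this extension may legitimately carry.
# zip/xls/swf are deliberately absent (a zip entry, if ever allowed, would
# need both "application/zip" and "application/x-zip-compressed").
ALLOWED = {
    "pdf":  {"application/pdf"},
    "png":  {"image/png"},
    "jpg":  {"image/jpeg", "image/pjpeg"},
    "jpeg": {"image/jpeg", "image/pjpeg"},
}

# Minimal constructed magic-byte table; a deployment would use libmagic
# (PHP's finfo) rather than hand-rolled signatures.
SIGNATURES = [
    (b"%PDF-",                            "application/pdf"),
    (b"\x89PNG\r\n\x1a\n",                "image/png"),
    (b"\xff\xd8\xff",                     "image/jpeg"),
    (b"PK\x03\x04",                       "application/zip"),
    (b"MZ",                               "application/x-msdownload"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/vnd.ms-excel"),
]


def sniff_mime(data: bytes) -> str:
    """MIME type implied by the file's own leading bytes (the box contents)."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def check_uploaded_file(filename: str, declared_mime: str, data: bytes):
    """Return (accepted, reason). Accept only when the extension is on the
    allowlist, the browser-declared type is one of that extension's permitted
    values, and the sniffed content type is too."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED:
        return False, f"extension .{ext or '?'} is not allowed"
    permitted = ALLOWED[ext]
    if declared_mime not in permitted:      # label varies by OS/browser
        return False, f"declared type {declared_mime} not valid for .{ext}"
    actual = sniff_mime(data)               # what the bytes really are
    if actual not in permitted:             # e.g. an .exe renamed to .pdf
        return False, f"content is {actual}, not valid for .{ext}"
    return True, actual
```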

The biggest challenge I had these last 50 hours was reading through the two files. Although I have prior coding experience, PHP is relatively new to me, so reading through each file was a bit of a struggle. I did a lot of self-study to understand what I was reading while conducting my code review. Another challenge I had was trying to narrow down which file types should be acceptable on the platform, which ultimately boiled down to understanding the platform’s core premise and gathering user feedback on which files they find most acceptable to upload.
