determine filetype.


Post by jmut »

Hi
How could I truly determine filetype...
For example I would use getimagesize on tmp_name file...when someone uploads a file....and determine if picture and if so ...what type.
How about .doc .xls etc.
I cannot rely on extensions to determine file type. How should it be done?

Post by printf »

It's always a guessing game, no matter what you do, because most functions read the header content for binary types, which allows anyone to copy a PDF file header and the closing binary line and put whatever they want in between. Now I used PDF as an example but it could be any type. PHP once used magic_mime but now has switched to Fileinfo; it gives pretty good information about the file, but it still can be tricked!

Now, let me talk about the extension type checks vs the file validation. An extension test is just as good as a file validation test, because you select what files are allowed to be uploaded. So common sense says if you allow an EXE file, then you need to set the directory to not execute EXE files. So why use file validation and risk getting it wrong, when the system has options to give you full control of protecting itself!


pif!

Post by jmut »

printf wrote: It's always a guessing game, no matter what you do, because most functions read the header content for binary types, which allows anyone to copy a PDF file header and the closing binary line and put whatever they want in between. Now I used PDF as an example but it could be any type. PHP once used magic_mime but now has switched to Fileinfo; it gives pretty good information about the file, but it still can be tricked!

Now, let me talk about the extension type checks vs the file validation. An extension test is just as good as a file validation test, because you select what files are allowed to be uploaded. So common sense says if you allow an EXE file, then you need to set the directory to not execute EXE files. So why use file validation and risk getting it wrong, when the system has options to give you full control of protecting itself!


pif!
Interesting. So you are saying just like letting apache parse only .php files.....on this basis validate/allow/deny other file types .xls, .doc etc.
Haven't thought about moving the validation in this level. Well....I thought there is reliable header identification...I guess wrong :)
Thank you for your comment.
Happy coding
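
The checks discussed in this thread can be layered rather than chosen between. The following is an added example, not code from either poster: it combines an extension allowlist, a Fileinfo cross-check and a server-generated file name. The function name `safeUploadName`, the allowlist contents and the sample files are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Extension => MIME types Fileinfo may report.
// .doc/.xls are left out: what Fileinfo reports for them depends on the server's
// libmagic database, so check it there before adding them (assumption to verify).
const ALLOWED = [
    'pdf' => ['application/pdf'],
    'png' => ['image/png'],
    'gif' => ['image/gif'],
    'jpg' => ['image/jpeg'],
];

/**
 * Returns a server-generated name to store the upload under,
 * or null when the upload is rejected. (Hypothetical helper.)
 */
function safeUploadName(string $clientName, string $tmpPath): ?string
{
    $ext   = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $mimes = ALLOWED[$ext] ?? null;
    if ($mimes === null) {
        return null;                    // extension is not on the allowlist
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, $mimes, true)) {
        return null;                    // sniffed content disagrees with extension
    }
    // Never reuse the client's file name: random base + allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs, written to temp files so the script runs from the CLI.
$samples = [
    'report.pdf' => "%PDF-1.4\nanything at all can sit here\n%%EOF\n",
    'photo.png'  => "%PDF-1.4\nnot a PNG\n%%EOF\n",
    'notes.php'  => "plain text\n",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    printf("%-11s -> %s\n", $name, safeUploadName($name, $tmp) ?? 'rejected');
    unlink($tmp);
}
// In a real handler, pass $_FILES[...]['tmp_name'] and then move_uploaded_file()
// into a directory outside the web root, or one the server never executes from.
```

The first sample is accepted even though only its header looks like a PDF, which is why the stored name and the non-executable upload directory matter as much as the content check.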