determine filetype.
Posted: Sun Jun 18, 2006 4:16 pm
by jmut
Hi
How could I truly determine filetype...
For example I would use getimagesize on tmp_name file...when someone uploads a file....and determine if picture and if so ...what type.
How about .doc .xls etc.?
I cannot rely on extensions to determine file type. How should it be done?
Posted: Sun Jun 18, 2006 4:38 pm
by printf
It's always a guessing game, no matter what you do, because most functions read the header content for binary types, which allows anyone to copy a PDF file header and the closing binary line and put whatever they want in between. Now I used PDF as an example but it could be any type. PHP once used magic_mime but now has switched to Fileinfo, it gives pretty good information about the file, but it still can be tricked!
Now, let me talk about the extension type checks vs the file validation. An extension test is just as good as a file validation test, because you select what files are allowed to be uploaded. So common sense says if you allow an EXE file, then you need to set the directory to not execute EXE files. So why use file validation and risk getting it wrong, when the system has options to give you full control of protecting itself!
pif!
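The two checks discussed above, combined with a server-chosen file name, as an added example that is not part of the original thread or anyone's posted code. `checkUpload()` and `ALLOWED` are hypothetical names and every sample file is constructed; the sample with only a PDF header and trailer shows why the sniff is a sanity check and the non-executing storage directory is the actual control.

```php
<?php
// Added example. checkUpload() and ALLOWED are hypothetical names; all sample bytes are constructed.

// Extension => MIME types Fileinfo may report for it. Add .doc/.xls entries
// only after checking what your libmagic build reports for real samples.
const ALLOWED = [
    'pdf' => ['application/pdf'],
    'png' => ['image/png'],
];

function checkUpload(string $clientName, string $tmpPath): array
{
    // 1. Extension allowlist: decides what the server will ever store.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, "extension '$ext' is not allowed"];
    }
    // 2. Fileinfo sniff: catches mislabelled files, nothing more.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return [false, "content looks like $mime, not .$ext"];
    }
    // 3. Server-chosen name; the target directory must be configured so the
    //    web server never executes or interprets anything stored in it.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed samples: a PNG signature plus IHDR chunk, and a PDF
// header/trailer wrapped around bytes that are not a PDF body at all.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01"
     . "\x08\x02\x00\x00\x00\x90\x77\x53\xde";
$samples = [
    ['photo.png',  $png],
    ['report.pdf', $png],
    ['report.pdf', "%PDF-1.4\nnot really a PDF body\n%%EOF\n"],
    ['setup.exe',  "MZ" . str_repeat("\0", 62)],
];

foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    [$ok, $detail] = checkUpload($name, $tmp);
    printf("%-11s %s  %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $detail);
    unlink($tmp);
}
```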
Posted: Mon Jun 19, 2006 2:20 am
by jmut
printf wrote: It's always a guessing game, no matter what you do, because most functions read the header content for binary types, which allows anyone to copy a PDF file header and the closing binary line and put whatever they want in between. Now I used PDF as an example but it could be any type. PHP once used magic_mime but now has switched to Fileinfo, it gives pretty good information about the file, but it still can be tricked!
Now, let me talk about the extension type checks vs the file validation. An extension test is just as good as a file validation test, because you select what files are allowed to be uploaded. So common sense says if you allow an EXE file, then you need to set the directory to not execute EXE files. So why use file validation and risk getting it wrong, when the system has options to give you full control of protecting itself!
pif!
Interesting. So you are saying just like letting Apache parse only .php files.....on this basis validate/allow/deny other file types .xls, .doc etc.
Haven't thought about moving the validation in this level. Well....I thought there is reliable header identification...I guess wrong.

Thank you for your comment.
Happy coding