How reliable is mime type in $_FILES superglobal.

This may seem like a stupid question but I want to check before I go
ahead and build this...

I am working on a portal, part of which allows users to upload files.
Part of the array within $_FILES superglobal gives the mime type for the
file. Is this 100% reliable / accurate? If the mime type says the file
type is jpeg is it always right? Two reasons I want to know:

1. Certain types of files mustn't be uploaded, .exe files for example.
2. It is unsafe to rely on file extensions, not least because this
portal will be exposed to Linux.

If the mime type is not reliable what techniques are available to
discover the type of a file?

Many thanks.
Jan 30 '06 #1
NC
splodge wrote:

> I am working on a portal, part of which allows users to upload files.
> Part of the array within $_FILES superglobal gives the mime type for the
> file. Is this 100% reliable / accurate? If the mime type says the file
> type is jpeg is it always right?


It depends on your definition of "right"... If I understand correctly,
MIME type is determined based on the file's extension.

Cheers,
NC

Jan 30 '06 #2
splodge wrote:

> I am working on a portal, part of which allows users to upload files.
> Part of the array within $_FILES superglobal gives the mime type for the
> file. Is this 100% reliable / accurate? If the mime type says the file
> type is jpeg is it always right? Two reasons I want to know:


IIRC it relies on the information supplied by the client (if any). When I
had the same problem, rather than try to verify it was a jpg, I just
converted it to a GD file then back to a jpeg.
C.
Jan 30 '06 #3
NC wrote:

> splodge wrote:
>
>> I am working on a portal, part of which allows users to upload files.
>> Part of the array within $_FILES superglobal gives the mime type for the
>> file. Is this 100% reliable / accurate? If the mime type says the file
>> type is jpeg is it always right?
>
> It depends on your definition of "right"... If I understand correctly,
> MIME type is determined based on the file's extension.
>
> Cheers,
> NC


Thank you for the reply. So, what would happen if I took a file named
photo.jpg and changed its name to:

1. photo.xyz

2. photo.gif

Different types of files will require different types of processing so
it is very important that I can work out what the file type is.
Jan 30 '06 #4
On Mon, 30 Jan 2006 21:05:38 +0000, splodge <sp*****@blurryfox.com> wrote:

> I am working on a portal, part of which allows users to upload files.
> Part of the array within $_FILES superglobal gives the mime type for the
> file. Is this 100% reliable / accurate?

It is user-supplied data, so is not trustworthy.

> If the mime type says the file type is jpeg is it always right?

No.

> Two reasons I want to know:
>
> 1. Certain types of files mustn't be uploaded, .exe files for example.
> 2. It is unsafe to rely on file extensions, not least because this
> portal will be exposed to Linux.
>
> If the mime type is not reliable what techniques are available to
> discover the type of a file?

There is no reliable way to find the "type" of a file because files don't have
types as such; the data could be consistent with being a certain format of
data, but it ultimately depends what program you feed it into.

There are functions that use heuristics to make a decent guess as to the format
of the data, using "magic numbers" - looking for certain known patterns of
bytes corresponding to headers etc.

http://uk2.php.net/manual/en/ref.mime-magic.php

How it's supposed to work is that it doesn't matter what the data is, but
provided you send it _out_ with an appropriate Content-type then nothing bad
should happen. Unfortunately Internet Explorer has an "I think I know better"
mode where it guesses MIME types for downloaded files under various
circumstances, even if you've explicitly stated what type it is, potentially
resulting in them opening up in inappropriate applications.

See: http://ppewww.ph.gla.ac.uk/~flavell/...tent-type.html , and then
prepare to lose hair if you want to do apparently simple things like serve up
HTML source code as text/plain.

--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Jan 30 '06 #5
d
"NC" <nc@iname.com> wrote in message
news:11**********************@g47g2000cwa.googlegroups.com...

> splodge wrote:
>
>> I am working on a portal, part of which allows users to upload files.
>> Part of the array within $_FILES superglobal gives the mime type for the
>> file. Is this 100% reliable / accurate? If the mime type says the file
>> type is jpeg is it always right?
>
> It depends on your definition of "right"... If I understand correctly,
> MIME type is determined based on the file's extension.


Nope - PHP uses the MIME Magic library to determine the mime type of a file
based on the position of key bytes within the file:

http://uk2.php.net/mime_magic

So you could call an .exe .txt, and it would be picked up as an executable.
Cheers,
NC

Jan 31 '06 #6
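
Added example, not code from any poster in this thread: it combines the magic-number check mentioned in reply #5 with the GD re-encoding approach from reply #3, and treats the `type` field of `$_FILES` as untrusted. The function name `accept_image_upload`, the `ALLOWED` list and the sample files are assumptions made for illustration.

```php
<?php
// Added example; requires PHP 8 with the fileinfo and GD extensions.
// Content-sniffed MIME type => extension the server stores the file under.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * $tmpPath is $_FILES[...]['tmp_name']; $claimedType is $_FILES[...]['type']
 * and is only logged. Returns the re-encoded file's path, or null if rejected.
 * A real handler would also call is_uploaded_file($tmpPath) first.
 */
function accept_image_upload(string $tmpPath, string $claimedType, string $destDir): ?string
{
    // Magic-number guess from the bytes on disk, not from the request.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($sniffed === false || !array_key_exists($sniffed, ALLOWED)) {
        error_log("upload rejected: claimed=$claimedType sniffed=" . var_export($sniffed, true));
        return null;
    }
    // Full decode with GD: a file that only begins with image magic bytes fails here.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        error_log("upload rejected: claimed=$claimedType sniffed=$sniffed but not decodable");
        return null;
    }
    // Re-encode under a server-chosen name; the client's filename is never used.
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$sniffed];
    $ok = match ($sniffed) {
        'image/jpeg' => imagejpeg($img, $dest, 90),
        'image/png'  => imagepng($img, $dest),
        'image/gif'  => imagegif($img, $dest),
    };
    return $ok ? $dest : null;
}

// Constructed sample inputs (not real uploads), each claimed as image/jpeg.
$dir  = sys_get_temp_dir();
$real = tempnam($dir, 'up'); imagepng(imagecreatetruecolor(2, 2), $real);
$exe  = tempnam($dir, 'up'); file_put_contents($exe, "MZ" . str_repeat("\0", 64));
$fake = tempnam($dir, 'up'); file_put_contents($fake, "\xFF\xD8\xFF\xE0" . str_repeat("A", 64));

foreach (['real PNG' => $real, 'MZ header' => $exe, 'JPEG magic only' => $fake] as $label => $path) {
    $out = accept_image_upload($path, 'image/jpeg', $dir);
    echo $label, ': ', $out === null ? 'rejected' : 'stored as ' . basename($out), "\n";
}
```

The stored extension comes from the sniffed type, so a real PNG claimed as image/jpeg is kept as `.png`, while the other two samples are rejected at the sniffing or decoding step.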
