
How reliable is mime type in $_FILES superglobal.

This may seem like a stupid question but I want to check before I go
ahead and build this...

I am working on a portal, part of which allows users to upload files.
Part of the array within $_FILES superglobal gives the mime type for the
file. Is this 100% reliable / accurate? If the mime type says the file
type is jpeg is it always right? Two reasons I want to know:

1. Certain types of files mustn't be uploaded, .exe files for example.
2. It is unsafe to rely on file extensions, not least because this
portal will be exposed to Linux.

If the mime type is not reliable what techniques are available to
discover the type of a file?

Many thanks.
Jan 30 '06 #1
5 Replies


NC
splodge wrote:

> I am working on a portal, part of which allows users to upload files.
> Part of the array within $_FILES superglobal gives the mime type for the
> file. Is this 100% reliable / accurate? If the mime type says the file
> type is jpeg is it always right?


It depends on your definition of "right"... If I understand correctly,
MIME type is determined based on the file's extension.

Cheers,
NC

Jan 30 '06 #2

splodge wrote:

> I am working on a portal, part of which allows users to upload files.
> Part of the array within $_FILES superglobal gives the mime type for the
> file. Is this 100% reliable / accurate? If the mime type says the file
> type is jpeg is it always right? Two reasons I want to know:


IIRC it relies on the information supplied by the client (if any). When I
had the same problem, rather than try to verify it was a jpg, I just
converted it to a GD file then back to a jpeg.
C.
Jan 30 '06 #3
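
The re-encoding approach described in the post above, as an added example that is not part of the original thread: the upload is decoded with GD and written back out as a fresh JPEG, so the client's `type` and file name are never trusted. The function name, `$destDir` and the quality value are assumptions.

```php
<?php
// Added example (not from the thread). Names and paths are hypothetical.
// $file is one entry of $_FILES, e.g. $_FILES['photo'].

function reencodeUploadedJpeg(array $file, string $destDir): string
{
    // Reject failed uploads and paths that did not come from an HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or is not an HTTP upload');
    }

    // Decode step: GD returns false when the bytes do not parse as a JPEG,
    // whatever $file['type'] or the original extension claimed.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('Not a decodable JPEG');
    }

    // Server-chosen name and extension; $file['name'] is never used.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';

    // Encode step: the stored file is written from the decoded pixels,
    // not copied from the uploaded bytes.
    if (!imagejpeg($img, $dest, 85)) {
        throw new RuntimeException('Could not write re-encoded image');
    }

    return $dest;
}
```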

NC wrote:

> splodge wrote:
>> I am working on a portal, part of which allows users to upload files.
>> Part of the array within $_FILES superglobal gives the mime type for the
>> file. Is this 100% reliable / accurate? If the mime type says the file
>> type is jpeg is it always right?
>
> It depends on your definition of "right"... If I understand correctly,
> MIME type is determined based on the file's extension.
>
> Cheers,
> NC


Thank you for the reply. So, what would happen if I took a file named
photo.jpg and changed its name to:

1. photo.xyz

2. photo.gif

Different types of files will require different types of processing so
it is very important that I can work out what the file type is.
Jan 30 '06 #4

On Mon, 30 Jan 2006 21:05:38 +0000, splodge <sp*****@blurryfox.com> wrote:

> I am working on a portal, part of which allows users to upload files.
> Part of the array within $_FILES superglobal gives the mime type for the
> file. Is this 100% reliable / accurate?

It is user-supplied data, so is not trustworthy.

> If the mime type says the file type is jpeg is it always right?

No.

> Two reasons I want to know:
>
> 1. Certain types of files mustn't be uploaded, .exe files for example.
> 2. It is unsafe to rely on file extensions, not least because this
> portal will be exposed to Linux.
>
> If the mime type is not reliable what techniques are available to
> discover the type of a file?


There is no reliable way to find the "type" of a file because files don't have
types as such; the data could be consistent with being a certain format of
data, but it ultimately depends what program you feed it into.

There are functions that use heuristics to make a decent guess as to the format
of the data, using "magic numbers" - looking for certain known patterns of
bytes corresponding to headers etc.

http://uk2.php.net/manual/en/ref.mime-magic.php

How it's supposed to work is that it doesn't matter what the data is, but
provided you send it _out_ with an appropriate Content-type then nothing bad
should happen. Unfortunately Internet Explorer has a "I think I know better"
mode where it guesses MIME types for downloaded files under various
circumstances, even if you've explicitly stated what type it is, potentially
resulting in them opening up in inappropriate applications.

See: http://ppewww.ph.gla.ac.uk/~flavell/...tent-type.html , and then
prepare to lose hair if you want to do apparently simple things like serve up
HTML source code as text/plain.

--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Jan 30 '06 #5
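
The two halves of the post above, as an added example that is not part of the original thread: a magic-number guess with PHP's fileinfo extension checked against an allow-list on upload, and an explicit `Content-Type` on the way out. The `ALLOWED` map, function names and paths are assumptions; `X-Content-Type-Options: nosniff` is a response header, not mentioned in the thread, that tells browsers not to second-guess the declared type.

```php
<?php
// Added example (not from the thread). ALLOWED and all names are hypothetical.
const ALLOWED = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

// Heuristic guess from the file's bytes (libmagic via ext/fileinfo).
// Returns the detected type only if it is on the allow-list.
function sniffAllowedType(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type  = $finfo->file($path);
    return ($type !== false && isset(ALLOWED[$type])) ? $type : null;
}

// $file is one entry of $_FILES; its 'type' and 'name' keys are ignored.
function storeUpload(array $file, string $destDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $type = sniffAllowedType($file['tmp_name']);
    if ($type === null) {
        throw new RuntimeException('File type not allowed');
    }
    // Server-chosen name; the extension comes from the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$type];
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store upload');
    }
    return ['name' => $name, 'type' => $type]; // persist both with the record
}

// Send the file out with the type recorded at upload time.
function serveStored(string $path, string $type): void
{
    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}
```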

d
"NC" <nc@iname.com> wrote in message
news:11**********************@g47g2000cwa.googlegroups.com...

> splodge wrote:
>
>> I am working on a portal, part of which allows users to upload files.
>> Part of the array within $_FILES superglobal gives the mime type for the
>> file. Is this 100% reliable / accurate? If the mime type says the file
>> type is jpeg is it always right?
>
> It depends on your definition of "right"... If I understand correctly,
> MIME type is determined based on the file's extension.


Nope - PHP uses the MIME Magic library to determine the mime type of a file
based on the position of key bytes within the file:

http://uk2.php.net/mime_magic

So you could call an .exe .txt, and it would be picked up as an executable.
Cheers,
NC

Jan 31 '06 #6
