Menu
I’m working on an upload form in PHP that must allow only MP3 files.
When the upload is done, I analyze the file to check whether is it really an MP3. The first step is to detect the mime type as audio/mpeg. I use the libraries finfo_file() and works fine except that during the tests some MP3 files are rejected because their MIME type results as application/octet-stream.
My questions are:
387
The most simple way to detect the MIME type of any file is to use MIME_Type's static autoDetect() method. It will try to determine the file's type and return it as a string. If an error occurs, a PEAR_Error object is returned. By default, only the plain MIME type will be returned, without any comments or parameters.
Whereas file extensions are commonly used for your OS to decide what program to open a file with, Mime types are used by your browser to decide how to present some data (or the server on how to interpret received data). Both are optional but it's a good practice to have an agreement.
A media type (also known as a Multipurpose Internet Mail Extensions or MIME type) indicates the nature and format of a document, file, or assortment of bytes. MIME types are defined and standardized in IETF's RFC 6838.
MIME types let the browser know what each file is. Browsers associate other applications, helper applications/extensions to handle certain MIME types. So, setting the correct MIME types will let the browser handle the object/file the way it was meant to be done.
In most of my applications where upload is necessary, I sometimes settle for validating the MIME that is passed by the browser (client) against a list of predefined MIME types. This approach makes a general assumption that if something suspicious is going on where the browser is unable to communicate the MIME type of a file being uploaded, I probably don't want to bother processing it at this time.
<?php
$valid_mp3_mimes = array(
'audio/mpeg',
'audio/x-mpeg',
'audio/mp3',
'audio/x-mp3',
'audio/mpeg3',
'audio/x-mpeg3',
'audio/x-mpeg-3',
'audio/mpg',
'audio/x-mpg',
'audio/x-mpegaudio',
'video/mpeg',
'video/x-mpeg',
);
$uploaded_file_mime = $_FILES['upload_field_name']['type'];
if(!in_array($uploaded_file_mime, $valid_mp3_mimes))
{
die('Upload is not a valid MP3 file.');
}
You may or may not feel this is sufficient method for your purposes. The PHP Manual explicitly states that this information is available if the browser provided this information and that the MIME type is NOT checked on the server side and therefore should not be taken for granted.
One thing to take into consideration is the availability of resources on the server that allow you to authenticate the true MIME type of a file.
As PHP developers, we love the flexibility of creating platform independent code for the most part (e.g. our web applications built on a Windows system running XAMPP can be deployed to a Linux hosting environment with very little modification). However, when validating MIME types, we begin introducing platform dependent methods that necessitate verifying the existence of these tools (such as "file" or "finfo_file").
This might be one implementation worth studying (taken from the CodeIgniter GitHub repository) that utilizes these tools and is about as thorough of a working example as you're going to get within the scope of PHP:
File MIME type detects the (actual) MIME type of the uploaded file, if possible. https://github.com/EllisLab/CodeIgniter/blob/develop/system/libraries/Upload.php#L983
Sources
PHP Manual POST method uploads - http://www.php.net/manual/en/features.file-upload.post-method.php
Webmaster Toolkit Mime Types - http://www.webmaster-toolkit.com/mime-types.shtml
FILExt .MP3 File - http://filext.com/file-extension/MP3
75
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
