Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PHP Upload File Validation

Tags:

php

file-upload

upload

uploading

I am creating file upload script and I'm looking for the best techniques and practices to validate uploaded files.

Allowed extensions are:

$allowed_extensions = array('gif','jpg','png','swf','doc','docx','pdf','zip','rar','rtf','psd');

Here's the list of what I'm doing.

  1. Checking file extension

    $path_info = pathinfo($filename);
if( !in_array($path_info['extension'], $allowed_extensions) ) {
    die('File #'.$i.': Incorrent file extension.');
}

  2. Checking file mime type

    $allowed_mimes = array('image/jpeg','image/png','image/gif','text/richtext','multipart/x-zip','application/x-shockwave-flash','application/msword','application/pdf','application/x-rar-compressed','image/vnd.adobe.photoshop');
if( !in_array(finfo_file($finfo, $file), $allowed_mimes) ) {
    die('File #'.$i.': Incorrent mime type.');
}

  3. Checking file size.

What should I do to make sure uploaded files are valid files? I noticed strange thing. I changed .jpg file extension to .zip and... it was uploaded. I thought it will have incorrect MIME type but after that I noticed I'm not checking for a specific type but if a specific MIME type exist in array. I'll fix it later, that presents no problems for me (of course if you got any good solution/idea, do not hesitate to share it, please).

I know what to do with images (try to resize, rotate, crop, etc.), but have no idea how to validate other extensions.

Now's time for my questions.

  1. Do you know good techniques to validate such files? Maybe I should unpack archives for .zip/.rar files, but what about documents (doc, pdf)?
  2. Will rotating, resizing work for .psd files?
  3. Basically I thought that .psd file has following mime: application/octet-stream but when

I tried to upload .psd file it showed me (image/vnd.adobe.photoshop). I'm a bit confused about this. Do files always have the same MIME type?

Also, I cannot force code block to work. Does anyone have a guess as to why?

like image 597
Tom Avatar asked Aug 20 '10 22:08

Tom

1 Answers

Lots of file formats have a pretty standard set of starting bytes to indicate the format. If you do a binary read for the first several bytes and test them against the start bytes of known formats it should be a fairly reliable way to confirm the file type matches the extension.

For example, JPEG's start bytes are 0xFF, 0xD8; so something like:

$fp = fopen("filename.jpg", "rb");
$startbytes = fread($fp, 8);
$chunked = str_split($startbytes,1);
if ($chunked[0] == 0xFF && $chunked[1] == 0xD8){
    $exts[] = "jpg";
    $exts[] = "jpeg";
}

then check against the exts.

could work.

like image 68
KeatsKelleher Avatar answered Oct 02 '22 09:10

KeatsKelleher
Sign in to Comment

Related questions

Can I use javascript regular expression in php as it is
How to log slow queries in shared hosting MySQL?
Magento "File was not uploaded"
Adding to a multidimensional array in PHP
weird array syntax
PHP session is null when called in other page in safari
How do I compile on linux to share with all distributions?
Best Practice: User generated HTML cleaning
PHP Extension (memcache|memcached) not showing in phpinfo() but showing in php -m and php -i?
PHP code - what does this part of code mean?
is there any way to access all references to given object?
Developing on both Windows & Linux machines simultaneously
cakePHP paginate with post data without sessions, serialization or post to get
Duplicate a image variable GD library
Performance comparison of MemCached with Disk Caching
PHP's _get & _set or unique get and set functions for each variable?
How to save PHP HTTP_USER_AGENT to MySQL field
quickest way to dynamically retrieve image dimensions
True meaning of iterative development and refactoring code
Display message only for the first page load

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!