
What is the difference between $_FILES["file"]["type"] and end(explode(".", $_FILES["file"]["name"])) [closed]

Tags: file, php

I use var_dump(@$_FILES['file']['type']) to test the type of the file I uploaded.

First, I uploaded an exe file called "uninstall.exe", and it returned

"string 'application/octet-stream' (length=24)"

Then I renamed this file to uninstall.png, and it returned

string 'image/png' (length=9)

My conclusion is: $_FILES['file']['type'] only checks the file extension, not the original file type.

The following code is from w3cschool:

$allowedExts = array("gif", "jpeg", "jpg", "png");
$extension = end(explode(".", $_FILES["file"]["name"]));
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))

I think $_FILES["file"]["type"] in the above code is unnecessary; we can just check the file extension using explode() and in_array().

I'm just a PHP beginner. Can someone confirm my idea? Thanks!

nut asked Mar 24 '13 22:03


3 Answers

If you want to be sure that an image was uploaded, use getimagesize, which returns 0 for non-images.

darthmaim answered Oct 02 '22 16:10


You're absolutely correct. The MIME type is provided by the client and you cannot guarantee it is correct. For that matter, so is the file extension. If you need to be completely sure, you need to look at the file contents.

icktoofay answered Oct 02 '22 15:10
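
Added example (not part of any answer here and not the w3cschool code): one way to check the uploaded bytes themselves, as the two answers above suggest, using finfo and getimagesize on the temporary file instead of the client-supplied name and type. The names checked_image_extension, ALLOWED and MAX_BYTES are hypothetical, and the two sample files are constructed so the script runs offline.

```php
<?php
// Added example: decide from the file's bytes, not from client-supplied fields.
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
const MAX_BYTES = 20000; // same size limit as the snippet in the question

// $file is one entry shaped like $_FILES['file']; returns an extension chosen
// from the detected content type, or throws RuntimeException on rejection.
function checked_image_extension(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $path = $file['tmp_name'];
    // A real handler should also require is_uploaded_file($path) here.
    if (filesize($path) >= MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type sniffed from the content; $file['type'] and $file['name'] are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("content looks like $mime");
    }
    // The header must also parse as an image of that same type.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a parsable image');
    }
    return ALLOWED[$mime];
}

// Constructed samples: an "MZ" executable stub named .png, and a 1x1 PNG.
$exe = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($exe, 'MZ' . str_repeat("\0", 62));
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII='
));
$claimed = ['type' => 'image/png', 'error' => UPLOAD_ERR_OK];
$uploads = [
    ['name' => 'uninstall.png', 'tmp_name' => $exe] + $claimed,
    ['name' => 'pixel.png', 'tmp_name' => $png] + $claimed,
];
foreach ($uploads as $u) {
    try {
        echo $u['name'], ' => accepted as .', checked_image_extension($u), "\n";
    } catch (RuntimeException $e) {
        echo $u['name'], ' => rejected: ', $e->getMessage(), "\n";
    }
    unlink($u['tmp_name']);
}
```

Passing these checks only shows that the file starts as a parsable image. Save it under a server-generated name with the returned extension, in a directory where scripts are not executed.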


You should be using a wrapper of GD or Imagick extensions. A very good one is WideImage.

Lucas Freitas answered Oct 02 '22 15:10