Can I trust the file type from $_FILES?

Can I trust the file type with $_FILES when uploading images? Or do I need to check again with exif_imagetype()?

+7
5 answers

From the documentation:

The MIME type of the file, if the browser provided this information. An example would be "image/gif". This MIME type is, however, not checked on the PHP side, and therefore its value should not be taken for granted.

+6

Never trust anything that comes from outside, especially uploaded files!

Check the size, location, MIME type, extension and everything else you can check!

+5

No, you cannot trust the variable $_FILES['userfile']['type']. The value present in this variable can be faked. You can use finfo_file to more reliably determine the file type:

    $finfo = finfo_open(FILEINFO_MIME_TYPE); // we need the MIME type
    echo finfo_file($finfo, "/path/to/uploaded/file"); // displays something like image/gif
    finfo_close($finfo);

These functions require PHP >= 5.3.0.

+4

I always use the following function to verify the correct images:

    function Check_Image($Filename) {
        // getimagesize() returns FALSE when the file cannot be parsed as an image
        if ($Check_Image = @getimagesize($Filename)) {
            return TRUE;
        }
        return FALSE;
    }

+3

No, you cannot trust it, because this information is provided by the client browser.

$_FILES['userfile']['type'] The MIME type of the file, if the browser provided this information. An example would be "image/gif". This MIME type is, however, not checked on the PHP side, and therefore its value should not be taken for granted.

+2
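The checks recommended in the answers above (size, content-based MIME type via finfo, a getimagesize() cross-check, and not trusting the client's extension) combined into one upload handler. This is an added example, not code from any of the answers. The field name `userfile` follows the page; the function name `store_uploaded_image`, the size limit, the allowlist and the destination directory are assumptions.

```php
<?php
// Added example: decide the image type from the file's bytes, never from $_FILES[...]['type'].
// Assumed values: 2 MiB limit, JPEG/PNG/GIF allowlist, $destDir located outside the web root.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const ALLOWED_IMAGE_TYPES = [   // detected MIME type => extension assigned by the server
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_uploaded_image(array $file, string $destDir): string
{
    // 1. PHP must report a clean single-file upload (an array here means a tampered request).
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or request malformed.');
    }
    // 2. The temp path must really come from an HTTP upload; measure the size on disk
    //    instead of relying on the 'size' entry.
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('Not an uploaded file, or file too large.');
    }
    // 3. Detect the MIME type from the content (magic bytes) and look it up in the allowlist.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = is_string($mime) ? (ALLOWED_IMAGE_TYPES[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('File type not allowed.');
    }
    // 4. Cross-check: the image header must parse and agree with the detected type.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image.');
    }
    // 5. Discard the client-supplied name and extension; a random name with the
    //    server-chosen extension keeps the stored file from being treated as a script.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}
```

In the request handler this would be called as `store_uploaded_image($_FILES['userfile'], $destDir)`, with the exceptions mapped to an error response.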
