Geek Answers Handbook

Is mime type definition the best way to detect a kind of file?

I am working on a upload form in php which should only allow mp3 files.

When the download is complete, I analyze the file to see if it is really mp3. The first step is to define the mime type as "audio / mpeg", I use the finfo_file () libraries and it works fine, except that during the tests some mp3s are rejected because their mime type occurs as: application / octet-stream

my questions: - Should my application abandon these mp3s? they actually play audio - is there a reason why this type of mime is mp3? - is a mime type definition the most reliable way to find out the file type?

+6
mime-types php mp3
source share
3 answers

In most of my applications where download is required, I sometimes agree to check the MIME, which is sent by the browser (client), to a list of predefined MIME types. This approach makes the general assumption that if something suspicious occurs when the browser cannot transfer the MIME type of the downloaded file, I probably do not want to process it at this time.

<?php $valid_mp3_mimes = array( 'audio/mpeg', 'audio/x-mpeg', 'audio/mp3', 'audio/x-mp3', 'audio/mpeg3', 'audio/x-mpeg3', 'audio/x-mpeg-3', 'audio/mpg', 'audio/x-mpg', 'audio/x-mpegaudio', 'video/mpeg', 'video/x-mpeg', ); $uploaded_file_mime = $_FILES['upload_field_name']['type']; if(!in_array($uploaded_file_mime, $valid_mp3_mimes)) { die('Upload is not a valid MP3 file.'); }

You may or may not feel that this is a sufficient method for your purposes. The PHP manual explicitly states that this information is available if the browser provided this information and that the MIME type is NOT marked on the server side and therefore should not be taken for granted.

One thing to consider is the availability of resources on the server, which allow you to authenticate the true MIME file type.

As PHP developers, we like the great flexibility of creating platform-independent code (for example, our web applications built on Windows with XAMPP can be deployed on a Linux hosting environment with very little change). However, when checking for MIME types, we begin to introduce platform-specific methods that require checking for the existence of these tools (such as "file" or "finfo_file").

This may be one implementation worth exploring (taken from the CodeIgniter GitHub repository) that uses these tools and describes the working example about how you intend to get within PHP:

File The MIME type detects the (actual) MIME type of the downloaded file, if possible. https://github.com/EllisLab/CodeIgniter/blob/develop/system/libraries/Upload.php#L983

Sources

PHP Guide Downloading the POST Method - http://www.php.net/manual/en/features.file-upload.post-method.php

Webmaster Toolkit Mime Types - http://www.webmaster-toolkit.com/mime-types.shtml

FILExt .MP3 File - http://filext.com/file-extension/MP3

+2
source share

If you want an extremely reliable way to detect file types without trusting the client to get the correct MIME type, use the file utility on UNIX.

 $ file Black\ Sands\ 01\ Prelude.mp3 Black Sands 01 Prelude.mp3: Audio file with ID3 version 2.2.0, contains: MPEG ADTS, layer III, v1, 320 kbps, 44.1 kHz, Stereo $ file homework/math475-hw8.docx homework/math475-hw8.docx: Microsoft Word 2007+

In PHP, you can use the exec function to call it.

0
source share

The best way to detect files is to use a magic byte or magic number scheme in addition to MIME. Unix file (as well as finfo_file ) actually uses magic bytes to detect this file. So, in short: yes.

Don't worry about what your file looks like and what you can do with it. While it is playing, the file should be in order.

If you really want to do more, you can check the magic bytes yourself. Here is their list .

0
source share

More articles:


All Articles