How to check file types of uploaded files in PHP?
Take a look at mime_content_type or Fileinfo. These are built-in PHP commands for determining the type of a file by looking at the contents of the file. Also check the comments on the above two pages; there are some other good suggestions.
Personally I've had good luck using something that's essentially system("file -bi $uploadedfile"), but I'm not sure if that's the best method.
IMHO, all MIME-type checking methods are useless.
Say you've got which should have MIME-type application/pdf. Standard methods are trying to find something that looks like a PDF header (%PDF- or something like that) and they will return 'Okay, seems like this is a PDF file' on success. But in fact this doesn't mean anything. You can upload a file containing only %PDF-1.4 and it will pass the MIME check.
I mean, if the file has an expected MIME-type, it will always pass the MIME-type check; otherwise the result is undefined.
I assume you are going to have a fixed white-list of file-types that you will accept.
For each of these types, you are going to have to use different techniques to verify that they are valid examples of that format.
There are two related questions:
1. Does it look roughly like it might be the right type? (For JPEG, you could check the headers, as you mentioned. For many Unix-based formats, you could check the "magic cookie".)
2. Is it actually a valid example of that type? (E.g. for any XML-like format, you could validate against a DTD.)
I think that, for each format, you should ask separate questions for each one, because the answer will be quite different for PDFs compared to ZIP files.
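The two-stage approach discussed in the answers above, as an added example that is not part of any of the original posts: Fileinfo sniffs the content against a fixed whitelist, then a per-format check runs on the result. The whitelist entries, the function name checkUpload and the individual format checks are assumptions chosen for illustration; in a real upload handler the path would be the entry's tmp_name from $_FILES.

```php
<?php
// Added example. Whitelist: sniffed MIME type => stage-two structural check.
// These checks are illustrative assumptions, not complete format validators.
$validators = [
    'image/jpeg' => function (string $p): bool {
        $info = @getimagesize($p);               // parses the image header
        return $info !== false && $info[2] === IMAGETYPE_JPEG;
    },
    'application/pdf' => function (string $p): bool {
        $data = (string) file_get_contents($p);
        // Header at offset 0 plus an end-of-file marker in the last 1 KiB.
        return strncmp($data, '%PDF-', 5) === 0
            && strpos(substr($data, -1024), '%%EOF') !== false;
    },
    'application/zip' => function (string $p): bool {
        $zip = new ZipArchive();                 // requires ext-zip
        if ($zip->open($p, ZipArchive::CHECKCONS) !== true) {
            return false;                        // not a consistent archive
        }
        $zip->close();
        return true;
    },
];

function checkUpload(string $path, array $validators): array
{
    // Stage one: does the content look roughly like an accepted type?
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !isset($validators[$mime])) {
        return [false, 'type not on whitelist: ' . var_export($mime, true)];
    }
    // Stage two: is it a plausible instance of that type?
    if (!$validators[$mime]($path)) {
        return [false, "sniffed as $mime but failed the format check"];
    }
    return [true, $mime];
}

// Constructed sample: the header-only file described in the second answer.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "%PDF-1.4\n");
[$ok, $detail] = checkUpload($tmp, $validators);
echo ($ok ? 'accepted: ' : 'rejected: ') . $detail . PHP_EOL;
unlink($tmp);
```

The PDF check here is still only structural; a stricter stage two would parse the document with a PDF library.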