From: Ashley Sheridan on
On Sat, 2010-09-18 at 02:46 -0700, Michael Shadle wrote:

> There is a fileinfo module for php (and it's packaged in 5.3)
>
> http://www.php.net/manual/en/intro.fileinfo.php
>
> However after trying to use "file" in a system call back in the day it's great with graphics and some other stuff, but a large number of the video files came out with just a generic binary type. The site needed both pictures and videos to be validated; I had to relax the restriction because most of the video content couldn't be identified.
>
> I would say transcode it (if it's videos) so it's normalized and consistent with the rest of the site, and ffmpeg etc. will let you know if it's not a valid type your server can support. YMMV with fileinfo or system("file") which I believe should give you the same results. Depends on what content you are handling!
>
> On Sep 18, 2010, at 2:32 AM, Ashley Sheridan <ash(a)ashleysheridan.co.uk> wrote:
>
> > On Sat, 2010-09-18 at 11:21 +0200, Peter Lind wrote:
> >
> >> On 17 September 2010 23:25, Jim Lucas <lists(a)cmsws.com> wrote:
> >>> Catherine Madsen wrote:
> >>>> Hi!
> >>>>
> >>>> I have created a form following the PHP manual to upload files and need
> >>>> to restrict the upload to only PDF. How do I check the file type
> >>>> ($_FILES['userfile']['type']?) and where: on the form page or on the
> >>>> validation page? I want to be able to tell the users that their file
> >>>> doesn't have the right format. Thank you very much for your help!
> >>>>
> >>
> >> You need to use something like http://www.fpdf.org/ to try and
> >> actually open the uploaded file - anyone can fake an extension.
> >>
> >> Regards
> >> Peter
> >>
> >> --
> >> <hype>
> >> WWW: http://plphp.dk / http://plind.dk
> >> LinkedIn: http://www.linkedin.com/in/plind
> >> BeWelcome/Couchsurfing: Fake51
> >> Twitter: http://twitter.com/kafe15
> >> </hype>
> >>
> >
> >
> > An exec() call to the 'file' command (assuming you're on a Linux server)
> > should give you back the correct file type as well. I just tested mine
> > with file-5.03 on a mis-named file and it correctly detected it. That's
> > not to say a carefully crafted file couldn't trick it, but it might be
> > good as a general checker where it would be a lot of hassle trying to
> > check every single file type by opening it up.
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >
>


Yeah, video has always been a bit of an issue with file. Mplayer has a
command line option to return specific bits of information about a video
clip though, such as resolutions, frame rate, length, codec and wrapper,
etc.

Thanks,
Ash
http://www.ashleysheridan.co.uk


From: tedd on
At 1:40 PM -0700 9/17/10, Catherine Madsen wrote:
>Hi!
>
>I have created a form following the PHP manual to upload files and need
>to restrict the upload to only PDF. How do I check the file type
>($_FILES['userfile']['type']?) and where: on the form page or on the
>validation page? I want to be able to tell the users that their file
>doesn't have the right format. Thank you very much for your help!
>-snip-
>Catherine

Catherine:

Two things:

First, you can't do anything to the file before you upload it. You
must have the file before you can test it.

Second, extensions can be bogus.

As such, I would recommend examining the contents of the file after
it has been uploaded. For example, if you examine a pdf file you will
find that most have "PDF" appearing within the first four bytes.
Likewise, jpeg files have "JFIF" appearing within the first 10 bytes
and gifs have "GIF" appearing as the first three bytes. Most files
have some indication of what they are in their headers.

Now, this does not mean that the file having the proper header
identification is guaranteed to be not something else, because it can
be something else. I have an example of a PNG file that is a
javascript script that can be run by simply loading it. It's very
interesting.

The programmer used a PNG generator to reduce the size of his script
to get it under the weight (size) restrictions of a contest. Very
imaginative, but it shows that sometimes things are not what they
claim to be.

Cheers,

tedd
--
-------
http://sperling.com/
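
Added example (not part of any poster's message): a server-side check for the PDF upload asked about in this thread, combining the header test described above with the fileinfo module mentioned earlier. The helper name validate_pdf_upload() and the 10 MB limit are assumptions; 'userfile' is the field name from the question.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.1+ and the
// fileinfo extension. validate_pdf_upload() is a hypothetical helper name.

function validate_pdf_upload(array $upload, int $maxBytes = 10485760): ?string
{
    // 1. The upload itself must have succeeded and come through HTTP POST.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'The upload did not complete.';
    }
    $path = $upload['tmp_name'] ?? '';
    if (!is_uploaded_file($path)) {
        return 'No uploaded file found.';
    }
    if (filesize($path) > $maxBytes) {
        return 'The file is too large.';
    }

    // 2. Header check: a PDF starts with the marker "%PDF-".
    //    $upload['type'] and the file extension are sent by the client,
    //    so neither is consulted here.
    $handle = fopen($path, 'rb');
    if ($handle === false) {
        return 'The file could not be read.';
    }
    $head = fread($handle, 5);
    fclose($handle);
    if ($head !== '%PDF-') {
        return 'The file is not a PDF.';
    }

    // 3. Second opinion from fileinfo (libmagic, the library behind "file").
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($path) !== 'application/pdf') {
        return 'The file is not a PDF.';
    }

    // Passing both checks shows the header matches, not that the rest of
    // the file is harmless; store it under a server-chosen name.
    return null;
}

// Runs on the page the form posts to; 'userfile' is the field name
// from the question.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['userfile'])) {
    $error = validate_pdf_upload($_FILES['userfile']);
    echo $error === null ? 'PDF accepted.' : htmlspecialchars($error);
}
```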