What is the difference between $_FILES["file"]["type"] and end(explode(".", $_FILES["file"]["name"]))

Question

I use var_dump(@$_FILES['file']['type']) to test file type I uploaded

First, I uploaded an exe file called "uninstall.exe", and it returned

"string 'application/octet-stream' (length=24)"

Then, I renamed this file to uninstall.png, it returned

string 'image/png' (length=9)

My conclusion is: $_FILES['file']['type'] only check file extension, not the original file type.

The following code is from w3cschool:

$allowedExts = array("gif", "jpeg", "jpg", "png");
$extension = end(explode(".", $_FILES["file"]["name"]));
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))

I think $_FILES["file"]["type"] in above codes is unnecessary, we can just check file extension using explode() and in_array

I'm just a php beginner, can someone confirm my idea? Thanks!

Yes, I believe many of us know that the file type can be spoofed. — Class, Mar 24 '13 at 22:50
`$_FILES['file']['type']` does not check extension - it is information send in request headers from user machine. It can be used as a hint (for non standard file formats, that is recognizable on user machine but not on server) but should not be trusted in terms of security. — dev-null-dweller, Mar 24 '13 at 22:56
@user1970939 finding something wrong on w3schools is not that hard... (also note that this is not `w3c`schools but `w3`schools) — dev-null-dweller, Mar 24 '13 at 22:56

score 7 · Accepted Answer · answered Mar 24 '13 at 22:49

7

You're absolutely correct. The MIME type is provided by the client and you cannot guarantee it is correct. For that matter, so is the file extension. If you need to be completely sure, you need to look at the file contents.

answered Mar 24 '13 at 22:49

icktoofay

126,289
21
250
231

I'm glad my idea got confirmed, someone said:"the extension of the file and 'file type' can be differ, so someone can not upload executable file with .png extension with $_FILES["file"]["type"]." I think he is wrong – Eathen Nutt Mar 24 '13 at 22:54
@user1970939: Well, someone actually could provide a file named `file.exe` with a MIME type of `image/png`. They're both provided by the client and are not required to be consistent. – icktoofay Mar 24 '13 at 22:59

score 7 · Answer 2 · answered Mar 24 '13 at 22:54

7

If you want to be sure that an image was uploaded, use getimagesize, that returns 0 for non-images.

answered Mar 24 '13 at 22:54

darthmaim

4,970
1
27
40

and some JPEGs even. Mostly JPEGs that come from digital cameras. – Emery King Mar 24 '13 at 23:04
thanks for mentioning getimagesize – Eathen Nutt Mar 24 '13 at 23:05
1

@darthmaim absolutely incorrect! `getimagesize` can and will return successfully for some non-images. See [here](http://php.net/manual/en/function.getimagesize.php) – jdrake Nov 20 '17 at 11:24
1

It says in the official PHP docs NOT to use `getimagesize`. "Do not use getimagesize() to check that a given file is a valid image. Use a purpose-built solution such as the Fileinfo extension instead." – Edward Jul 28 '19 at 22:11

score 1 · Answer 3 · answered Mar 24 '13 at 23:24

1

You should be using a wrapper of GD or Imagick extensions. A very good one is WideImage.

answered Mar 24 '13 at 23:24

Lucas Freitas

194
12

What is the difference between $_FILES["file"]["type"] and end(explode(".", $_FILES["file"]["name"]))

3 Answers3

Linked