2

What's the best way to determine the MIME type or file type, stopping anything malicious getting through and making sure a bug doesn't get in your system?

In my example I need a way of screening so that only .mp3 files are uploaded to the site. Now I know there is mime_content_type, but that gives odd results depending on how the file was made and what browser you use, seeing as it gets its data from the browser, at least that's how I understand it.

This is my code for identifying files using the MIME type.

// mime_content_type_new is the helper used in the original post; it must be given the
// temporary file path, not the whole $_FILES entry
if (mime_content_type_new($_FILES["userfile"]["tmp_name"]) == 'audio/mpeg') { /* do stuff */ }

Then there is using the Unix command line and interpreting that:

$fileinfo = exec("file -b 'song.mp3'"); echo $fileinfo;

This outputs something like this:

Audio file with ID3 version 2.3.0, contains: MPEG ADTS, layer III, v1, 192 kbps, 44.1 kHz, Stereo

So we can sort through and check this to match our file type.

$fileinfo = exec("file -b 'song.mp3'");
$filewewant = "MPEG";
$mpeg = stripos($fileinfo, $filewewant);
$filewewant = "layer III";
$mpeg3 = stripos($fileinfo, $filewewant);

// stripos() returns 0 when the needle is at the start, so compare with !== false
if ($mpeg !== false && $mpeg3 !== false) {
    echo "success";
}

This way seems to work better, regardless of the named extension (e.g. if it is renamed to .png), but requires the file to be saved first and then sorted through, and doesn't work on Windows.

I've also been pointed at http://pear.php.net/package/MIME_Type

Does anyone else have a better way of doing it? What is the correct way to identify what files are being uploaded to your server?

Rudiger Kidd
    Possible duplicate of [How to get the content-type of a file in PHP?](http://stackoverflow.com/questions/1232769/how-to-get-the-content-type-of-a-file-in-php). Having said that, I'd welcome more comprehensive answers here... – deceze Jul 03 '12 at 14:44
  • I didn't see that one when looking; it references mime-types a lot. Just trying to find out what alternatives there are as time has progressed (looking at the date). – Rudiger Kidd Jul 03 '12 at 14:50

2 Answers

1

MIME types are (should be) obtained by looking at the file's MIME header, a piece of data at the beginning of the file that indicates the MIME.

This is exactly what mime_content_type_new and your UNIX command are doing, so no issue there. Not sure what you mean by a "better" way, you're doing it correctly.

If you are getting different MIME type results because of a browser issue, you should probably create an array of acceptable values and check it with the in_array() method.

I wouldn't recommend leaving MIME type checks like that in the hands of client-side code, especially when security is a big issue. The client has access to the code so it is much easier to fool.

You could, however, do a check on both the client side and the server side. This will save you bandwidth from bad uploads, but still keep the system secure from malicious users.

Here's a nice tutorial on Javascript's FILE API and processing images with Javascript.

http://www.html5rocks.com/en/tutorials/file/dndfiles/

Cheers.

Doug
  • thanks for the info and the tutorial. I like the idea of both sides, you're right about keeping it server side for security, and the client side to limit bandwidth. Didn't think of it that way, oops. – Rudiger Kidd Jul 03 '12 at 15:17
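The server-side check the question is after, combining the libmagic verdict the `file` command gives (via PHP's finfo extension, so no shell call and it also works on Windows) with the whitelist-and-in_array approach from the answer above. This is an added example, not code from the question or either answer; it assumes the form field is named `userfile`, an `uploads/` directory next to the script, and the listed `audio/*` MIME strings as the variants libmagic may report for MP3.

```php
<?php
// Added example (not from the question or answers): validate that an upload is an MP3
// using server-side evidence only. $_FILES['type'] comes from the browser and is ignored.

function is_valid_mp3_upload(array $file): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }
    $path = $file['tmp_name'];
    // Only accept files PHP itself placed in the upload temp directory.
    if (!is_uploaded_file($path)) {
        return false;
    }

    // 1. libmagic verdict via finfo: same database the `file` command uses, no exec().
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    // Whitelist of acceptable values (assumed variants; extend if your libmagic differs).
    $allowed = ['audio/mpeg', 'audio/mp3', 'audio/mpeg3', 'audio/x-mpeg-3'];
    if (!in_array($mime, $allowed, true)) {
        return false;
    }

    // 2. Independent magic-byte check: an ID3v2 tag starts with "ID3"; a raw MPEG
    //    audio frame starts with an 11-bit sync word (0xFF, then top 3 bits of byte 2 set).
    $head = file_get_contents($path, false, null, 0, 3);
    if ($head === false || strlen($head) < 3) {
        return false;
    }
    $isId3  = substr($head, 0, 3) === 'ID3';
    $isSync = ord($head[0]) === 0xFF && (ord($head[1]) & 0xE0) === 0xE0;
    return $isId3 || $isSync;
}

// Usage: never reuse the client-supplied filename; store under a server-chosen name
// with a fixed extension so a renamed .php or .png can't come back with its own name.
if (is_valid_mp3_upload($_FILES['userfile'] ?? [])) {
    $dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.mp3';
    move_uploaded_file($_FILES['userfile']['tmp_name'], $dest);
    echo "success";
} else {
    http_response_code(400);
    echo "rejected";
}
```

Keep the upload directory outside the web root or served without script execution; the content check decides what the file is, the storage rules decide what it can do.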
0

This may not be a bulletproof solution (only new/current browsers), but the new JavaScript File API allows reading the MIME type without uploading the file. For any server-side validation you have to upload the file, and you should validate it.

Daniel