
I see in the thread: How to check file types of uploaded files in PHP? davr suggests the use of:

system("file -bi $uploadedfile")

to check the file type as a safety measure. porneL makes this suggested addition:

system("file -bi -- ".escapeshellarg($uploadedfile))

Could someone explain how executing a potentially hazardous file with the system() function is a safe way to determine a file type?

Qubit

1 Answer


The unix command "file" is not executing the file.

From http://en.wikipedia.org/wiki/File_(command):

file is a standard Unix program for recognizing the type of data contained in a computer file using magic numbers.

The same method of checking the file type is suggested here: http://www.php.net/manual/en/function.mime-content-type.php#91646

You can also see what the arguments -bi mean here: http://linux.about.com/library/cmd/blcmdl1_file.htm

-b Do not prepend filenames to output lines (brief mode).

-i Causes the file command to output mime type strings rather than the more traditional human readable ones. Thus it may say `text/plain; charset=us-ascii' rather than `ASCII text'. In order for this option to work, file changes the way it handles files recognised by the command itself (such as many of the text file types, directories etc), and makes use of an alternative `magic' file. (See `FILES' section, below).

mittmemo
Excellent answer. Thank you. I didn't study the parameters carefully. Is it safe to assume that a Windows server (not my doing) will reject this code? – Qubit Aug 10 '12 at 01:38
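As an added example (not code from the thread), the check discussed above in PHP, assuming PHP 7.1 or later with the fileinfo extension available: the `file -bi` form with escapeshellarg, the in-process finfo alternative that needs no shell at all, and an allowlist comparison of the detected type.

```php
<?php
// Added example, not from the thread: determine an upload's MIME type from
// its bytes, never by executing it, and accept only allowlisted types.

// 1. Shell out to file(1) as suggested in the thread, with the argument escaped.
//    escapeshellarg() single-quotes the path so shell metacharacters in a
//    user-controlled name are passed literally; "--" ends option parsing so
//    a name beginning with "-" cannot be read as a flag by file(1).
function mimeTypeViaFileCommand(string $path): ?string
{
    $out = [];
    $status = 1;
    exec('file -bi -- ' . escapeshellarg($path), $out, $status);
    if ($status !== 0 || empty($out)) {
        return null;
    }
    // "text/plain; charset=us-ascii" -> "text/plain"
    return trim(explode(';', $out[0], 2)[0]);
}

// 2. Preferred: PHP's bundled libmagic binding reads the same magic database
//    in-process, so no shell command line is built from user input.
function mimeTypeViaFinfo(string $path): ?string
{
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    if ($finfo === false) {
        return null;
    }
    $mime = finfo_file($finfo, $path);
    finfo_close($finfo);
    return $mime === false ? null : $mime;
}

// Decide from content, not from the client-supplied name or $_FILES['type'],
// and compare against an allowlist rather than a denylist.
function isAllowedUpload(string $tmpPath, array $allowed): bool
{
    $mime = mimeTypeViaFinfo($tmpPath) ?? mimeTypeViaFileCommand($tmpPath);
    return $mime !== null && in_array($mime, $allowed, true);
}

// Usage with a constructed sample: a PNG signature plus a 1x1 IHDR chunk.
// The temp file's name plays no part in the decision; only its bytes do.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n"
    . "\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89");
var_dump(isAllowedUpload($tmp, ['image/png', 'image/jpeg']));
unlink($tmp);
```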