
Possible Duplicate:
How to check file types of uploaded files in PHP?

Create a text file, rename it to anything.jpg and try uploading it on Facebook: Facebook detects that the file is not an image and says "Please select an image file" or something like that. How do they do it?

I tested it out on my localhost by creating a dummy HTML form with an `<input type="file" ...>` element and uploaded an "image" file created by renaming a text file to something.jpg, and the file type in `$_FILES['control_name']['type']` showed `image/jpeg`... How do I block users from uploading such 'fake' images? I think a restriction using `$_FILES['control_name']['type']` is not a solution, right?

ShuklaSannidhya
  • Did you check this? http://stackoverflow.com/questions/652002/detecting-mime-type-in-php – azendh Feb 03 '13 at 13:03
  • @azendh How do I check `mime_content_type` on the `$_FILES['control_name']` before uploading it on the server using `move_uploaded_file()`? – ShuklaSannidhya Feb 03 '13 at 13:11

3 Answers


When you process the image on the server, use an image manipulation library (`getimagesize`, for example) to detect its width and height. When this fails, reject the image. You will probably do it anyway to generate a thumbnail, so it is like one extra `if`.

Josef Kufner

There are many ways of checking the actual files. How Facebook does it, only the ones who created it know, I think :).

Most likely they will look at the first bytes in the file. All files have certain bytes describing what they truly are. For this, however, you need loads of time/money creating a database or such against which you can validate the uploads.

More common solutions are:

FORM attribute

In a lot of browsers, of course excluding Internet Explorer, you can set an accept attribute which checks on extensions client side. More info here: File input 'accept' attribute - is it useful?

Extension

This is not really secure, for a script can be saved with an image extension.

Read file MIME TYPE

This is a solution like you stated in your question. This however is also easy to bypass and relies on the up-to-date status of your server.

Processing the image

The most reliable (for most developer skills and available time) would be to process the image as a test. Put it in a library like GD or Imagick. They will raise errors when an image is not really an image. This, however, will require you to keep that software up to date.

In short, there is no 100% guarantee to catch this without spending tons of hours. Even then you only get 99.9%. You should weigh your available time against the above options and choose which best suits you. As best practice I recommend a combination of all 3.

This topic is also discussed in Security: How to validate image file uploads?

mvbrakel
  • But how do I process the image (in GD) using `$_FILES['control_name']`, before uploading it (`move_uploaded_file()`)? – ShuklaSannidhya Feb 03 '13 at 13:17
  • You can't. You could see it as a multi-stage rocket. First check client side, then server side on extension and MIME. That is a good first check. Just for added security, process the image (after upload). This will indeed cost some extra resources, but if it doesn't validate you could immediately unlink the file, as you have the full path. – mvbrakel Feb 03 '13 at 13:19
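The server-side checks from the two answers above (magic bytes, `getimagesize`, decoding with GD) combined into one validator that runs on the temporary upload file before `move_uploaded_file()`. This is an added example, not code from the question or either answer; the function name `validateUploadedImage`, the `uploads/` directory and the 25-megapixel cap are assumptions.

```php
<?php
// Added example (not from the question or any answer): three independent
// server-side checks on the temporary upload file before it is moved into
// place. Needs fileinfo and GD (PHP 7.1+); returns the verified extension.
function validateUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }
    // $file['type'] and $file['name'] come from the client and are ignored.
    $path = $file['tmp_name'];
    if (!is_uploaded_file($path)) {
        throw new RuntimeException('not an uploaded file');
    }
    // 1. Magic bytes: finfo looks at the file header, not the extension.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("header says '$mime', not an allowed image");
    }
    // 2. getimagesize() must parse the image and agree with the header;
    //    the pixel cap (assumed) keeps step 3 from decoding a decompression bomb.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('image dimensions could not be read');
    }
    [$width, $height] = $info;
    if ($width < 1 || $height < 1 || $width * $height > 25000000) {
        throw new RuntimeException("unreasonable dimensions {$width}x{$height}");
    }
    // 3. Fully decode with GD: a file with a plausible header but a bogus
    //    body (the renamed text file from the question) fails here.
    $img = @imagecreatefromstring(file_get_contents($path));
    if ($img === false) {
        throw new RuntimeException('GD could not decode the file');
    }
    imagedestroy($img);
    return $allowed[$mime];
}
// Usage with the form field from the question: move only after validation,
// under a server-generated name whose extension comes from the verified content.
try {
    $ext = validateUploadedImage($_FILES['control_name']);
} catch (RuntimeException $e) {
    http_response_code(400);
    exit('Rejected: ' . $e->getMessage());
}
$dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . ".$ext";
move_uploaded_file($_FILES['control_name']['tmp_name'], $dest);
```

A text file renamed to `.jpg` is rejected at step 1 (`finfo` reports `text/plain`); step 3 is what catches a file that carries a forged image header but no decodable image body.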

Headers in your file won't be the same.

mimipc