
I've been trying and retrying at this code trying to get the file extension and conditionally check against it, but due to the file's placement in flow I can't see what's going into $ext.

Can anyone pinpoint what is going wrong here? It's just manipulating the uploads file for dropzone.js.

<?php
// $ds and $storeFolder are not shown in the question; they are assumed here
// (as in the dropzone.js PHP sample) so the snippet runs on its own.
$ds          = DIRECTORY_SEPARATOR;
$storeFolder = 'uploads';

if (!empty($_FILES)) {

    $tempFile = $_FILES['file']['tmp_name'];                        //3

    $targetPath = dirname( __FILE__ ) . $ds . $storeFolder . $ds;   //4

    $targetFile = $targetPath . $_FILES['file']['name'];            //5

    // Extension is read from tmp_name (the server-side temporary file), not from the uploaded name
    $ext = end(explode(".", $_FILES['file']['tmp_name']));

    if(filesize($tempFile) < 6000000 and $ext == "png"){
        move_uploaded_file($tempFile,$targetFile); //6
    }

}
Shajo
  • I'm not sure what you mean by "due to the file's placement in flow" – Kmeixner Jun 15 '15 at 17:05
  • Don't base this all on the file extension. I could rename a PHP file to png, upload it, and then possibly run it from your uploads directory. Find out the mimetype and then validate using that. http://stackoverflow.com/questions/23287341/how-to-get-mime-type-of-a-file-in-php-5-5 – castis Jun 15 '15 at 17:10

1 Answer

You are using the tmp_name variable to get the extension, which will always give you a file with a .tmp extension.

In place of

$ext = end(explode(".", $_FILES['file']['tmp_name']));

Use this:

$ext = end(explode(".", $_FILES['file']['name']));

Update: But it is better to validate the file type by checking its MIME type (as said by @castis), as a user might rename their file with some extension and upload it.

Below is a code sample to validate a text file; you can use a similar method to validate an image type.

<?php
// Guard added so the check only runs once a file has actually been posted
if (!empty($_FILES['img']) && $_FILES['img']['error'] === UPLOAD_ERR_OK) {
    // Sniff the real content type of the uploaded bytes, not the client-supplied name
    $file_type = mime_content_type($_FILES['img']['tmp_name']);

    if($file_type == 'text/plain'){
        echo "file type is text";
    }
}
?>

<form action="#" method="post" enctype="multipart/form-data">
  <input type="file" name="img">
  <input type="submit" value="Submit">
</form>
Surbhi
  • Also you can find the file extension using $ext = pathinfo($_FILES['file_name']['name'],PATHINFO_EXTENSION); – Surbhi Jun 15 '15 at 17:54
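Putting the answer and castis's comment together, here is an added example (not code from the question, the answer, or dropzone.js) of the upload handler with content sniffing instead of extension checks; it assumes the question's 'file' field name, a 6000000-byte limit, and an uploads folder named $storeFolder.

```php
<?php
// Added example: hardened dropzone.js upload handler. The real content type is
// sniffed with finfo and cross-checked by the image decoder; the client-supplied
// filename is never reused on disk. $storeFolder and the field name are assumed.

$storeFolder = 'uploads';                                      // assumed, as in the question
$maxBytes    = 6000000;                                        // same limit as the question
$allowed     = ['image/png' => 'png', 'image/jpeg' => 'jpg'];  // MIME type => extension

function validate_upload(array $f, int $maxBytes, array $allowed): ?string
{
    // Reject anything PHP itself flagged (partial upload, ini size limit, not an upload)
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    if ($f['size'] > $maxBytes) {
        return null;
    }
    // Sniff the bytes on disk; $f['type'] and $f['name'] are client-controlled
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // Cross-check: the image decoder must agree with the sniffed MIME type
    $info = @getimagesize($f['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return $allowed[$mime];   // extension chosen by the server, not the client
}

if (!empty($_FILES['file'])) {
    $ext = validate_upload($_FILES['file'], $maxBytes, $allowed);
    if ($ext === null) {
        http_response_code(415);
        exit('Unsupported or invalid upload');
    }
    $targetPath = __DIR__ . DIRECTORY_SEPARATOR . $storeFolder . DIRECTORY_SEPARATOR;
    // Server-generated name: no path separators, no user input, no double extensions
    $targetFile = $targetPath . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $targetFile)) {
        http_response_code(500);
        exit('Could not store upload');
    }
    echo 'stored';
}
```

The uploads directory should additionally be served without script execution (for example, no PHP handler for that path), since MIME sniffing limits what is accepted but does not by itself stop a polyglot file from being interpreted.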