
I have a file upload system in a site which allows upload of .doc, .docx and .pdf files. Currently the PHP script allows upload of any file type. I would like to restrict it to only allow uploading of genuine PDF, DOC and DOCX files. I have read that this is best done via checking the MIME type / headers of the file, but can't seem to find an agreed best solution to do this anywhere.

Any tips on the best way to achieve this?

Current upload PHP is:

$meta = $dropbox->UploadFile($_FILES["fileInputFieldName"]["tmp_name"], $upload_name);

Appreciate any tips on how to integrate this into the suggestions please.

dubbs

4 Answers


Why don't you try the code below:

// mime_content_type() inspects the file's own bytes, so it does not rely on the browser-supplied $_FILES[...]["type"]
$sys = mime_content_type($_FILES["fileToUpload"]["tmp_name"]);
$allowed = array(
    'application/pdf',
    'application/msword',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'application/x-zip', // some libmagic versions report .docx as a plain zip container
);
if (in_array($sys, $allowed, true)) {
    echo 'allowed';
} else {
    echo 'not allowed';
}
Justin

I used this in the end for those interested:

$allowedExts = array(
  "pdf",
  "doc",
  "docx"
);

$allowedMimeTypes = array(
  'application/msword',
  'application/pdf',
  'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
  'application/x-pdf',
  'application/vnd.pdf',
  'text/pdf'
);

// pathinfo() avoids the "Only variables should be passed by reference" notice
// that end(explode(...)) raises; the extension is lower-cased for the comparison.
$extension = strtolower(pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION));

if ( ! in_array($extension, $allowedExts, true) ) {
  die('Please provide another file type [E/2].');
}

// $_FILES["file"]["type"] is whatever the browser reported; it is not derived from the file's contents.
if ( in_array( $_FILES["file"]["type"], $allowedMimeTypes, true ) )
{
  // basename() keeps a crafted name such as "../x.pdf" from escaping the upload directory
  move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . basename($_FILES["file"]["name"]));
}
else
{
  die('Please provide another file type [E/3].');
}
dubbs
  • But just tested and I took a JPG file and gave it a .pdf file extension and it passed this validation...??? – dubbs Oct 26 '15 at 15:01
  • This is not safe: the `type` property is sent by the browser and can be faked, or fall afoul of browsers incorrectly recognizing the type (that's probably what happened in the JPG vs. PDF case). Justin's answer is the only safe one. – Pekka Mar 06 '17 at 16:27
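A server-side check that does what Justin's answer and Pekka's comment point at, as an added example that is not code from the question or from any answer: it validates the extension, then asks libmagic (PHP's fileinfo extension) for the type of the file's actual bytes, and requires the two to agree, so a JPEG renamed to .pdf is rejected. ALLOWED, validateDocument() and handleUpload() are names chosen for this example, and the JPEG and PDF headers written at the end are constructed stand-ins for real uploads.

```php
<?php
// Added example: validate an upload by extension AND by the MIME type detected
// from the file's own bytes, never by the browser-supplied $_FILES[...]['type'].
declare(strict_types=1);

// extension => MIME types libmagic is expected to report for that format (example allow-list)
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'doc'  => ['application/msword'],
    // Older libmagic builds report .docx as a plain zip container.
    'docx' => [
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
        'application/zip',
    ],
];

/**
 * Return the detected MIME type, or null if the file fails validation.
 * $clientName is the browser-supplied name (used only for its extension);
 * $path is the file on disk (normally $_FILES[...]['tmp_name']).
 */
function validateDocument(string $clientName, string $path): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null; // extension not on the allow-list
    }

    // fileinfo reads the magic bytes of the file itself.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $detected = finfo_file($finfo, $path);
    finfo_close($finfo);
    if ($detected === false) {
        return null;
    }

    // The detected type must match what the extension claims, not merely be
    // some allowed type, so a .pdf that is really a .docx is also rejected.
    return in_array($detected, ALLOWED[$ext], true) ? $detected : null;
}

/** Validate one entry of $_FILES and store it under a server-generated name (hypothetical helper). */
function handleUpload(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if (validateDocument($file['name'], $file['tmp_name']) === null) {
        throw new RuntimeException('Please provide another file type');
    }
    // Never reuse the client's file name in a path; keep only the vetted extension.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Demonstration with constructed data: JPEG start-of-image bytes saved under a
// .pdf name (the case dubbs reported slipping past the client-type check),
// followed by a minimal PDF header under the same name.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\xFF\xD8\xFF\xE0" . str_repeat("\0", 64));
var_dump(validateDocument('invoice.pdf', $tmp));

file_put_contents($tmp, "%PDF-1.4\n%\xE2\xE3\xCF\xD3\n");
var_dump(validateDocument('invoice.pdf', $tmp));
unlink($tmp);
```

libmagic classifies the first file as image/jpeg regardless of its .pdf name, so validateDocument() returns null and the file is rejected; the %PDF- header is reported as application/pdf and accepted. Run it from the command line with php to see both results. In the question's setup the validation would run on $_FILES['fileInputFieldName'] before the $dropbox->UploadFile() call, and the generated name from handleUpload() is what you would pass on as $upload_name.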
This is how I restrict the extension for images; you can apply this for doc and other files you want.

"I converted $_FILES to $file"

$file = $_FILES; // in this answer $file is simply an alias for $_FILES

if ($file['profile_pic']['error'] == 0) {
    $fileName = strtolower($file['profile_pic']['name']);
    $fileType = $file['profile_pic']['type']; // browser-supplied, not checked against the file's bytes
    $tempName = $file['profile_pic']['tmp_name'];
    $fileSize = $file['profile_pic']['size'];

    // MIME types accepted for a profile picture
    $fileExtArray = array('image/jpeg', 'image/jpg', 'image/png', 'image/gif', 'public.jpeg');
    $random_no = mt_rand() * 64;
    $uploaddir = '../../Application/img/';
    $file_name = $random_no . "_profile_" . $fileName;
    $image = $uploaddir . basename($file_name); // basename() keeps the name inside $uploaddir
    if (in_array($fileType, $fileExtArray, true)) {
        move_uploaded_file($tempName, $image);
    }
}
Vinita Pawar
$allowedExts = array("bmp", "gif", "jpg", "png", "jpeg");
$message   = ''; // initialise before appending so the $message == '' check below works
$RandomNum = rand(0, 9999);
$ImageName = str_replace(' ', '-', strtolower($_FILES['uploadedimage']['name']));
$ImageType = $_FILES['uploadedimage']['type']; // "document/txt", document/doc etc. (browser-supplied)
$ImageExt  = substr($ImageName, strrpos($ImageName, '.'));
$ImageExt  = str_replace('.', '', $ImageExt);
if (!empty($_FILES["uploadedimage"]["name"]))
{
    if (!in_array($ImageExt, $allowedExts))
    {
        $message .= "<span class='error-message'>Invalid file format of image, only <b>'bmp', 'gif', 'jpg','png','jpeg'</b> allowed.</span><br>";
    }
}
if (isset($message) && $message == '')
{
    //image
    $temp_name   = $_FILES["uploadedimage"]["tmp_name"];
    $imagename   = time() . '-' . $ImageName;
    $target_path = "../profile-images/" . $imagename;
    move_uploaded_file($temp_name, $target_path); // store the file under its timestamped name
    $_SESSION['message'] = $message;
}