-1

I am wondering what the correct way is to check if a user-provided image is an actual image.

I saw the following two examples:

```php
$x = pathinfo('upload.png', PATHINFO_EXTENSION);
```

Result: png

```php
$x = new finfo(FILEINFO_MIME_TYPE);
$x->file('upload.png');
```

Result: image/png

Robert
  • Try to resize it or use [getimagesize](https://secure.php.net/manual/en/function.getimagesize.php) – jDo Apr 01 '16 at 00:06
  • Look at this http://stackoverflow.com/questions/15595592/php-validating-the-file-upload – Angad Dubey Apr 01 '16 at 00:07
  • `getimagesize` .... – zerkms Apr 01 '16 at 00:07
  • http://stackoverflow.com/questions/15408125/php-check-if-file-is-an-image and http://stackoverflow.com/questions/6755192/uploaded-file-type-check-by-php might help – zedfoxus Apr 01 '16 at 00:07
  • you could use the binary `file` (only available on *nix), but using `finfo` is also a very good way (maybe the best) to do that. – Federkun Apr 01 '16 at 00:20

1 Answer

0

The latter. An extension can be changed; finfo can be faked as well, but it is more difficult. See the docs for other ways to check. As a commenter warns, it is 'not that hard to wrap harmful executable code in a file identified as a GIF'. But that being said, here's the image check I use:

```php
if (!$img = @imagecreatefromgif($uploadedfilename)) {
  trigger_error('Not a GIF image!', E_USER_WARNING);
  // do necessary stuff
}
```

Good luck!

hd1
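The checks mentioned in this thread (`finfo`, `getimagesize`, a GD decode) can be layered and followed by a re-encode, so that bytes appended to a file that sniffs as a GIF are not carried into the stored copy. This is an added example, not code from the question or the answer; `store_image`, `ALLOWED`, `$maxSide` and the sample file names are hypothetical, and it assumes PHP 8+ with the fileinfo and GD extensions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8+ with fileinfo and GD.
const ALLOWED = [ // hypothetical allowlist: sniffed MIME => extension, IMAGETYPE_*
    'image/png'  => ['png', IMAGETYPE_PNG],
    'image/jpeg' => ['jpg', IMAGETYPE_JPEG],
    'image/gif'  => ['gif', IMAGETYPE_GIF],
];

// Returns the path of a re-encoded copy, or null if the file is rejected.
function store_image(string $tmpPath, string $destDir, int $maxSide = 4096): ?string
{
    // 1. Sniff the content; the client-supplied name and Content-Type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        return null;
    }
    [$ext, $type] = ALLOWED[$mime];
    // 2. The header must parse as the same format, with bounded dimensions.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== $type
        || min($info[0], $info[1]) < 1 || max($info[0], $info[1]) > $maxSide) {
        return null;
    }
    // 3. Full decode with GD; truncated or malformed files fail here.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    // 4. Re-encode under a server-chosen name; only decoded pixels are written.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($type) {
        IMAGETYPE_PNG  => imagepng($img, $dest),
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 90),
        IMAGETYPE_GIF  => imagegif($img, $dest),
    };
    return $ok ? $dest : null;
}

// Constructed inputs: a 2x2 GIF with inert bytes appended, and text named .png.
$dir = sys_get_temp_dir();
$gif = "$dir/sample_upload.gif";
imagegif(imagecreatetruecolor(2, 2), $gif);
file_put_contents($gif, 'TRAILING-DATA', FILE_APPEND);
$txt = "$dir/sample_upload.png";
file_put_contents($txt, "just text\n");
$stored = store_image($gif, $dir);
var_dump($stored !== null);
var_dump(str_contains(file_get_contents($stored), 'TRAILING-DATA'));
var_dump(store_image($txt, $dir));
```

The three dumps show, in order, whether the GIF was accepted, whether the appended marker survived the re-encode, and the result for the text file named `.png`.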