
I have an application that needs to support uploading of content files such as PDFs, images, etc.

What is the most reliable method of ensuring that I only get the kinds of files I specify, and no other files such as executables? Should I just look at the file extension or content-type, or is there a better way?

Aaronaught
eomeroff
  • Best for what purpose exactly? The extension can be faked, the content type can be faked as well... – Sklivvz Apr 24 '11 at 22:22
  • Validation is up to you and the nature of your application. It could be for extension or file size or, if it's essential, you could validate the contents before you accept/store them on the server. – Bala R Apr 24 '11 at 22:23
  • It is for the purpose of communication between user and provider; it can contain PDF documents, screenshot images and similar. How can I be sure that the user is unable to upload executable files and other problematic files (many of which I am not aware of)? – eomeroff Apr 24 '11 at 22:29
  • Validation should be based on a whitelist, not a blacklist. I know it's not a complete answer to your question, but in this case I think it's all I can say. – kubal5003 Apr 24 '11 at 22:43
  • All: Please consider editing as an alternative to closing. Yes, this question was poorly written, but there clearly *is* a question here. It can be answered and *has* been answered. – Aaronaught Apr 25 '11 at 15:54
  • possible duplicate of [How to get the file type in PHP](http://stackoverflow.com/questions/1740406/how-to-get-the-file-type-in-php) – NikiC Apr 26 '11 at 21:47

2 Answers


Similar question from here that I answered previously. The first 2-3 characters will tell you more explicitly the TYPE of file, regardless of the file extension.

DRapp

I would follow this process at minimum (although to be really secure you may need to do more, depending on the nature of your files):

1) Check for an appropriate file extension

2) Check for the file's magic number

3) Read in the first x bytes (e.g. perhaps 1000 bytes) and see if they match that type of file's format.

Jason Moore
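An added example (not from the question or either answer) that implements the three steps of Jason Moore's answer together with the magic-number check DRapp describes, as a single allow-list validator. It assumes the uploaded bytes are already in memory and that only PDF, PNG and JPEG are permitted; the `ALLOWED` table, the helper names and every sample file below are constructed for this illustration.

```python
# Added example: allow-list upload validation in three steps
# (extension -> magic number -> structure of the leading bytes).
# Assumptions: file contents are in memory; only PDF, PNG and JPEG are
# permitted. ALLOWED, the helper names and SAMPLES are constructed here.
import os
import struct

# Allow-list: extension -> (content-type to serve, magic-number prefix).
# Anything not listed is rejected no matter what the client claims.
ALLOWED = {
    ".pdf": ("application/pdf", b"%PDF-"),
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
}


def check_extension(filename):
    """Step 1: the extension must be on the allow-list (case-insensitive)."""
    ext = os.path.splitext(filename)[1].lower()
    return ext if ext in ALLOWED else None


def check_magic(data, ext):
    """Step 2: the first bytes must carry the magic number for that type."""
    return data.startswith(ALLOWED[ext][1])


def check_structure(data, ext, limit=1000):
    """Step 3: sanity-check the leading bytes against the format's layout.
    These are cheap, format-specific checks, not a full parser."""
    head = data[:limit]
    if ext == ".pdf":
        # Header is '%PDF-M.N' where M and N are version digits.
        return (len(head) >= 8 and head[5:6].isdigit()
                and head[6:7] == b"." and head[7:8].isdigit())
    if ext == ".png":
        # The first chunk after the 8-byte signature must be IHDR (13 bytes)
        # with a non-zero width and height.
        if len(head) < 24:
            return False
        length, ctype = struct.unpack(">I4s", head[8:16])
        if ctype != b"IHDR" or length != 13:
            return False
        width, height = struct.unpack(">II", head[16:24])
        return width > 0 and height > 0
    if ext in (".jpg", ".jpeg"):
        # After SOI (FF D8) the next segment marker must be FF xx, xx not 00/FF.
        return (len(head) >= 4 and head[2:3] == b"\xff"
                and head[3] not in (0x00, 0xFF))
    return False


def validate_upload(filename, data):
    """Return (ok, reason_or_content_type). Every step must pass; the
    extension on its own is never trusted."""
    ext = check_extension(filename)
    if ext is None:
        return False, "extension not allowed"
    if not check_magic(data, ext):
        return False, "magic number does not match extension"
    if not check_structure(data, ext):
        return False, "leading bytes do not match file format"
    return True, ALLOWED[ext][0]


# Constructed sample uploads (not real files).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "shot.PNG": (b"\x89PNG\r\n\x1a\n"
                 + struct.pack(">I4sII", 13, b"IHDR", 640, 480)
                 + b"\x08\x06\x00\x00\x00"),
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    # A PE executable renamed to .pdf: the MZ header gives it away.
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00",
    # Correct PNG signature but no IHDR chunk behind it.
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20,
    # Disallowed extension, rejected before the bytes are even looked at.
    "tool.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, validate_upload(name, blob))
```

Two caveats worth keeping in mind when using checks like these: the content type sent by the browser is never consulted, because the client controls it; and a file can satisfy all three steps and still be hostile (a valid PDF can carry active content, and polyglot files exist that are valid as two formats at once), so the accepted files should still be stored outside the web root and served with the content type from the allow-list rather than anything derived from the upload.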