18

I'm trying to determine the MIME type of an uploaded file. I want to use fileinfo(); this is what I've been trying, and it isn't working:

$uploadedfile = $_FILES['soup']['tmp_name'];
if(isset($uploadedfile))
{
    $uploadedname = $_FILES['soup']['name'];
    $file=$uploadedsong;
    $file.=$uploadedname;
    $finfo = finfo_open(FILEINFO_MIME_TYPE); 
    $mime = finfo_file($finfo, $file);

Unfortunately the finfo_file doesn't seem to be running. I'm assuming I have the following $file set incorrectly for this. Is there a way I can do this properly with a newly uploaded file using $_FILE like this, or am I going at this problem the completely improper way? Using a file I have pre-set in another directory, and setting $file="folder/file.doc", works properly.

JimmyBanks

3 Answers

34

You should be passing the path to the finfo_file function, not the filename.

<?php 
if (isset($_FILES['soup']['tmp_name'])) {
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $_FILES['soup']['tmp_name']);
    if ($mime == 'application/msword') {
        // It's a doc format, do something
    }
    finfo_close($finfo);
}
?>
Lawrence Cherone
1

I use the finfo() buffer() function as well as file_get_contents() from the PHP platform, as below:

$finfo = new finfo(FILEINFO_MIME_TYPE); # FILEINFO_MIME would also append "; charset=..."
$mimetype = $finfo->buffer(file_get_contents($filename)); # gives you the MIME type

You need to be on PHP 5.3 or higher and make sure you have the finfo() extension installed: for Linux, extension=fileinfo, and in Windows, php_fileinfo.dll.

You can have an array of accepted MIME types and then check if it exists in that array:

$acceptedMime = [];
if(in_array($mimetype, $acceptedMime, true) === true){
  #mime type is valid. Proceed!
}

Another alternative to avoid having to check mime types would be to store file uploads completely out of the document root folder.

Rotimi
-1

I know this is a bit old, but since you're using the $_FILES super global, can you use the type key of the file array (i.e. $_FILES['soup']['type']) rather than having the server check once the file is uploaded?

Jon Gallup
  • 5
    Using the $_FILES array parameters to verify file type is spoof-able. That is why the finfo_file was created so we can actually check the binary of the file to determine if it is really for example an image file and not a php file with its file extension renamed to jpg, in which case the $_FILES array type would give jpg. – jessiPP Oct 13 '15 at 05:11
  • It's still quite easy to spoof the first bytes of a PHP file to trick finfo_file into thinking it's jpg. – MyUsername112358 Jan 10 '19 at 12:34
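
Putting the answers and comments above together, here is an added example (not part of any post in this thread): the type is detected from the temporary file with finfo, checked against an allow-list, and the stored name and extension are chosen by the server. The allow-list, the function names classify_upload and store_upload, and the sample bytes are assumptions made for illustration.

```php
<?php
// Added example: allow-list, function names and samples are assumptions.
const ALLOWED = [                       // detected MIME type => extension we assign
    'application/msword' => 'doc',
    'application/pdf'    => 'pdf',
];

// Returns the extension to store the file under, or null if the content is not allowed.
function classify_upload(string $tmpPath): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);   // type only, no "; charset=..."
    $mime  = (string) $finfo->file($tmpPath); // inspects the bytes on disk; false becomes ''
    return array_key_exists($mime, ALLOWED) ? ALLOWED[$mime] : null;
}

// Handler for one $_FILES entry; $storeDir should be outside the document root.
function store_upload(array $file, string $storeDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;                          // failed upload, or not an HTTP upload at all
    }
    $ext = classify_upload($file['tmp_name']);
    if ($ext === null) {
        return null;                          // content type not on the allow-list
    }
    // Server-chosen name: $file['name'] and $file['type'] are never used.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Offline demo on constructed samples (CLI only; no HTTP upload involved).
if (PHP_SAPI === 'cli') {
    $samples = [
        'real PDF'                => "%PDF-1.4\n% constructed sample\n",
        'PHP source sent as .doc' => "<?php echo 'constructed sample'; ?>\n",
    ];
    foreach ($samples as $label => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        $ext = classify_upload($tmp);
        echo $label, ': ', $ext === null ? 'rejected' : "accepted as .$ext", PHP_EOL;
        unlink($tmp);
    }
}
```

Because content sniffing can itself be fooled, as the last comment notes, the server-assigned extension and a storage directory outside the document root are what keep an uploaded file from being executed.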