Smart file type detection using PHP

Source: Internet
Author: User
File suffix and MIME type detection
When we want to strictly limit the file type, we can simply use $_FILES['myfile']['type'] to obtain the MIME type of the file and then check whether it is a valid type.
Or we can get the file suffix by taking the last few characters of the file name. Unfortunately, these methods are not enough: anyone can easily change the file extension to bypass this restriction. In addition, MIME type information is sent by the browser, and most browsers, if not all, provide the MIME type based on the file extension! Therefore, the MIME type, just like the extension, can be easily spoofed.
Use "magic bytes"
The best way to determine the file type is by checking the first few bytes of the file, known as "magic bytes". Magic bytes are essentially signatures that vary in length from 2 to 40 bytes and sit in the file header or at the end of the file. There are hundreds of types of files, many of which have several file signatures associated with them. Here you can see a list of file signatures.
The lazy method is to use the fileinfo extension. As of PHP 5.3.0 it is enabled by default (according to the official manual). If not, you can enable it yourself.
For example, on Windows:

The code is as follows:

extension=php_fileinfo.dll

Linux:

The code is as follows:

extension=fileinfo.so
; If it does not work properly, add the following
; mime_magic.magicfile=/usr/share/file/magic



If it does not work properly on Windows:
See: http://www.php.net/manual/en/fileinfo.installation.php#82570
Download file-5.03-bin.zip and decompress it. The share directory contains two files: magic.mgc and magic.
Then add a system environment variable named MAGIC pointing to the magic file. For example, D:\software\PHP\extras\misc\magic

The code is as follows:


function getFileMimeType($file) {
    // Read the file content and let fileinfo detect the type from it
    $buffer = file_get_contents($file);
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->buffer($buffer);
}
// $file is the path of the file to check
$mime_type = getFileMimeType($file);
switch ($mime_type) {
    case "image/jpeg":
        // Your actions go here...
}
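An added example (not code from the original article) that combines the two points above: the browser-supplied type is only logged for comparison, and the decision comes from fileinfo's reading of the content. The function and constant names are hypothetical, the sample files are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; function and constant names are hypothetical.
// Allowlist: MIME type detected from content => extension the server assigns.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Pick the stored file name from the file's content alone.
 * $clientType is the value the browser sent ($_FILES[...]['type']); it is
 * only compared and logged, never trusted. Returns null when rejected.
 */
function chooseStoredName(string $path, string $clientType): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($path);   // inspects the content, not the name
    if ($detected === false || !array_key_exists($detected, ALLOWED_TYPES)) {
        return null;
    }
    if ($detected !== $clientType) {
        // json_encode keeps client-controlled text from breaking the log line
        error_log('upload type mismatch: claimed ' . json_encode($clientType)
            . ', detected ' . $detected);
    }
    // Random name plus an extension derived from the detected type: the
    // client's own file name and extension never reach the file system.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
}

// Constructed samples written to temp files so the demo runs from the CLI.
$samples = [
    ['GIF header, claimed image/gif', "GIF89a\x01\x00\x01\x00\x00\x00\x00;", 'image/gif'],
    ['plain text, claimed image/jpeg', "just text, not an image\n", 'image/jpeg'],
];
foreach ($samples as [$label, $bytes, $claimed]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $name = chooseStoredName($tmp, $claimed);
    echo $label, ': ', $name ?? 'rejected', PHP_EOL;
    unlink($tmp);
}
```

In a real upload handler, $path would be $_FILES['myfile']['tmp_name'] and the returned name would be the destination passed to move_uploaded_file().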


Processing image uploads
If you want to allow only image uploads, you can use the built-in getimagesize() function to ensure that the user actually uploads a valid image file. If the file is not a valid image file, this function returns false.

The code is as follows:


// Assume that the name attribute of the file input field is myfile.
$tempFile = $_FILES['myfile']['tmp_name']; // path of the temp file created by PHP during upload
$imginfo_array = getimagesize($tempFile); // returns false if not a valid image file
if ($imginfo_array !== false) {
    $mime_type = $imginfo_array['mime'];
    switch ($mime_type) {
        case "image/jpeg":
            // Your actions go here...
    }
} else {
    echo "This is not a valid image file";
}


Read and interpret "magic bytes" manually
If, for some reason, you cannot install the Fileinfo extension, you can still determine the file type manually by reading the first few bytes of the file and comparing them with the known magic bytes associated with specific file types. This process is necessarily somewhat experimental and error-prone, because a few invalid magic bytes may also be associated with a legitimate file format.
However, this is not impossible. A few years ago, I was asked to create a script that only allows true MP3 file uploads. At that time, we could not use Fileinfo, so we could only rely on this manual detection method.
I spent some time parsing illegal magic bytes for some MP3 files, but soon I had a stable upload script.
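One way to do the manual check described above, as an added example rather than the author's original script. The signature table and function name are hypothetical, the samples are constructed leading bytes, and the MP3 branch covers both files that start with an ID3v2 tag and files that start directly with an MPEG audio frame.

```php
<?php
// Added example; names are hypothetical. Signatures are anchored at offset 0.
const SIGNATURES = [
    'image/jpeg'      => ["\xFF\xD8\xFF"],
    'image/png'       => ["\x89PNG\r\n\x1A\n"],
    'image/gif'       => ['GIF87a', 'GIF89a'],
    'application/pdf' => ['%PDF-'],
    'audio/mpeg'      => ['ID3'],   // MP3 that begins with an ID3v2 tag
];
function sniffType(string $path): ?string
{
    $head = file_get_contents($path, false, null, 0, 16); // first 16 bytes only
    if ($head === false || $head === '') {
        return null;
    }
    foreach (SIGNATURES as $mime => $magics) {
        foreach ($magics as $magic) {
            if (strncmp($head, $magic, strlen($magic)) === 0) {
                return $mime;
            }
        }
    }
    // An MP3 without an ID3v2 tag starts directly with an MPEG audio frame
    // header: 11 sync bits set, a non-reserved version, and Layer III.
    if (strlen($head) >= 2) {
        $b1 = ord($head[1]);
        $sync    = ord($head[0]) === 0xFF && ($b1 & 0xE0) === 0xE0;
        $version = ($b1 >> 3) & 0x03;   // binary 01 is reserved
        $layer   = ($b1 >> 1) & 0x03;   // binary 01 means Layer III
        if ($sync && $version !== 1 && $layer === 1) {
            return 'audio/mpeg';
        }
    }
    return null;
}
// Constructed samples: only the leading bytes of each file type.
$samples = [
    'mp3 with ID3v2 tag'    => "ID3\x03\x00\x00\x00\x00\x00\x0A",
    'mp3 starting at frame' => "\xFF\xFB\x90\x00",
    'png'                   => "\x89PNG\r\n\x1A\n\x00\x00\x00\x0DIHDR",
    'text named song.mp3'   => "not audio at all",
];
foreach ($samples as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'sig');
    file_put_contents($tmp, $bytes);
    printf("%-24s %s\n", $label, sniffType($tmp) ?? 'rejected');
    unlink($tmp);
}
```

A matching signature only says how the file begins; it says nothing about the bytes that follow.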
Before the end of this article, I would like to give you a warning: make sure that you never call include() on an uploaded file, because PHP code may be cleverly hidden in an image, and that image can still pass your file type detection. When such a script runs, it can only cause damage to your system.
Translation: http://designshack.co.uk/articles/php-articles/smart-file-type-detection-using-php/
