How can I determine the actual types of files uploaded by the browser?

For example, how do you know if a user uploads an image? Obviously, the suffix name is not reliable, and the mime information in the form is most likely to be forged is not reliable. How can I determine the type of all the form information? Do I need to parse this binary file? For example, how do you know if a user uploads an image?

1. The suffix is obviously unreliable and the easiest to forge
2. The mime information in the form is not reliable, and all form information can be forged.

How can I determine its type? Do I need to parse this binary file?

Reply content:

For example, how do you know if a user uploads an image?

1. The suffix is obviously unreliable and the easiest to forge
2. The mime information in the form is not reliable, and all form information can be forged.

How can I determine its type? Do I need to parse this binary file?

There is no other way to parse binary files. Even parsing binary files may also be cheated. PDF files that can be used to jailbreak the iPhone have existed.

There are many things you can't do absolutely. In a single sentence, you can do everything you need.

For imagesgetimagesize()Obtain the imagemimeIn this way, it does not depend on
Common files can be accessed through:
1.Finfo Extension
2.mime_content_type()
3. Call linux commandsexec("file -bi ".escapeshellarg($this->file_src_pathname))To detect
It is sufficient to select an appropriate detection document type.
The security of image uploading is mainly used when downloading and displaying images. If it is a script《script》alert(1)《script》Forgedimage/jpg, The browser will interpret it as html rather than an image to execute an invalid script. The above detection methods can avoid this situation

The simplest and safer method is to verify the signature information of the file.

PHP reference: http://www.codecto.com/article/4.html