Using file suffixes and MIME type detection
Usually we want to strictly restrict the file type, we can simply use $_files[' myFile ' [' type '] to get the MIME type of the file and then to detect whether it is a legitimate type.
Or we can take the last few characters of the filename to get the file suffix, unfortunately, these methods are not enough and can easily change the file's extension to bypass this restriction. In addition, MIME type information is sent by the browser, and, for most browsers, even if not all, the MIME type information is given based on the file's extension! Therefore, the MIME type, like the extension, can be easily spoofed.
use "Magic bytes"
The best way to determine the file type is by checking the first few bytes of the file-called "Magic bytes". The magic byte is essentially a signature in the file header between 2 and 40 bytes in length, or at the end of the file. There are hundreds of types of files, and quite a few file types have several file signatures associated with them. Here you can see a list of file signatures.
The lazy way is to use the FileInfo extension, PHP 5.3.0 is enabled by default (according to the official manual), if not enabled, you can enable it yourself
As in Windows:
Copy CodeThe code is as follows:
Extension=php_fileinfo.dll
Linux below:
Copy CodeThe code is as follows:
Extension=fileinfo.so
#如不能正常工作, plus this one.
#mime_magic. magicfile=/usr/share/file/magic
The following windows do not work as expected:
Refer to: http://www.php.net/manual/en/fileinfo.installation.php#82570
Download File-5.03-bin.zip, unzip it out, in which the share directory has MAGIC.MGC, magic two files.
Then add a system environment variable called Magic to point to the magic file. such as D:\software\PHP\extras\misc\magic
Copy CodeThe code is as follows:
function Getfilemimetype ($file) {
$buffer = file_get_contents ($file);
$finfo = new Finfo (fileinfo_mime_type);
Return $finfo->buffer ($buffer);
}
$mime _type = Getfilemimetype ($file);
Switch ($mime _type) {
Case "Image/jpeg":
Your actions go here ...
}
process Image uploads
If you intend to allow only images to be uploaded, then you can use the built-in getimagesize () function to ensure that the user is actually uploading a valid image file. If the file is not a valid image file, this function returns FALSE.
Copy CodeThe code is as follows:
Assume that the Name property of the file input field is myfile
$tempFile = $_files[' myFile ' [' tmp_name ']; Path of the temp file created by PHP during upload
$imginfo _array = getimagesize ($tempFile); Returns a false if not a valid image file
if ($imginfo _array!== false) {
$mime _type = $imginfo _array[' mime ');
Switch ($mime _type) {
Case "Image/jpeg":
Your actions go here ...
}
}
else {
echo "This was not a valid image file";
}
manually read and interpret "Magic bytes"
If for some reason you cannot install the FileInfo extension, then you can still manually determine the file type by reading the first few bytes of the file and comparing them with the known magic bytes associated with a particular file type. This process certainly has a little trial and error, as there is also the possibility that a few illegal magic bytes are associated with the legitimate file format.
It was not impossible, however, a few years ago, I was asked to do a script file that only allowed the real mp3 file to be uploaded, and we could not use Fileinfo at the time, we could only rely on this kind of manual detection method.
It took me a while to parse some of the illegal magic bytes of the mp3 file, but soon I got a stable upload script.
Before the end of this article, I would like to give you a warning: Make sure you never call an include () to include an uploaded file, because PHP code is likely to be cleverly hidden in the image, and the image can be successfully detected through your file, when such a script run, it can only cause damage to the system.
Translated from: http://designshack.co.uk/articles/php-articles/smart-file-type-detection-using-php/
http://www.bkjia.com/PHPjc/324061.html www.bkjia.com true http://www.bkjia.com/PHPjc/324061.html techarticle using file suffixes and MIME type detection usually when we want to strictly restrict file types, we can simply use $_files[' myFile ' [' type '] to get the MIME type of the file and then to detect whether it ...
