Implementing smart file type detection in PHP

Source: Internet
Author: User
Using file suffixes and MIME type detection
Usually, when we want to strictly restrict the file type, we can simply read $_FILES['myFile']['type'] to get the MIME type of the file and then check whether it is a valid type.
Or we can take the last few characters of the file name to get the file suffix. Unfortunately, these methods are not enough: it is easy to change the file extension to circumvent the restriction. In addition, MIME type information is sent by the browser, and most browsers, if not all, derive the MIME type from the file's extension. Thus MIME types, like extensions, can be easily spoofed.
Using "magic bytes"
The best way to determine the file type is to check the first few bytes of the file, called the "magic bytes". The magic bytes are essentially a signature of 2 to 40 bytes in the header of a file, or at the end of a file. There are hundreds of file types, and quite a few file types have several file signatures associated with them. Here you can see a list of file signatures.
The lazy way is to use the Fileinfo extension, which is enabled by default as of PHP 5.3.0 (according to the official manual). If it is not enabled, you can enable it yourself.
If you are on Windows:

extension=php_fileinfo.dll

On Linux:

extension=fileinfo.so
; If it does not work properly, also add the following line.
;mime_magic.magicfile=/usr/share/file/magic

If it does not work under Windows, you can refer to: http://www.php.net/manual/en/fileinfo.installation.php#82570
Download file-5.03-bin.zip and extract it; its share directory contains two files, magic.mgc and magic.
Then add a system environment variable named MAGIC that points to the magic file, such as D:\software\PHP\extras\misc\magic

// Return the MIME type that Fileinfo derives from the file's content
function getFileMimeType($file) {
    $buffer = file_get_contents($file);
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->buffer($buffer);
}
$mime_type = getFileMimeType($file);
switch ($mime_type) {
    case "image/jpeg":
        // Your actions ...
        break;
}

Processing image uploads
If you plan to allow only images to be uploaded, you can use the built-in getimagesize() function to ensure that the user is actually uploading a valid image file. If the file is not a valid image file, this function returns FALSE.

// Suppose the name attribute of the file input field is myFile
$tempFile = $_FILES['myFile']['tmp_name']; // Path of the temp file created by PHP during upload
$imginfo_array = getimagesize($tempFile); // Returns false if not a valid image file
if ($imginfo_array !== false) {
    $mime_type = $imginfo_array['mime'];
    switch ($mime_type) {
        case "image/jpeg":
            // Your actions ...
            break;
    }
} else {
    echo "This isn't a valid image file";
}

Manually reading and interpreting "magic bytes"
If for some reason you cannot install the Fileinfo extension, you can still determine the file type manually by reading the first few bytes of the file and comparing them with the known magic bytes associated with a particular file type. This process certainly involves some trial and error, as a few non-standard magic bytes may be associated with a legitimate file format.
But it's not impossible. A few years ago, I was asked to write a script that only allowed real MP3 files to be uploaded, and we couldn't use Fileinfo, so we could only rely on this manual detection.
It took me a while to parse some of the illegal magic bytes of some MP3 files, but soon I got a stable upload script.
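The manual approach described above, as an added example that is not code from the original article: it compares a file's first bytes against a small constructed signature table, allowing several signatures per type, multi-part signatures at different offsets, and an MPEG frame-sync check for MP3 files without an ID3 tag. The function name, the table and the sample bytes are assumptions made for illustration.

```php
<?php
// Added example: the signature table is a small constructed subset, not a complete list.
// MIME type => alternatives; each alternative is a list of [offset, bytes] parts.
const SIGNATURES = [
    'image/jpeg'      => [[[0, "\xFF\xD8\xFF"]]],
    'image/png'       => [[[0, "\x89PNG\r\n\x1A\n"]]],
    'image/gif'       => [[[0, "GIF87a"]], [[0, "GIF89a"]]],
    'image/webp'      => [[[0, "RIFF"], [8, "WEBP"]]],  // two parts at different offsets
    'application/pdf' => [[[0, "%PDF-"]]],
    'audio/mpeg'      => [[[0, "ID3"]]],                // ID3v2 tag; bare frames handled below
];

function detectMimeByMagic(string $path): ?string
{
    // Read only the header; never load a whole untrusted upload into memory.
    $head = @file_get_contents($path, false, null, 0, 16);
    if ($head === false || $head === '') {
        return null;
    }
    foreach (SIGNATURES as $mime => $alternatives) {
        foreach ($alternatives as $parts) {
            $ok = true;
            foreach ($parts as [$offset, $bytes]) {
                // A short file yields a shorter or empty substring, so the comparison fails.
                if (substr($head, $offset, strlen($bytes)) !== $bytes) { $ok = false; break; }
            }
            if ($ok) return $mime;
        }
    }
    // An MP3 without an ID3 tag starts with an MPEG frame sync: 11 set bits.
    if (strlen($head) >= 2 && $head[0] === "\xFF" && (ord($head[1]) & 0xE0) === 0xE0) {
        return 'audio/mpeg';
    }
    return null;
}

// Constructed sample inputs: header bytes only, written to temp files.
$samples = [
    'photo.jpg' => "\xFF\xD8\xFF\xE0\x00\x10JFIF",
    'fake.jpg'  => "<?php echo 'not an image';",
    'song.mp3'  => "\xFF\xFB\x90\x00",
    'tiny.png'  => "\x89PN",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'magic');
    file_put_contents($tmp, $bytes);
    printf("%-10s => %s\n", $name, detectMimeByMagic($tmp) ?? 'rejected');
    unlink($tmp);
}
```

A signature match only describes the header: a file that passes can still carry other content after it, so the result decides acceptance of the upload, not whether the file is safe to execute or include.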
Before the end of this article, I want to give you a warning: make sure you never call include() on an uploaded file, because PHP code can be cleverly hidden in a picture, and that picture can still pass your file type checks. When such a script is run, it can only cause damage to the system.
From: http://designshack.co.uk/articles/php-articles/smart-file-type-detection-using-php/
