Detecting the type of an uploaded Excel file in PHP
Objective
This post introduces a more robust method of detecting the type of an uploaded file. It prevents the mistakes that simpler checks make, such as being fooled by a changed file suffix. Readers with the patience can use it as a reference; I will encapsulate it in a class so that it can be called.
MIME type
When output is sent to the browser, the browser must launch the appropriate application to process the document. It decides which one through the MIME (Multipurpose Internet Mail Extensions) type. In HTTP, the MIME type is defined in the Content-Type header.
For example, if the client uploads an Excel file to the server, the MIME type is "application/vnd.ms-excel". In PHP, you can get the type of an uploaded file from the "type" entry of $_FILES.
The earliest HTTP protocol carried no additional data type information, and the client interpreted all transmitted data as an HTML document. To support multimedia data types, HTTP uses MIME type information attached to the document to identify the data type.
Each MIME type consists of two parts: the first is the broad category of the data and the second is the specific type. (See a MIME type table for the full list.)
File detection drawbacks
- File name extension detection is vulnerable (PS: the file extension can be forged arbitrarily).
- The file's MIME type cannot be taken from $_FILES['userfile']['type'] (PS: according to the official PHP documentation, this value can be completely falsified! An attacker simply modifies the POST request header sent by the browser to bypass a check on it, and can then upload any type of file.)
Detection method (for Excel)
- Use the file name extension to determine whether the Excel file is the 2003 or the 2007 format
- Depending on the format, read the leading binary data of the file and compare it with the file signature. I took screenshots of the binary data of Excel 2003 and 2007 files for reference; the tool is MadEdit.
- Excel 2003
- Excel 2007 (for 2007, refer to ZIP detection)
Detection code
```php
/**
 * Detect upload file type (method of the upload-handling class)
 *
 * @param array $file one entry of $_FILES
 * @return int $flag 1 when the signature matches the extension, otherwise 0
 */
private function detectUploadFileMIME($file)
{
    // 1. Use the file extension to decide between Excel 2003 and 2007
    $flag = 0;
    $file_array = explode(".", $file["name"]);
    $file_extension = strtolower(array_pop($file_array));

    // 2. Detect the file through its binary content
    switch ($file_extension) {
        case "xls":
            // Excel 2003
            $fh = fopen($file["tmp_name"], "rb");
            $bin = fread($fh, 8);
            fclose($fh);
            // An empty array keeps the loop safe when fewer than 8 bytes were read
            $strinfo = @unpack("C8chars", $bin) ?: array();
            $typecode = "";
            foreach ($strinfo as $num) {
                // Zero-pad every byte so the hex string is unambiguous
                $typecode .= sprintf("%02x", $num);
            }
            if ($typecode == "d0cf11e0a1b11ae1") {
                $flag = 1;
            }
            break;
        case "xlsx":
            // Excel 2007
            $fh = fopen($file["tmp_name"], "rb");
            $bin = fread($fh, 4);
            fclose($fh);
            $strinfo = @unpack("C4chars", $bin) ?: array();
            $typecode = "";
            foreach ($strinfo as $num) {
                $typecode .= sprintf("%02x", $num);
            }
            // Bytes 50 4B 03 04 ("PK\x03\x04"), the ZIP local file header
            if ($typecode == "504b0304") {
                $flag = 1;
            }
            break;
    }

    // 3. Return the flag
    return $flag;
}
```
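The 4-byte ZIP signature checked for the 2007 format only proves that the upload is a ZIP archive, so any ZIP renamed to .xlsx passes it. The following added example (not the article's code) also checks that the archive carries the parts of an Office Open XML workbook. The names `looksLikeXlsx` and `makeZip`, the entry names checked and the constructed sample files are assumptions of this example, and it requires PHP's zip extension.

```php
<?php
// Added example, not the article's code. Requires the zip extension (ZipArchive).
/** True only if $path is a ZIP archive containing the OOXML workbook parts. */
function looksLikeXlsx(string $path): bool
{
    // Step 1: the article's signature check, zero-padded through bin2hex().
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 4);
    fclose($fh);
    if ($head === false || bin2hex($head) !== '504b0304') {
        return false;
    }
    // Step 2: the signature only proves "ZIP"; the entry names below assume the conventional .xlsx layout.
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return false;
    }
    $ok = $zip->locateName('[Content_Types].xml') !== false
        && $zip->locateName('xl/workbook.xml') !== false;
    $zip->close();
    return $ok;
}

/** Build a constructed sample archive from name => body pairs; returns its path. */
function makeZip(array $entries): string
{
    $path = tempnam(sys_get_temp_dir(), 'xl');
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    foreach ($entries as $name => $body) {
        $zip->addFromString($name, $body);
    }
    $zip->close();
    return $path;
}
// Constructed samples: a minimal workbook-shaped archive, an ordinary ZIP, plain text.
$samples = [
    'workbook-shaped zip' => makeZip(['[Content_Types].xml' => '<Types/>', 'xl/workbook.xml' => '<workbook/>']),
    'ordinary zip'        => makeZip(['readme.txt' => 'not a spreadsheet']),
    'plain text'          => tempnam(sys_get_temp_dir(), 'xl'),
];
file_put_contents($samples['plain text'], 'text renamed to .xlsx');
foreach ($samples as $label => $path) {
    printf("%-20s %s\n", $label, looksLikeXlsx($path) ? 'accept' : 'reject');
    unlink($path);
}
```

The same reasoning applies to the 2003 signature: `d0cf11e0a1b11ae1` identifies the OLE2 compound file container, which other legacy Office formats share, so a match there shows the container type rather than that the file is a workbook.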
Reference links
File type comparison table