[RESOLVED] Uploading files - file type problem

foxtrot23

Not sure if this is really a problem related to PHP or not, but here goes anyway. I'm in the process of writing a script (PHP5) that uploads text files to the server. All was working fine, and then suddenly behaviour changed when using Firefox to do the uploads. The file type ($_FILES['userfile']['type']) for the text files is being set by Firefox as 'application/x-download' instead of 'text/plain'. IE6 is fine when running exactly the same pages/scripts - it sends them as 'text/plain'. Any idea what might be causing this?

my_name

Do you have this in your FORM tag?

enctype="multipart/form-data"

Also, I looked in one my old scripts, and here's how I received uploaded files:

copy($_FILES['userfile']['tmp_name'], "folder/where/it/goes/" . basename($_FILES['userfile']['name']));

I don't use "type" at all.

bradgrafelman

Here's an example of using client data when it is not reliable and can be manipulated. The basic rule of thumb I use when making scripts is this: if this variable can be manipulated by the client, don't trust it. Either validate it or use a different method. For example, here's a quote from the manual in regards to the ['type'] index:

This mime type is however not checked on the PHP side and therefore don't take its value for granted.

The first question I'd like to ask is this: why are you concerned with the file type at all?

If it is absolutely necessary, and I would love to know why it is, then you may be able to more accurately find the file type by using a function like [man]mime_content_type/man.

EDIT: Apparently the [man]Mimetype[/man] extension is deprecated in favor of the [man]Fileinfo[/man] extension. Either way, you'd need to do a phpinfo() to check what modules your webhost has installed.

my_name

Yeah, as far as a security measure is concerned, I don't think looking at the file type is even worth it. At best, you might want to check at on the client side, just to save the user (or yourself, if you're the only one using it) some time.

foxtrot23

Form tag is set to enctype="multipart/form-data".

Thanks for the advice on not trusting file type when sent from the client browser. I guess I was also just throwing it in (along with a number of other checks) to ensure my users were not inadvertantly sending files in the incorrect format.

I don't know what I've done, but one day Firefox seemed to be correctly identifiying files as 'plain/text', and then the next it was identifiying them as 'application/x-download'. Anyway, in light of the responses, I guess I'm better off using mime_content_type() which seems to be doing the job ok (although running Apache/PHP5 on Windows, mime_content_type() seems to have a few problems - had to set mime_magic.debug = On in php.ini to get it to work properly. Works fine on Linux).

Thanks for the help.