Been a while since I was here but it is the place to come when nobody else has the answer.

I have not done alot of file upload scritping in the past but some. In most cases the people that were using the script were the ones that were geting the benefit from the website and wouldn't be uploading malicious content. But this time even though there is some minimal level of access need to upload those that have this permission are people of unknown character quality. Thereby dictating a bit of checking should one of them decide to become deviant.

I have searched these forums for; file type, file type upload, file type security, mime type, mime type security, file upload security, and several other variation of such nature.

And of course you try to figure out which threads may address your issue and read them and I have read through mutiple pages of returned search results.

And in almost every case in these forums when questions arose around getting the file type the the thread died with no clear cut solution.

So here I go.

$_FILES['file]['type']
Is unreliable, everyone knows that.

finfo_open(FILEINFO_MIME, "/usr/share/misc/magic")
As best I can tell everyone knows that "/usr/share/misc/magic" is not where the mime datbase file is found and even though I could get an up to date mime file and place on my server I got an error telling me that finfo_open() wasn't a valid function. Which caused research to locate the PECL pear package and even php.net can't point you directly to it.

getimagesize()
This seems to be the direction most almost suggest but

$imagesize = getimagesize($_FILES['file']['tmp_name']);
echo $imagesize['mime'];

is returning multiple blank spaces on any image I tried to upload.

So with my avenues throughly exausted I am looking for some ideas and suggestions.

I assume getimagesize() is the way to go but if even one upload fails to give a mime output it makes the function useless.

While the site doesn't need some impressive over the top security it does have fair amout of data being stored and I would not want to have to fix a mess over a simple thing as having not checked the file type before allowing the upload.

    getimagesize would only work if the file is a recognised image file. But when you say "Which caused research to locate the PECL pear package and even php.net can't point you directly to it." do you mean the link in the installation directory on the [man]fileinfo[/man] page doesn't work, or does it mean that you found it but couldn't get the extension installed?

      The images I was testing were either jpeg's or gif's.

      As to the PECL package link. I did keep looking and later and found the correct package (little bit of google can go a long way). The links from php.net are bit confusing as to what will take you were. Originally I kept ending up having to search for the package and my search result didn't point me to the correct thing, clearly.

      Now while I could install that package I think it would be uneccessary as getimagesize() should do what I need without installing a pear package. So if I can get it figured out it would be ideal the other is a last resort.

        Write a Reply...