Image Uploading

Orc · 02-04-2008, 04:49 PM

When making an upload script, does the name key ( e.g.

PHP Code:


			
$_FILES['image']['name']

) contain the file type aswell? (e.g. .JPG) or do I have to just get that from

PHP Code:


			
$_FILES['image']['type']

Just wondering. :]

Village Idiot · 02-04-2008, 05:00 PM

Edit: I feel like an idiot. Yes it does contain the extention. But the type var does not contain data like .jpg

PHP: Handling file uploads - Manual
A complete reference on that.

For your question, type returns the MIME type. But do NOT rely on this because it is not checked for authenticity and can be forged. What I do is this

PHP Code:


			
$filetype2 = explode('.',$file_name);
$filetype = $filetype2[sizeof($filetype2)-1];
$filetype = strtolower($filetype);


if($filetype == 'jpeg' ||
$filetype == 'jpg')
{
//continue
}

That gets the value after the last period (so filename.jpg.php cant trick it like it can some). As long as the last extension is acceptable, the server will run it as that no matter what content.

Note: We subtract one from sizeof because it starts at one, not zero like arrays do.

Salathe · 02-04-2008, 06:43 PM

You state that people shouldn't rely on the MIME type passed along with the uploaded file, because it is not checked for authenticity and can be forged, but have no qualms with 'trusting' the file extension?

Also, using an alternative method, the extension can be grabbed with: $ext = pathinfo($filename, PATHINFO_EXTENSION);

Finally, to answer the original question posed by Orc, $_FILES[...]['name'] will contain the name of the file as sent by the browser (eg. myimage.jpg), extension and all.

Village Idiot · 02-05-2008, 12:49 AM

If the files name extension is correct it cannot pose a threat, the server runs files based off what those letters are. It doesn't matter what code you put in a jpg, it cant execute a script unless there is some serious error with the server OS.

Orc · 02-06-2008, 06:52 PM

Thanks guys. I was just trying to only strict .GIF .PNG .JPG image types, to others by throwing an exception if they don't match with gif nor png nor jpg.

EyeDentify · 02-07-2008, 12:22 PM

Im in the process of developing a fileserver platform for personal use and for the fun of it, powered by PHP5 and MySQL.

And so far i´ve built in Mime checks, and Size checks. and will use Salathe´s method to check the file extensions also.

For double security.

Would one check for something else ?

I was thinking about using some image functions to make sure "image.jpg" are in fact a image file.

/EyeDentify

Village Idiot · 02-07-2008, 03:08 PM

Either one should work, I dont see why you need to be redundant. If you want to make tripple sure it is a valid image, run it though a GD process, it will return an error if the image isnt valid. Although for speed reasons that would be a ridiculous measure.