I have an HTML form for entering a file, and the PHP validates whether the file entered is an xls file through the extension .xls!
Now if a user renames an image or script file, say abc.jpeg to abc.xsl, the file won't be validated by the PHP code! How can I validate that it's truly an xls file irrespective of the extension?
PHP code for validation:
if(in_array($file_ext,$expensions)=== false)
{
echo "extension not allowed, please choose a .xls file.";
exit();
}
Instead of using the file extension, I would suggest you use mime_content_type, which returns the MIME content type for a file. See http://php.net/manual/en/function.mime-content-type.php for more info.
You can prepare an array of all the allowed MIME types/file types, then check the MIME content type of your uploaded file using the function mime_content_type.
echo mime_content_type('test.php'); // returns text/plain
This will help your code validate the file extension/file type across platforms (compatibility with other operating systems).
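A content-based check for the .xls case in this thread, as an added example that is not part of the original answers: legacy .xls files are OLE2 compound files and start with a fixed 8-byte signature. The function names, the field name "file" and the MIME list are assumptions of the example.

```php
<?php
// Added example. Assumption: the upload field is named "file".
const OLE2_MAGIC = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"; // compound file signature

// MIME strings libmagic may report for a legacy .xls; the exact value
// depends on the libmagic version, so treat this list as an assumption.
const XLS_MIME = ['application/vnd.ms-excel', 'application/vnd.ms-office',
                  'application/CDFV2', 'application/x-ole-storage'];

function hasOle2Header(string $path): bool
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 8);
    fclose($fh);
    return $head === OLE2_MAGIC;
}

function looksLikeXls(string $path): bool
{
    // Both checks read the file content; the client-supplied name is ignored.
    if (!hasOle2Header($path)) {
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($mime, XLS_MIME, true);
}

// Constructed samples: a JPEG header saved under an .xls name, and a bare OLE2 header.
$jpegAsXls = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($jpegAsXls, "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" . str_repeat("\x00", 64));
$ole2 = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($ole2, OLE2_MAGIC . str_repeat("\x00", 504));

var_dump(hasOle2Header($jpegAsXls), looksLikeXls($jpegAsXls), hasOle2Header($ole2));

// In an upload handler, test the temporary file, never the client's file name:
// if (!looksLikeXls($_FILES['file']['tmp_name'])) { http_response_code(415); exit; }
unlink($jpegAsXls);
unlink($ole2);
```

The OLE2 signature is shared by .doc, .ppt and .msi files, so a match proves the container type only; opening the workbook with a spreadsheet parser is the stronger check.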
I am trying to implement functionality that detects a PDF file and whether its content is valid or invalid. Using the following script I can easily detect whether a file is a PDF or not:
$info = pathinfo("test.pdf");
if ($info["extension"] == "pdf"){
echo "PDF file";
}
Now I want to check that, if a file has the pdf extension, the content of the PDF file is valid.
Please tell me how I can check that the PDF file contents are valid and not corrupted or in an invalid format.
The content of a PDF file starts with %PDF-version number, so first get the contents of the PDF file using the following script:
$filecontent = file_get_contents("test.pdf");
After that, check the $filecontent variable using the following regular expression in order to detect whether its format is valid or invalid:
if (preg_match("/^%PDF-1\.5/", $filecontent)) { // dot escaped so it only matches a literal "."
echo "Valid pdf";
} else {
echo "Invalid pdf";
}
Note: the PDF version could be different, such as 1.0, 1.5, 1.7 etc. In my case it was 1.5. Also make sure you have placed the above code inside the scripts/conditions (if the file has a .pdf extension).
PHP can create PDF files using the built-in libraries Haru and PDF, but cannot directly read, parse or validate PDF files. You will need an external library or tool for this. You can look into pdftk but it seems to be a Windows-only solution which is probably not what you're looking for.
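The header check from this thread, extended in an added example (not code from the original answers) to accept any version and to look for the end-of-file trailer, which a truncated or corrupted upload usually lacks. The function name pdfStructureCheck is an assumption of the example, and the check covers structure only, not what the document contains.

```php
<?php
// Added example: structural PDF check that reads only the head and the tail.
function pdfStructureCheck(string $path): array
{
    $size = @filesize($path);
    if ($size === false || $size < 8) {
        return ['ok' => false, 'reason' => 'unreadable or too small'];
    }
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return ['ok' => false, 'reason' => 'unreadable or too small'];
    }
    $head = fread($fh, 1024);
    fseek($fh, -min(1024, $size), SEEK_END);
    $tail = fread($fh, 1024);
    fclose($fh);

    // Any version is accepted; the dot is escaped so it matches literally.
    if (!preg_match('/^%PDF-(\d\.\d)/', $head, $m)) {
        return ['ok' => false, 'reason' => 'no %PDF-x.y header at offset 0'];
    }
    // A complete file ends with "startxref <offset> %%EOF". This is strict:
    // a file with junk after %%EOF is rejected as well.
    if (!preg_match('/startxref\s+\d+\s+%%EOF\s*$/', $tail)) {
        return ['ok' => false, 'reason' => 'missing startxref/%%EOF trailer'];
    }
    return ['ok' => true, 'version' => $m[1]];
}

// Constructed samples (not real documents): a skeleton, a truncated copy, and HTML.
$skeleton = "%PDF-1.5\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\nstartxref\n9\n%%EOF\n";
$samples = [
    'complete'  => $skeleton,
    'truncated' => substr($skeleton, 0, 30),
    'renamed'   => "<html><body>not a pdf</body></html>",
];
foreach ($samples as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'pdf');
    file_put_contents($tmp, $bytes);
    echo $label, ': ', json_encode(pdfStructureCheck($tmp)), "\n";
    unlink($tmp);
}
```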
If I put a jpg header (1st line of a jpg file) in an HTML file and save it with a jpg extension, then I can bypass the MIME type checking.
e.g.:
ÿØÿà JFIF d d ÿì Ducky < ÿî Adobe dÀ ÿÛ „
hyuhjjh
<script>
alert(hello);
</script>
If I save the above code as a JPG file then it can bypass the MIME type checking.
echo mime_content_type('x.html.jpg'); //shows 'image/jpeg'
I want the script to check that the uploaded file content is purely of that content type (jpg/png or pdf or 3gp/mov). For image, document and video types.
Or that it doesn't contain any script.
Actually I need it for Drupal, so I have to use custom PHP code.
In Drupal 7.50 I have used "File Upload Secure Validator" to validate the uploaded file's MIME type, but it is useless for the above type of situation.
You need to use some library to actually load the file. For images I used GD to open the target image and check if it returns some reasonable height and width.
Same can be done with the other types. I guess that for video files this can be very resource-demanding, but it's the only way to be sure.
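The "load it with GD" approach from the answer above, taken one step further in an added example (not code from the original posts): the upload is decoded and only a freshly encoded copy is stored, so bytes that are not pixel data are dropped. It requires the GD extension, and the function name reencodeJpeg is an assumption of the example.

```php
<?php
// Added example: accept a JPEG only if GD can decode it, and keep the
// re-encoded pixels instead of the uploaded bytes.
function reencodeJpeg(string $src, string $dst): bool
{
    $info = @getimagesize($src);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return false;                       // no parseable JPEG structure
    }
    if ($info[0] < 1 || $info[1] < 1 || $info[0] * $info[1] > 40000000) {
        return false;                       // unreasonable dimensions (limit is an assumption)
    }
    $img = @imagecreatefromjpeg($src);
    if ($img === false) {
        return false;                       // header looked right but the data does not decode
    }
    return imagejpeg($img, $dst, 90);       // writes pixel data only
}

$dir = sys_get_temp_dir();

// Constructed sample 1: JPEG magic bytes followed by markup, as in the question.
$fake = "$dir/x.html.jpg";
file_put_contents($fake, "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00<script>alert(hello);</script>");

// Constructed sample 2: a real 8x8 JPEG with the same markup appended after it.
$real = "$dir/real-with-trailer.jpg";
imagejpeg(imagecreatetruecolor(8, 8), $real);
file_put_contents($real, "<script>alert(hello);</script>", FILE_APPEND);

$finfo = new finfo(FILEINFO_MIME_TYPE);
foreach ([$fake, $real] as $upload) {
    $clean = "$dir/clean-" . bin2hex(random_bytes(8)) . '.jpg';
    $accepted = reencodeJpeg($upload, $clean);
    echo basename($upload), ' finfo=', $finfo->file($upload),
         ' accepted=', var_export($accepted, true);
    if ($accepted) {
        $markupLeft = strpos(file_get_contents($clean), '<script>') !== false;
        echo ' markup_in_output=', var_export($markupLeft, true);
        unlink($clean);
    }
    echo "\n";
    unlink($upload);
}
```

Store the re-encoded file under a server-generated name and serve it with an image Content-Type, so the original bytes and the client's file name never reach a browser.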
I am using move_file_upload on my server side in PHP so that the client can allow users to upload their kml files to the server. I know that in order to check an image in PHP I can use $check = getimagesize(file), but what would be the equivalent for a kml file check?
I do not want to just check the extension of the file. I wish to know whether the file is in fact a valid kml file or not. If I only check the extension, someone can just post some other malicious file and change its extension to .kml
If you want to see if the file has the extension KML, you can use:
$filename = $_FILES["file"]["name"]; //or however you are getting the filename
$ext = end((explode(".",$filename)));
if($ext!="kml"){
//Extension is incorrect
}
Checking mime content can be helpful.
I am not quite sure what the correct MIME name of kml files is, but at least from checking on Google it should be something like:
mime_content_type ($file) === 'application/vnd.google-earth.kml+xml'
However, it's possible that there are MIME types set to 'application/xml' or 'text/xml', so extension validation is required as well.
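A KML equivalent of the getimagesize() check asked about in this thread, as an added example that is not part of the original answers: since KML is XML, the file is parsed and its root element and namespace are checked. The function name isKml, the size limit and the choice to accept only the OGC KML 2.2 namespace are assumptions of the example.

```php
<?php
// Added example: content check for KML uploads.
const KML_NS = 'http://www.opengis.net/kml/2.2'; // OGC KML 2.2 namespace

function isKml(string $path, int $maxBytes = 5000000): bool
{
    $xml = @file_get_contents($path, false, null, 0, $maxBytes + 1);
    if ($xml === false || $xml === '' || strlen($xml) > $maxBytes) {
        return false;                          // unreadable, empty or too large
    }
    $prev = libxml_use_internal_errors(true);  // collect parse errors silently
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, LIBXML_NONET);   // never fetch anything over the network
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return false;                          // not well-formed XML
    }
    if ($doc->doctype !== null) {
        return false;                          // KML needs no DTD; refuse entity declarations
    }
    $root = $doc->documentElement;
    return $root !== null
        && $root->localName === 'kml'
        && $root->namespaceURI === KML_NS;
}

// Constructed samples: a minimal placemark, markup renamed to .kml, and other XML.
$samples = [
    'valid.kml'   => '<?xml version="1.0" encoding="UTF-8"?>'
                   . '<kml xmlns="' . KML_NS . '"><Placemark><name>A</name>'
                   . '<Point><coordinates>4.35,50.85,0</coordinates></Point>'
                   . '</Placemark></kml>',
    'renamed.kml' => '<html><body><script>alert(hello);</script>',
    'other.kml'   => '<?xml version="1.0"?><rss version="2.0"><channel/></rss>',
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'kml');
    file_put_contents($tmp, $bytes);
    echo $name, ': ', var_export(isKml($tmp), true), "\n";
    unlink($tmp);
}
```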
I am currently building a PHP application that lets users upload files. I am currently at the upload page, but my verification system does not work. I am using this system to validate files as audio files.
// Set our file name and extension
$fname = $_FILES['file']['name'];
$extension = strtolower(substr($fname, strpos($fname, '.') + 1));
// Check file
if ($extension == 'mp3' && $_FILES['file']['type'] == 'audio/mpeg') {
//File is valid mp3
} else {
//File is invalid
}
Now this doesn't work, but the weird thing is when I echo out $_FILES['file']['type'] it does not echo out a mime type for audio files. When I do this for any other file type, it echoes it out successfully.
It doesn't give a MIME type only for audio files. I have tried it with WAV and M4A files, and it doesn't return one with any of these either. Is it something with the file type, or do I have to edit the .htaccess file or the MIME.types file in my xampp server? Also, could there be a better way to validate uploaded files?
Also note that it does this on my xampp server, and the free server that I am using for test purposes.
Thanks for the help.
$_FILES['file']['type'] comes from the browser that uploads the file so you can't rely on this value at all.
Check out finfo_file for identifying file types based on file content. The extension of the file is also unreliable as the user could upload malicious code with an mp3 extension.
I am trying to do a restricted file upload using PHP.
I have used
if (($_FILES["file"]["type"] == "application/dbase")
||($_FILES["file"]["type"] == "application/dbf")
||($_FILES["file"]["type"] == "application/x-dbase")
||($_FILES["file"]["type"] == "application/x-dbf")
||($_FILES["file"]["type"] == "zz-application/zz-winassoc-dbf"))
For me, .dbf (i.e. Microsoft Visual FoxPro Table type) files are not working. Please suggest what I should put for the content type for .dbf.
The browser uploading the file probably doesn't know it's an application/dbf mime-type, and sends it as the generic "application/octet-stream". The client/browser has to set the mime-type to be known on upload, and this can be altered by the user!
Thus MIME-type isn't reliable. If you want to be sure that it's the correct file-type/format, you'll have to examine the uploaded file.
There is another easy way to handle this problem: instead of inspecting the MIME type,
we can get the file extension of the uploaded file like this.
$filename=$_FILES["file"]["name"]; // original client file name; tmp_name does not carry the upload's extension
$ext = pathinfo($filename, PATHINFO_EXTENSION);
$ext = strtolower($ext);
if($ext=="png"||$ext=="gif"||$ext=="jpg"||$ext=="jpeg"||$ext=="pdf"
||$ext=="doc"||$ext=="docx"||$ext=="xls"
||$ext=="xlsx"||$ext=="xlsm"||$ext=="dbf")
{
// your code whatever you want to write;
}
Defining the content type is up to the browser (or other client application), making it easy to tamper with and cannot be relied upon. My guess is that your browser doesn't recognize the .dbf file and defaults to "application/octet-stream".
You can't depend on the type field of a file upload to actually determine its type. First, it can be spoofed by the client. Secondly, the client simply might not know what the file type actually is and just report 'application/octet-stream' instead.
You'll have to determine what kind of file was uploaded yourself. Fortunately, PHP provides the fileinfo extension, which can help you with determining the type of a file.
Code example based on one from php.net:
<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
echo finfo_file($finfo, $_FILES["file"]["tmp_name"]) . "\n";
finfo_close($finfo);
?>
http://www.php.net/manual/en/ref.fileinfo.php
Try inspecting the MIME type being passed to you when you upload a file of that type. Insert a temporary print $_FILES["file"]["type"]; somewhere in your code, then upload the file to run the code and see what it prints out! You can then copy that type and use it in your if-statement.
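One way to "examine the uploaded file" for the .dbf case in this thread, as an added example that is not code from the original answers: the fixed 32-byte DBF header is parsed and its lengths are checked against the file size. The function name checkDbf and the list of accepted version bytes are assumptions of the example.

```php
<?php
// Added example: structural check of a DBF header.
// Version bytes this hypothetical application accepts (a subset).
const DBF_VERSIONS = [
    0x03 => 'dBASE III',          0x83 => 'dBASE III with memo',
    0x30 => 'Visual FoxPro',      0x31 => 'Visual FoxPro (autoincrement)',
    0xF5 => 'FoxPro 2.x with memo',
];

function checkDbf(string $path): ?string
{
    $size = @filesize($path);
    $hdr = @file_get_contents($path, false, null, 0, 32);
    if ($size === false || $hdr === false || strlen($hdr) < 32) {
        return null;
    }
    // Byte 0 version, 1-3 last update (YY MM DD), 4-7 record count,
    // 8-9 header length, 10-11 record length (little-endian).
    $f = unpack('Cversion/Cyy/Cmm/Cdd/Vrecords/vheaderLen/vrecordLen', $hdr);
    if (!isset(DBF_VERSIONS[$f['version']])) {
        return null;
    }
    if ($f['mm'] < 1 || $f['mm'] > 12 || $f['dd'] < 1 || $f['dd'] > 31) {
        return null;
    }
    if ($f['headerLen'] < 33 || $f['recordLen'] < 1) {
        return null;
    }
    // Header plus records must account for the whole file; writers may or
    // may not append the 0x1A end-of-file byte. Strict by design.
    $expected = $f['headerLen'] + $f['records'] * $f['recordLen'];
    if ($size !== $expected && $size !== $expected + 1) {
        return null;
    }
    return DBF_VERSIONS[$f['version']];
}

// Constructed sample: one 10-character field NAME, two records, Visual FoxPro layout.
$field  = str_pad('NAME', 11, "\0") . 'C' . str_repeat("\0", 4) . chr(10) . str_repeat("\0", 15);
$header = pack('CCCCVvv', 0x30, 24, 1, 15, 2, 328, 11) . str_repeat("\0", 20)
        . $field . "\x0D" . str_repeat("\0", 263); // 263 bytes: Visual FoxPro backlink area
$good = $header . ' ' . str_pad('alice', 10) . ' ' . str_pad('bob', 10) . "\x1A";

foreach (['table.dbf' => $good, 'short.dbf' => substr($good, 0, 340), 'fake.dbf' => str_repeat('A', 351)] as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'dbf');
    file_put_contents($tmp, $bytes);
    echo $name, ': ', var_export(checkDbf($tmp), true), "\n";
    unlink($tmp);
}
```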