A website I am building allows file uploads by authorised users. For any specific category of uploads, a set of file types is allowed, e.g. .pdf and .docx, so that my client can choose what they want to accept.
When uploading, I check the uploaded file's MIME type (using finfo_open(FILEINFO_MIME_TYPE)) against a database table of MIME types for that extension.
In testing, I am uploading a docx file from my PC - it has a docx extension and Windows reports the file type as application/vnd.openxmlformats-officedocument.wordprocessingml.document which is what I expect. However, finfo_open is giving me a MIME type of application/msword.
Does finfo_open's information come from within the file or from something in the browser or the upload process (in which case I guess I'll need to specify additional MIME types allowed) or is it something within the web server (in which case, can it be modified with php.ini)?
I believe in PHP it's safer to use the $_FILES to check out the file MIME type.
Still, I don't think it bothers for this. Are you sure you gave a docx and not just a doc document? Usually application/msword is the MIME type for the doc file extension... Make sure that you save your file using the right version of Microsoft Word and in the right format and then try again. Also, I'd try to use a print_r on $_FILES to see what it tells you about the file. Does it tell you that the file has a different MIME type?
We have PHP 7.4 code where we upload video files.
All MP4 are seen as MIME=video/mp4.
However, on rare occasions an MP4 file is detected by PHP as video/quicktime, which we do not allow.
The HTTP POST says it is video/mp4.
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $file['file']['tmp_name']);
finfo_close($finfo);
Why would the MIME type change if the extension is the same? Is PHP looking inside the file for the video format?
The function you are using is examining the contents of the file rather than the file name to determine what the appropriate MIME type is.
From the Fileinfo extension documentation where the finfo_* family of functions comes from:
The functions in this module try to guess the content type and encoding of a file by looking for certain magic byte sequences at specific positions within the file. While this is not a bullet proof approach the heuristics used do a very good job.
The rare instances you are encountering are likely the result of someone saving or renaming a QuickTime file with the wrong extension.
I have a simple file upload that only allows zip files. On my machine (Windows 7, Firefox 19.0.2) it works fine. On another machine (Windows 8, Firefox 19.0.2) the file type check fails when I upload the same file.
On the Windows 8 machine the mime type of the .zip is application/octet. Why? Also, I haven't come across this mime type before. I was expecting application/octet-stream.
What is application/octet used for and why is it different on the other machine?
Never heard of application/octet. Guessing it is just equivalent to application/octet-stream. It is just the catch all anyway.
Maybe take a look at this: http://msdn.microsoft.com/en-us/library/ms775147%28v=vs.85%29.aspx
The MIME types "text/plain" and "application/octet-stream" are termed
ambiguous because they generally do not provide clear indications of
which application or CLSID should be associated as the content
handler...
...and defaulting to the final determined MIME type of
"application/octet-stream." Other types of files, such as .reg files,
behave similarly.
Finally, if no file name extension is found, or one is found with no
associated MIME type or registered application, the MIME type
"text/plain" is returned if the data scan indicated predominantly
text, or "application/octet-stream" if the data scan indicated binary,
because this is the furthest correct determination that could be made.
I would like to upload .docx, but $_FILES['field']['type'] is application/vnd.openxmlformats-officedocument.wordprocessingml.document, while mime_content_type() returns application/zip.
Why are these types different?
Which is good?
The DOCX format consists of a number of different files all wrapped up in a zip file. The software you are using is examining the file, seeing it is a zip file and reporting it with the standard MIME type for zip.
"Good" is somewhat subjective, but application/vnd.openxmlformats-officedocument.wordprocessingml.document is probably better as it is more specific.
I'm trying to allow safe upload of web fonts in our application, by checking against mime types. This works for most types of files we allow, but it's a problem for web fonts.
We check the mime-type by using PHP's http://php.net/manual/en/book.fileinfo.php
The problem is that php will detect all web fonts as mime "application/octet-stream", but allowing that, would allow .exe or many other possibly dangerous file uploads.
What is the best way to handle upload of this kind of files?
Find a magic file that contains info about the font formats, and pass that to finfo_open().
I don't rely on the MIME checkers built into PHP. I always have problems with them. If you're running Linux, use PHP's exec command to execute the mimetype command in bash and return it to PHP.
You should use phpinfo to check the extension; the MIME type can be fake, and you can get a .php file with the MIME type of a PDF.
EDIT
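$file = "abc.ttf";
// Compare the lower-cased extension against the allow-list.
if(in_array(strtolower(pathinfo($file, PATHINFO_EXTENSION)), array("ttf")))
{
// OK: extension is on the allow-list
}
You can add more extensions to the array.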
If TTF files are the only ones allowed to be uploaded, use this:
http://www.phpkode.com/scripts/item/ttf-info-plus/
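When the sniffer only says application/octet-stream, the font container's own leading signature can be compared with the claimed extension. This is an added example, not code from any of the answers above; vetFontUpload() is a hypothetical helper and the sample uploads are constructed.

```php
<?php
// Added example: leading 4-byte signatures of common web font containers,
// mapped to the extensions each one may legitimately carry.
const FONT_SIGNATURES = [
    "\x00\x01\x00\x00" => ['ttf', 'otf'],  // sfnt with TrueType outlines
    'true'             => ['ttf'],         // legacy Apple TrueType tag
    'OTTO'             => ['otf'],         // sfnt with CFF outlines
    'wOFF'             => ['woff'],
    'wOF2'             => ['woff2'],
];

// Hypothetical helper: returns the vetted extension, or null to reject the upload.
function vetFontUpload(string $tmpPath, string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $fh = @fopen($tmpPath, 'rb');
    if ($fh === false) {
        return null;
    }
    $magic = fread($fh, 4);
    fclose($fh);
    if (!is_string($magic) || strlen($magic) !== 4) {
        return null;                       // shorter than any font header
    }
    $allowed = FONT_SIGNATURES[$magic] ?? [];
    return in_array($ext, $allowed, true) ? $ext : null;
}

// Constructed sample uploads: [client file name, first bytes of the content].
$samples = [
    ['body.woff2', "wOF2\x00\x01\x00\x00"],
    ['title.ttf',  "\x00\x01\x00\x00\x00\x0c"],
    ['setup.ttf',  "MZ\x90\x00\x03\x00"],      // executable header renamed to .ttf
    ['icons.woff', "wOF2\x00\x01\x00\x00"],    // extension and content disagree
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'fnt');
    file_put_contents($tmp, $bytes);
    printf("%-11s => %s\n", $name, vetFontUpload($tmp, $name) ?? 'rejected');
    unlink($tmp);
}
```

A four-byte signature only narrows what application/octet-stream can mean; the stored file name should still be generated server-side using the returned extension rather than taken from the client.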
I read that for images, it's not safe to depend on the file extension and that it's better to try to open the php with an image library like gd to verify its extension.
What about other types of files? If I have a .doc or .pdf or any other file type, how can I really tell the file type is really what it claims it is?
If you are on a *nix system the file command does a pretty good job at guessing mime type. It is not perfect, and fails on 'nested' types like .tar.gz but it is pretty good.
As I understand it Fileinfo uses the same magic numbers approach as file without needing to go to the shell...
I don't know if it works for any file type, but you can check mime type using mime_content_type or filetype.