I have a page for uploading videos, and I want the file types to be mp4 flash and webm files. all the mp4 extension files and webm files work fine but the flash files (.flv and .f4v) are not recognized and therefore php returns the value 'application/octet-stream' which I believe is the default MIME for any files which aren't recognized. is there a better method than this code that will recognize the flash files for there true MIMES (video/x-flv and video/x-f4v) respectively?
$type = $_FILES["uploaded"]["type"];
$allowedTypes = ["video/mp4","video/quicktime","video/x-flv","video/x- f4v",
"video/webm"];
$isRefusedType = !in_array($type, $allowedTypes);
if ($isRefusedType)
{
$message="not an accepted file type";
}
else $message="OK";
Perhaps you can try this code:
<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE); // mimetype
$type = finfo_file($finfo, $filename);
finfo_close($finfo);
?>
As described here, you will need PHP >= 5.3.0, is it a problem?
Another idea could be to check the data signature (see there):
<?php
$s = file_get_contents($_FILES["uploaded"]["tmp_name"]);
if ( substr($s,0,3) == 'FLV' ) { /* It's good! */ }
?>
Watching at the description of $_FILES['userfile']['type'] in the php documentation we can see:
The mime type of the file, if the browser provided this information.
An example would be "image/gif". This mime type is however not checked
on the PHP side and therefore don't take its value for granted.
So the Tiger-222 option seems to be your best chance to get the real value:
<?php
$finfo = finfo_open();
$fileinfo = finfo_file($finfo, $file, FILEINFO_MIME);
finfo_close($finfo);
?>
Related
Is it possible to find out the type of an image encoded as a base64 String in PHP?
I have no method of accessing the original image file, just the encoded string. From what I've seen, imagecreatefromstring() can create an image resource from a string representation (after it's been decoded from base64), but it automatically detects the image type and the image resource itself is a special PHP representation. In case I want to save the image as a file again, I would have no idea if the type I am saving it as corresponds to the original type from which the String representation was created.
FileInfo can do that for you:
$encoded_string = "....";
$imgdata = base64_decode($encoded_string);
$f = finfo_open();
$mime_type = finfo_buffer($f, $imgdata, FILEINFO_MIME_TYPE);
If you dont want to use these functions because of their dependencies you can use the first bytes of the data:
function getBytesFromHexString($hexdata)
{
for($count = 0; $count < strlen($hexdata); $count+=2)
$bytes[] = chr(hexdec(substr($hexdata, $count, 2)));
return implode($bytes);
}
function getImageMimeType($imagedata)
{
$imagemimetypes = array(
"jpeg" => "FFD8",
"png" => "89504E470D0A1A0A",
"gif" => "474946",
"bmp" => "424D",
"tiff" => "4949",
"tiff" => "4D4D"
);
foreach ($imagemimetypes as $mime => $hexbytes)
{
$bytes = getBytesFromHexString($hexbytes);
if (substr($imagedata, 0, strlen($bytes)) == $bytes)
return $mime;
}
return NULL;
}
$encoded_string = "....";
$imgdata = base64_decode($encoded_string);
$mimetype = getImageMimeType($imgdata);
references :- check here the list of file signatures
The solution given by #Marc B is the best one for me (if our php version is > 5.3.0 otherwise we can use the solution given by #Aaron Murgatroyd).
I would like to give a little addition to this solution.
To get the image type you can do it like this :
$split = explode( '/', $mime_type );
$type = $split[1];
In fact, (if you don't know it) the mime type for images is : image/type and type can be png or gif or jpeg or ...
Hope that can help someone and thanks to #Marc B for his solution.
For an exhaustive list of mime type you can look here :
http://www.sitepoint.com/web-foundations/mime-types-complete-list/
The way shown by #Marc B is the nicest.
Should FInfo not be available, the only other way I know is to store the data into a file, and run a getimagesize() on it.
Code below will get the image type from its mime type.
<?php
$base64 = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAKIAAAAxCAYAAABZAHL2AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAgfSURBVHhe7ZwxTBVLFIaH916wACstoDChEENhIxWYoJUmSqeJWkmiNkQS6TBBzSskUStNoNOCYCOJUKmJoVETY6WVjdJrow1UUvDyjfe/OYy7e+/ivbLknS/Z7N3ZndkzZ/45c3ZZ7RgeHt4MjrPD/FXbO86O4kJ0KoEL0akELkSnErgQnUrgQnQqQVuFODo6Go4dO1Y7cpx82ibEycnJMD09HW7cuBF6e3trpY6TTduEuLa2Fvfd3d3hzp078bfj5PH3gQMH/q39bikfPnwIg4ODMRru27cv7N27N7x796521nG20tKImOaDU1NTYX19Pf4+d+6c54tOLi2LiOSC4+PjoaenJ7x58yaW/fjxI3z8+DGcPn06Hg8NDYWVlZW6OB1HtCQisgQr2vGkPDs7G3NDeP/+fXj06FH87fmik0dLIuKXL19i/nfixInQ2dkZ80KiH9Hw+/fvni86DWlZjvj58+dw5syZuIf+/v4wNzcXBQieLzpFtPSpmZyQHJCohxCJjuSHX79+jdExzReXl5djnSpB1MZ2bHb+HNuOiOR7T58+DZcvX97ywpqod/v27XpeCLzYZtsN+SIThUi+m2G1IU9/+fJlePv2bSyjT/zWcdXYthB5KEGACBFBIjQrSAQ3MzNTX471EPPkyZOYMxJxHjx4EM+VhXZoz/kVRMgEJyXSA+NuYNtCRGB2+UIYEqTywmfPnoWrV6/WxUg5MxORXrx4sZ5PloV2eE3k/Mr58+drv0K4fv16mJiYqB1Vm20LEZHxcELUSwVJxGJDMOlDDFHz06dPdXE67eP169cxHdoNtOwfT7EkMBuPHDlSK/kJAmQ5xilXrlyJAm4UCRHwqVOn6ks91/OSXE4lz6Gd58+fx2POI2zyO+5PPcp4rcQ1qehpn+vYuObFixf1tkk12I4ePRqPBU/6HR0dsS8Wlj/1+9ChQ3GS0dfFxcV4/u7du6Grqyveh0krsJHVA1ZXV8P9+/e3tAWpbcDHJAcPHox1KKfP1KOP9NXWVz7OnpVI5WnfGvWBP1awAslOQZ2RkZHcciD9ajTe0PJ/xccgM5DqtMCpY2NjDSMhEZUBQng4BGiTJ1nq045NuHE+D0cMEGLhmGt4V6kndCKy7nvt2rXoKJxDJMfBtI3TcWaWELHn+PHjMc2wTmUA5+fnt+TGApGwLDKIsuPs2bPRNsAGbAEE+urVqygWbEmRbSBB0R/ub9GETH1PX/KESBt5983qw8mTJ+u+JBVT3205PqE9jilvhtJLM4ZjAAmxBGcdgvEMGE5XxAKiiQwt4tKlS1GEvHdkJrPRHmLSIALlOBQRAhESp+mJnYGjDhCJQVGbWYqouQd7hED9LPJECIhfA4HN3JcHMWDyMKmsD+y7U84LRIiNEgP20Rf9qZQJZq8HfM5E0j2xDRstnGMrAn/ovnl9IDoK2UEdOwHxEVCm9tROM5QWIqGbm+FUhMhs4jVBKk5EgygkSBu6i6BtKzjRSMQMhF3CgDqUyzE4Heeky2teulAkQpCwOKeJw14QRbBJObSiCiLS0oVvsBOxAW1gH/VoS4Opuhbs4nr2bKmPOMdWhNrFxrw+IES1LSEiUIt8YSeMFXAjSgtRg5qSipPlkxBNhFPO0QwMDJ1nYBB03v3yoI7dbLTmOBVrHogQZ9v6KTpnRcqApZFAwlcUUfQA/GL7SKqAD7Vtbv7MnKiXYidsKsJmUbtpW2kfdIwPQRNJ5RzjD50HIn2zFApRL0BtTobjWDZYPpg9GJIVLQAHM5gsYSKrTQuRk3tcuHAhChoxcy3CKBIF9yEyU8duZYUsaE9vBMiRisiK4KB720nIZFX0oG3Okc8K7muFqAhjB7gdFI0hqA8cY5MEzHgp4jPBZCe6KDM5/qntmwansymy2NCPcWwYg3MxmuMy7/wwXnmfYOAQ882bN7csG4J7IFSlANYBPLUWCTgP5Y30lVdRLOvpki40KCkSKHvyL6IG0T5LoII+qN6fJM9HsoXoho9BD1kIEAHTD1YwNvkiq29FbPs9YhYYjUARJ4Igb+GBIX1dUBY6hSi0HKRoYJVvWayDmaV5oknRwwv9oV2iU1pX97LRyi5P1hYbUYSErbcDQB38l7W1g2b7wF4PT+lEkq9s39ouRLu0ltmaheiXNTtxjJYAnGKXMznLOgI4tmXKP7U0CpbDtK5FD1qKBELORqB6ULN/P7eDwWDJTmBSKNpQrlwL+zThaJcopEj0O9h70w9shTJ9SPNrnSMqamyA47JRvaUR8XdBgCzBS0tLdaew8UROXqKogKBYBnAo5TiIgeSYZZSBY09+aUEM1KVt63SuR4x5MIjkxDa/AwSq3Ipy2lNOR7kihbCDih0WpRT4gHSCyUu/sYtN7W4Xm1aQZmArlOmDtR9brTDtOfu7WQo/A5OxIBHYsjJk1U+XGz4Jo+PMrj179oTDhw/HckRGzqaO81EtjuBVEh/e4jA6z+/9+/fHz9B423/v3r3A+0vK9SEu13E9EYD6Gxsb4fHjx2FhYSGe53pmsyKUoA735LwGzn72Rnt89obt3OPWrVvxegvt9vX1xWsePny45RM42Ui/1RZgB5NA9mMz9WgjFTPknbd9wi6dL9MHfnMNe+pYH3379q3eN0RPf8pQ+JcVu6T+bp4n2tGms/up1NLs/H9pOiK2A4+IjvCI6FQCF6JTCfw/c3cqgUdEpxK4EJ1K4EJ0KoEL0akELkSnErgQnUrgQnQqgQvRqQQuRKcSdPT39/tfVpwdp2NgYMCF6OwwIfwHN+rCnrjztp8AAAAASUVORK5CYII=";
$image_info = getimagesize($base64);
$extension = (isset($image_info["mime"]) ? explode('/', $image_info["mime"] )[1]: "");
echo $extension;
?>
If you know a minimal amount about the file format structure, you could theoretically look at the top bytes of the file until you could work out what type of file it is.
For example, a GIF image always starts with the following bytes GIF89a. If you can find that string at the begining of the file, you can be reasonably sure that it is a GIF image and absolutely certain it isn't any other image format. (it could still be a text file though, that just happens to start with 'GIF89a'; you'd have to parse more of the file to be absolutely certain)
Likewise, PNG files have the string PNG fairly near the start (it's not quite at the very begining; again, you'd need to research the file format specifics to help you determine how much you'd need to know to be certain).
JPEGs also contain recognisable strings in their headers, although these are more varied and complex. You might want to look out for the string Exif.
Getting the file format definitions would definitely give you more accuracy, but depending on how accurate you need to be, you might learn enough about the files formats just by opening some image files in a binary editor to see how they're structured.
These resources may help you:
http://www.w3.org/Graphics/JPEG/
http://www.w3.org/Graphics/PNG/
Follow PHP.NET Fileinfo :-
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
foreach (glob("*") as $filename) {
echo finfo_file($finfo, $filename) . "\n";
}
finfo_close($finfo);
You can use magic numbers to detect a MIME type (check here the list of file signatures). However, file signatures are not 100% reliable and you can easily encounter false positives. Of course, there are tasks when a such solution is more than enough.
So if you have a Base64 string and want to identify its MIME type using file signatures you don't need to decode the Base64. A much faster way is to store the file signatures as Base64 and just check if input starts with one of them. A simple example:
<?php
function detectMimeType(string $base64)
{
$signaturesForBase64 = [
'JVBERi0' => "application/pdf",
'R0lGODdh' => "image/gif",
'R0lGODlh' => "image/gif",
'iVBORw0KGgo' => "image/png",
'/9j/' => "image/jpeg"
];
foreach($signaturesForBase64 as $sign => $mimeType)
{
if(strpos($base64, $sign) === 0) {
return $mimeType;
}
}
return false;
}
var_dump(detectMimeType('R0lGODdhAQABAPAAAP8AAAAAACwAAAAAAQABAAACAkQBADs=')); // image/gif
var_dump(detectMimeType('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVR42mP4z8AAAAMBAQD3A0FDAAAAAElFTkSuQmCC')); // image/png
var_dump(detectMimeType('JVBERi0xLjUKJYCBgoMKMSAwIG9iago8PC9GaWx0ZXIvRmxhdGVEZWNvZGUvRmlyc3QgMTQxL04gMjAvTGVuZ3')); // application/pdf
var_dump(detectMimeType('/9j/4AAQSkZJRgABAQAAZABkAAD/2wCEABQQEBkSGScXFycyJh8mMi4mJiYmLj41NTU1NT5EQUFBQUFBRERERERERERE')); // image/jpeg
I got this solution from this Js Que-Answer
Additinally : this one is also works properly
$filename=$_FILES['file']['name'];
$type=$_FILES['file']['type'];
$extension=strtolower(substr($filename, strpos($filename, '.')+1));
$size=$_FILES['file']['size'];
if(($extension=='jpg' || $extension=='jpeg') && ($type!='image/jpg' || $type!='image/jpeg')){...
I have a input file, can let user upload jpg/jpeg image only, I have check type, extension, size.
However I'm not sure how to check if user change extension.(ex. abc.php -> abc.jpg)
any thing else I need to check before I save user's image into my server?
You can check the image with exif_imagetype()
http://www.php.net/manual/en/function.exif-imagetype.php
exif_imagetype() reads the first bytes of an image and checks its
signature.
I would suggest using finfo:
<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
foreach (glob("*") as $filename) {
echo finfo_file($finfo, $filename) . "\n";
}
finfo_close($finfo);
/* outputs:
text/html
image/gif
application/vnd.ms-excel
*/
?>
example taken from php document site.
see more info on the php document page http://www.php.net/manual/en/function.finfo-file.php
#Fabian's answer looks good for checking the type of file. While I would suggest a different approach to getting the extension of the file.
Consider a file named stack.overflow.jpg.
$filename = 'stack.overflow.jpg';
// With your code $extension = 'overflow.jpg'
$extension=strtolower( substr( $filename, strpos( $filename, '.' ) +1 ) );
// With pathinfo() $extension = 'jpg'
$extension = pathinfo( $filename, PATHINFO_EXTENSION );
Consider using pathinfo() to get the file extension: http://www.php.net/manual/en/function.pathinfo.php
Providing user to upload images has wide usage, however, checking file extension and MIME type not guarantee correct file type.
Alternative:
I used imagejpeg() and imagecreatefromjpeg() functions for creating the image from $_FILE['userfile']['tmp_name'] and then saving it in images/ dir. In this case, I ignored move_uploaded_file() function.
Are still this code vulnerable to fake image uploading attack?
$filename = $_FILE['inputfile']['name'];
$upload_path = 'images/';
//extract extension
$ext = strtolower(substr($filename, strrpos($filename, '.') + 1));
// return mime type ala mimetype extension
$finfo = finfo_open(FILEINFO_MIME_TYPE);
//get MIME type of the given file
$mime = finfo_file($finfo, $filename);
//close finfo
finfo_close($finfo);
if (is_uploaded_file($_FILES['inputfile']['tmp_name'])) {
//first check: file extension and mime type
if(!in_array($ext, array('jpeg', 'jpg', 'gif', 'png')) && !in_array($mime, array('image/jpeg', 'image/gif', 'image/png')) ){
die("Error1: Invalid Image type");
}
if($ext == 'jpeg' || $ext == 'jpg'){
$im = #imagecreatefromjpeg($_FILE['inputfile']['tmp_name']);
if($im){
$createimage = imagejpeg($im, $upload_path.$_FILE['inputfile']['name']);
if(!$createimage){
die("Error3: Can't create image!");
}
//last check
$filecontent = file_get_contents($upload_path.$_FILE['inputfile']['name']);
//clean the file from any php code
$filecontent = str_replace(array("<?php", "<?", "?>"), "", $filecontent);
$handle = fopen($upload_path.$_FILE['inputfile']['name'], "wb");
fwrite($handle, $filecontent);
fclose($handle);
}
else{
die("Error2: Invalid Image Detected");
}
}
}
One can always embed PHP code safely in a perfectly valid image file. There are too many ways to do that to worth even thinking avoiding them. Many valid image formats, many data containers such as EXIF in jpg for example, pixel level and compression manipulation, etc.
To be on the safe side one should protect the server from arbitrary file inclusion attacks and sanitize the file extensions to escape from apache configuration mistakes.
A more crazy approach is to create a slightly modified copy of the image, more exactly create a new image from the original one modified, a slight resize or color manipulation will delete the bitmap level PHP injections while copying will save you from most of the PHP injected in other data containers within the image.
Here is my code:
if ( $_FILES['photo']['type'] != "image/jpeg" )
echo "You attempted to upload a file of type: " . $_FILES['photo']['type'] . " ... The file must be a JPEG.";
As you can see... my code is checking to see whether or not the file type is a JPEG... if it is, it continues, else, it does not.
But even though the type IS a JPEG, I keep getting the echo that it's not:
"You attempted to upload a file of type: image/jpeg ... The file must be a JPEG."
There is just no way that that echo statement should ever be executed unless the file was NOT a JPEG.
Don't trust the mime types. If you want to be pretty sure, open the file, read the first couple of bytes, and check if it's a JPEG file header.
If you want to be really really sure, use imagecreatefromjpeg to actually load the jpeg file. If this fails, then it's apparently not a real jpeg file, no matter what mime types and file headers tell you. Note, that you need to have GD available to use this function.
I use a simple code for file upload. It actually checks file extension, not mime type. The code is below -
function getFileExtention($name) {
$split = explode('.',$name);
$splitCount = count($split) - 1;
return strtolower($split[$splitCount]);
}
if(getFileExtention($_FILES['input']['name'] != "jpg" && getFileExtention($_FILES['input']['name'] != "jpeg") {
echo "You attempted to upload a file of type: " . $_FILES['photo']['type'] . " ... The file must be a JPEG.";
}
It is unsafe to rely on the mime-type or the filename given in the $_FILES array, as they are given by the browser.
Use finfo_file instead, which will check on the server-side, based on the header/content of the file:
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimeType = finfo_file($finfo, $_FILES['input']['tmp_name']);
if ($mimeType != "image/jpeg") {
echo "You attempted to upload a file of type: " . $mimeType . " ... The file must be a JPEG.";
}
finfo_close($finfo);
See http://php.net/manual/en/function.finfo-file.php for documentation.
use $ext = pathinfo($_FILES["$key"]['name'], PATHINFO_EXTENSION);
Information directly from PHP's api.
Please can someone help? I have the following code which uploads a file to my server and renames it to whoever the logged in user is. For example the user 'coca-cola-lover' uploads a jpeg - the script would also rename the jpeg 'coca-cola-lover.jpg'.
My problem is that I need it to limit the upload to just jpegs - and also limit the file size to 2mb.
Please help - I was trying to find a solution all night.
Thanks in advance
// Your file name you are uploading
$file_name = $HTTP_POST_FILES['ufile']['name'];
$username = $row_Recordset1['username'];
$ext = end(explode('.', $file_name));
$renamed_file_name = $username;
$new_file_name=$renamed_file_name.'.'.$ext;
//set where you want to store files
//in this example we keep file in folder upload
//$new_file_name = new upload file name
//for example upload file name cartoon.gif . $path will be upload/cartoon.gif
$path= "../sites/images/users/".$new_file_name;
if($ufile !=none)
{
if(copy($HTTP_POST_FILES['ufile']['tmp_name'], $path))
{
echo "Successful<BR/>";
//$new_file_name = new file name
//$HTTP_POST_FILES['ufile']['size'] = file size
//$HTTP_POST_FILES['ufile']['type'] = type of file
echo "File Name :".$new_file_name."<BR/>";
echo "File Size :".$HTTP_POST_FILES['ufile']['size']."<BR/>";
echo "File Type :".$HTTP_POST_FILES['ufile']['type']."<BR/>";
}
else
{
echo "Error";
}
}
getimagesize tells you what format the file is in
as per bgy's comment, you should also force the file extension to be what you want:
$new_file_name=$renamed_file_name.'.'.$ext; // wrong, uses data from the client
$new_file_name=$renamed_file_name.'.jpg'; // ok, just what we want
never trust and never use filenames provided by the client.
I would recommend exif_imagetype:
<?php
if (exif_imagetype('image.gif') != IMAGETYPE_GIF) {
die(The picture is not a gif');
}
For details see here: http://php.net/manual/en/function.exif-imagetype.php
You can use any of the four to detect a mimetype of the file:
finfo_open (by default enabled as of 5.3)
getimagesize (requires enabled GD)
exif_imagetype (requires enabled Exif)
mime_content_type (deprecated as of 5.3)
You can also limit the MimeType from the FileUpload element, but since this is client-side code, it can easily be removed by malicious users (and it's also buggy across browsers):
<input type="file" name="picture" id="picture" accept="image/jpeg"/>
For further information on how to handle file uploads with PHP (including limiting file size), check the manual.
There is also a lot of very similar questions on Stack Overflow already, one being:
Check picture file type and size before file upload in php
You restrict the size via the normal mechanisms, but you'll need to use the fileinfo functions to determine the filetype after uploading.
A few advices for the current code
Use $_FILES instead of $HTTP_POST_FILES.
If you need to get file extensions use $extension = pathinfo($filename, PATHINFO_EXTENSION);.
Use is_uploaded_file and move_uploaded_file.
Don't relay on $_FILES['file']['type'] - it can be modified by user.
Indent your code.
If you want to limit file upload to the following requirements:
Filesize: max 2mb.
File type: image/jpeg
Do something like that:
$tmpName = $_FILES['file']['tmp_name'];
if (file_is_uploaded($tmpName) {
$filesize = fielsize($tmpName);
$mimeType = exif_imagetype('image.gif');
if ($filesize <= 2 * 1024 * 1024 && $mimeType == IMAGETYPE_JPEG) {
$filename = $USERNAME . '.jpg';
if (move_uploaded_file($tmpName, $filename) == false) {
// sth goes wrong
}
} else {
die('Invalid.');
}
}