I want to implement validation on image files (.jpg, .png, .gif) in such a way that if a user changes the extension of an HTML file to jpeg, the system will restrict him because the file is in an invalid format. I have implemented validation on the file extension, but I want to implement this validation as well.
I am also uploading video (.wav, .flv, .mp4) and audio (.mp3) files, and if someone uploads a file with the wrong extension, the system should restrict him. How can I do this?
Tried finfo_file? It requires PECL fileinfo, PHP 5.3 and above.
This function will return the REAL MIME type of an uploaded file.
Based on this info, you can do a comparison and block any unwanted extension (MIME type).
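An added example (not part of the original answer) of the comparison described above: the extension claimed by the client is checked against the type finfo detects from the file's bytes. The allowlist, function name and sample inputs are assumptions made for the illustration.

```php
<?php
// Added example. The allowlist is an assumption; extend it with the audio and
// video types you accept and the MIME strings your finfo reports for them.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

function uploadMatchesExtension(string $tmpPath, string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $expected = ALLOWED[$ext] ?? null;
    if ($expected === null) {
        return false;                        // extension is not on the allowlist
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);  // classifies by content, not by name
    $detected = $finfo->file($tmpPath);
    return $detected !== false && in_array($detected, $expected, true);
}

// Constructed inputs, written to temp files so the script runs offline.
$gifHeader = "GIF89a" . pack('v2', 1, 1) . "\x00\x00\x00;";  // minimal 1x1 GIF header
$samples = [
    'photo.gif'   => $gifHeader,
    'renamed.jpg' => '<html><body><h1>not an image</h1></body></html>',
    'wrong.png'   => $gifHeader,             // GIF bytes under a .png name
    'page.html'   => '<html></html>',
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $verdict = uploadMatchesExtension($tmp, $name) ? 'accepted' : 'rejected';
    printf("%-12s %s\n", $name, $verdict);
    unlink($tmp);
}
```

In an upload handler, pass `$_FILES['field']['tmp_name']` and `$_FILES['field']['name']` as the two arguments.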
Related
A website I am building allows file uploads by authorised users. For any specific category of uploads, a set of file types is allowed, e.g. .pdf and .docx, so that my client can choose what they want to accept.
When uploading, I check the uploaded file's MIME type (using finfo_open(FILEINFO_MIME_TYPE)) against a database table of MIME types for that extension.
In testing, I am uploading a docx file from my PC - it has a docx extension and Windows reports the file type as application/vnd.openxmlformats-officedocument.wordprocessingml.document which is what I expect. However, finfo_open is giving me a MIME type of application/msword.
Does finfo_open's information come from within the file or from something in the browser or the upload process (in which case I guess I'll need to specify additional MIME types allowed) or is it something within the web server (in which case, can it be modified with php.ini)?
I believe in PHP it's safer to use the $_FILES to check the file MIME type.
Still, I don't think it bothers for this. Are you sure you gave a docx and not just a doc document? Usually application/msword is the MIME type for the doc file extension... Make sure that you save your file using the right version of Microsoft Word and in the right format and then try again. Also, I'd try to use a print_r on $_FILES to see what it tells you about the file. Does it tell you that the file has a different MIME type?
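An added example, not part of the original thread: finfo classifies a file by its bytes against a magic database, while Windows derives its label from the extension, so the two can disagree for a .docx. One way to cope is to accept a small set of MIME types per extension and then confirm the ZIP package structure of the .docx itself. The MIME lists, function names and sample archives are assumptions, and the ZipArchive extension is required.

```php
<?php
// Added example. The accepted MIME lists are assumptions: application/msword is
// the value the question reports, application/zip covers databases that only
// recognise the ZIP container.
const DOC_TYPES = [
    'pdf'  => ['application/pdf'],
    'docx' => [
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
        'application/msword',
        'application/zip',
    ],
];

// A .docx is a ZIP package; these two members identify a Word document.
function looksLikeDocx(string $path): bool
{
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return false;
    }
    $ok = $zip->locateName('[Content_Types].xml') !== false
        && $zip->locateName('word/document.xml') !== false;
    $zip->close();
    return $ok;
}

// Returns [detected MIME type, accepted?] so mismatches can be logged.
function checkDocument(string $path, string $ext): array
{
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    $ok = in_array($detected, DOC_TYPES[$ext] ?? [], true)
        && ($ext !== 'docx' || looksLikeDocx($path));
    return [$detected, $ok];
}

// Constructed inputs: a skeleton .docx package and a plain ZIP renamed to .docx.
function makeZip(array $members): string
{
    $path = tempnam(sys_get_temp_dir(), 'doc');
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    foreach ($members as $name => $body) {
        $zip->addFromString($name, $body);
    }
    $zip->close();
    return $path;
}
$docx = makeZip(['[Content_Types].xml' => '<Types/>', 'word/document.xml' => '<w:document/>']);
$fake = makeZip(['notes.txt' => 'hello']);
var_dump(checkDocument($docx, 'docx'), checkDocument($fake, 'docx'));
```

The renamed ZIP is rejected whatever label finfo gives it, because it lacks the Word members; a legacy .doc renamed to .docx is rejected for the same reason, since it is not a ZIP at all.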
How can I upload PDF files after scanning them through a scanner feeder? I am using an OCX plugin to upload images to the server, but in the application I am working on, I have to upload PDF documents to the server. Can you suggest a plugin or library, even if it is not free? I will be very thankful.
To quote my comment:
With PHP I'm pretty sure this isn't possible. How about getting the user to scan the PDF and then upload the PDF?
For example, you could just get them to scan all the PDFs as .jpegs or even .pdfs and then upload them as normal.
However, you could look at ActiveX plugins for Internet Explorer that support this.
http://www.codeproject.com/Articles/45241/How-to-Scan-Tiff-and-PDF-from-the-Web
Or third party software that uploads via FTP to a web server:
http://www.z-scan2send.com/scan-to-web.html
For Chestysoft's csXImage I don't think a plugin with PDF support exists; however, it can write PDFs. See http://www.chestysoft.com/ximage/manual.htm#sect1.8.9
csXImage can save images to PDF files. The images are always saved one per page, with the page size set equal to the image size.
And further up the manual:
The following file types are supported: .bmp, .gif, .jpg, .jpeg, .jpe, .png, .wbmp, .wbm, .pcx, .psd, .tif and .tiff.
I read that for images, it's not safe to depend on the file extension and that it's better to try to open the php with an image library like gd to verify its extension.
What about other types of files? If I have a .doc or .pdf or any other file type, how can I really tell the file type is really what it claims it is?
If you are on a *nix system the file command does a pretty good job at guessing mime type. It is not perfect, and fails on 'nested' types like .tar.gz but it is pretty good.
As I understand it, Fileinfo uses the same magic numbers approach as file without needing to go to the shell...
I don't know if it works for any file type, but you can check mime type using mime_content_type or filetype.
After a file has been uploaded to the tmp folder, for example a pdf file, would php fileinfo mime check be enough to verify that the file is indeed a pdf file and is not infected?
How do you verify that a user uploaded file has no virus, so that I could let users download it?
My scenario is this:
A user uploads a pdf file, I then let another user read his pdf file.
php fileinfo mime check be enough to verify that the file is indeed a pdf file and is not infected
No. It will tell you if it looks like a PDF file, but do no virus checking.
How do you verify that a user uploaded file has no virus?
With a virus scanner. There are plenty of commercial and non-commercial packages out there.
A MIME check does not guarantee anything. To be reasonably sure that a file has no virus, you will have to pass it through a virus scanner, for example clam on Linux.
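An added example, not from the original answers, of the two separate checks they describe: a content-based type check followed by a virus scan, with the upload rejected unless the scanner positively reports it clean. It assumes ClamAV's `clamscan` binary is installed and on PATH; the function names and the stub PDF are constructed for the illustration.

```php
<?php
// Added example; assumes ClamAV's clamscan binary is installed and on PATH.
function scanUpload(string $path): string
{
    // $path should be an absolute path such as the upload's tmp_name.
    $cmd = 'clamscan --no-summary ' . escapeshellarg($path) . ' 2>&1';
    exec($cmd, $output, $exit);
    // clamscan exit codes: 0 = no virus found, 1 = virus found, other = error.
    if ($exit === 0) {
        return 'clean';
    }
    return $exit === 1 ? 'infected' : 'error';
}

function acceptPdf(string $tmpPath): bool
{
    // Step 1: content-based type check (says nothing about malware).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== 'application/pdf') {
        return false;
    }
    // Step 2: scanner verdict; 'error' (scanner missing or failed) also rejects.
    return scanUpload($tmpPath) === 'clean';
}

// Constructed input: a stub file that starts with a PDF header.
$tmp = tempnam(sys_get_temp_dir(), 'pdf');
file_put_contents($tmp, "%PDF-1.4\n%%EOF\n");
var_dump(scanUpload($tmp), acceptPdf($tmp));
unlink($tmp);
```

On a machine without ClamAV the scan returns 'error' and the file is refused, which is the intended fail-closed behaviour.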
I am making a PHP image uploader using the Zend Framework which will upload images to a public directory for people to be able to freely access.
I have so far implemented these measures for security:
- File size validation
- Extension validation
- MimeType validation
- Upon successful validation the file is renamed with an image extension in a public folder, i.e. /images/uploads/...
Is this enough security? Can't run it through some antivirus script can you (is this required)?
The file extension and the mime type can be easily faked. Use getimagesize() to see if it really is an image.
You shouldn't be saving your uploads in the public folder at all!
You should save them in a private directory, and use a view helper to load the images for you.
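An added example, not from the original answers, combining the two suggestions above: `getimagesize()` decides whether the upload is an image, the file is stored under a server-generated name in a private directory, and a separate function streams it back. The directory, function names and sample inputs are assumptions; `getimagesize()` reads only the image header, which is why the storage controls matter as well.

```php
<?php
// Added example. $privateDir is an assumed directory outside the web root.
const EXT_BY_TYPE = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

function storeImage(string $tmpPath, string $privateDir): ?string
{
    $info = @getimagesize($tmpPath);             // false when no image header is found
    $ext = $info === false ? null : (EXT_BY_TYPE[$info[2]] ?? null);
    if ($ext === null) {
        return null;
    }
    // Server-chosen name: nothing from the client-supplied filename is reused.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // A real upload handler calls move_uploaded_file() here instead of rename().
    return rename($tmpPath, $privateDir . '/' . $name) ? $name : null;
}

function serveImage(string $name, string $privateDir): bool
{
    // Only names in the format storeImage() generates; no path components.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/D', $name)) {
        return false;
    }
    $path = $privateDir . '/' . $name;
    $info = is_file($path) ? getimagesize($path) : false;
    if ($info === false) {
        return false;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');   // browser must not re-guess the type
    return readfile($path) !== false;
}

// Constructed demo: a minimal GIF header and an HTML file, both as "uploads".
$privateDir = sys_get_temp_dir() . '/private_uploads_demo';
is_dir($privateDir) || mkdir($privateDir, 0700);
foreach (["GIF89a" . pack('v2', 1, 1) . "\x00\x00\x00;", '<html></html>'] as $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $name = storeImage($tmp, $privateDir);
    var_dump($name);                             // generated name, or NULL if rejected
    if ($name === null) {
        unlink($tmp);
    }
}
```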