Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 7 of 7
  1. #1
    Super Moderator JohnDubya's Avatar
    Join Date
    Nov 2006
    Location
    Missouri
    Posts
    634
    Thanks
    12
    Thanked 18 Times in 18 Posts

    How to validate file uploads by mime type

    I've built my first file upload script, and I'm needing to be able to validate the files by their mime type, but I'm running into some problems that I can't find answers to via Google or here. Here's an example of the code I'm using so far:

    PHP Code:
    //Check extensions for documents
    if ($resource_type == 'document') {
        
    $allowed = array('application/pdf' => 'pdf',
                    
    'text/rtf' => 'rtf',
                    
    'application/rtf' => 'rtf',
                    
    'application/msword' => 'doc',
                    
    'application/octet-stream' => 'doc',
                    
    'application/vnd.ms-excel' => 'xls',
                    
    'application/vnd.ms-publisher' => 'pub',
                    
    'application/ppt' => 'ppt',
                    
    'application/vnd.ms-powerpoint' => 'ppt',
                    
    'text/txt' => 'txt',
                    
    'text/plain asc ' => 'txt');

    //Check that the uploaded type is allowed.
        
    if (!array_key_exists($_FILES['resource']['type'], $allowed)) {
            
    $Error_Stat 1;
            
    $Message Error("That file type is not allowed for documents.");
        }

    So basically, it's looking at the type and making sure it is of certain kinds that I specify. It's working great for most files, but one .doc file I uploaded was the type "application/octet-stream." What is that? I know it should be "application/msword," but why is it different?

  • #2
    Regular Coder
    Join Date
    Oct 2005
    Location
    Right Here
    Posts
    654
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I think its a fall back? If it can't determine what it is, it falls back to that identifier?

  • #3
    Regular Coder
    Join Date
    Oct 2005
    Location
    Right Here
    Posts
    654
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I do know its for forcing downloads for any file. Not sure on the upload part though? Can anyone else chime in on this?

  • #4
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    iLLin is correct about it being a fallback. It is kind of like saying, "this is a file consisting of bytes" (octet - 8 - 8 bits - byte).

    Not sure why one specific word document would result in that MIME type. Look at the header() documentation on php.net. There's a lot of discussion on MIME types there.

  • #5
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    I do know its for forcing downloads for any file.
    This is what the MIME type 'application/force-download' is for.

  • #6
    Super Moderator JohnDubya's Avatar
    Join Date
    Nov 2006
    Location
    Missouri
    Posts
    634
    Thanks
    12
    Thanked 18 Times in 18 Posts
    Is there a better way to do mime type validation, or at least make sure that only certain files get through (.doc, .rtf, etc. for document category - .mpg, .mov, etc. for video category - etc.)?

  • #7
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    There isn't much you can do.

    I just check the extension. Most uploads I have are for internal (intranet) purposes, so the security risk is not as big.

    You get a collection of bytes. The only information you have about it is the file name. The contents cannot be trusted.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •