
Thread: content type

  1. #1
    timgolding

    content type

    Hi,

    I am looking for a bulletproof method for verifying file types for uploaded files.
    If there was some way I could check the content type and encoding of the uploaded file. I am trying to avoid trusting the data from the $_FILES associative array because I presume this comes directly from the posted data, which may have been spoofed somehow. If there is something similar to the Linux command file that checks for magic byte sequences against the magic database.

    Is there a similar approach in PHP? If so, would this be bulletproof? I am trying to establish whether an uploaded file is an image.

    Any advice on these issues would be greatly appreciated.
    You can not say you know how to do something, until you can teach it to someone else.

  • #2
    rafiki

  • #3
    timgolding

    I found I can run system commands through the system() call, and produced this script to return the output from the system command 'file'.

    PHP Code:


    if (!empty($_FILES["uploadedfile"]))
    {
        // make path for upload
        $uploaddir = $_SERVER['DOCUMENT_ROOT']."/static_files/training/photos/";
        $uploaddir .= basename($_FILES['uploadedfile']['name']);

        // verify file using linux FILE command
        $last_line = system('file '.$_FILES['uploadedfile']['tmp_name'], $retval);
        echo $last_line.'<br />'.$retval.'<br />';
    }
    else
        echo $_FILES['uploadedfile']['error'].'<br />';

    Then I tested the three different file types I will accept; these are: jpg, png, gif

    Here was the output:

    png: tmp/phpNUT6aD: PNG image data, 197 x 106, 8-bit/color RGB, non-interlaced /tmp/phpNUT6aD: PNG image data, 197 x 106, 8-bit/color RGB, non-interlaced

    jpg: /tmp/phpYOyoBK: JPEG image data, JFIF standard 1.01 /tmp/phpYOyoBK: JPEG image data, JFIF standard 1.01

    gif:/tmp/phpKJHs58: GIF image data, version 89a, 114 x 100 /tmp/phpKJHs58: GIF image data, version 89a, 114 x 100

    How can I use these outputs to test? Is there a regex expert in here?
    Last edited by timgolding; 07-20-2007 at 01:24 PM.

  • #4
    timgolding

    Would this be acceptable?

    PHP Code:

    $accepted_types = array('JPEG', 'GIF', 'PNG');

    if (!empty($_FILES["uploadedfile"]))
    {
        // make path for upload
        $uploaddir = $_SERVER['DOCUMENT_ROOT']."/static_files/training/photos/";
        $uploaddir .= basename($_FILES['uploadedfile']['name']);

        // verify file using linux FILE command
        $last_line = system('file '.$_FILES['uploadedfile']['tmp_name'], $retval);
        echo $last_line.'<br />'.$retval.'<br />';

        $splitvals = explode('image data', $last_line);
        if (in_array($splitvals[0], $accepted_types))
        {
            echo $splitvals[0].' was accepted ';
        }
    }
    else
        echo $_FILES['uploadedfile']['error'].'<br />';

    Last edited by timgolding; 07-20-2007 at 01:52 PM.

  • #5
    timgolding

    Here is my solution:

    PHP Code:
    <?PHP

    $accepted_types = array("JPEG", "GIF", "PNG");

    // The temporary filename of the file in which the uploaded file was stored on the server.
    if (!empty($_FILES["uploadedfile"]))
    {
        $uploaddir = $_SERVER['DOCUMENT_ROOT']."/static_files/training/photos/";
        $uploaddir .= basename($_FILES['uploadedfile']['name']);

        // verify file using linux FILE command
        $last_line = system('file '.escapeshellarg($_FILES['uploadedfile']['tmp_name']), $retval);

        // get the file extension returned through magic database
        $splitvals = explode(' image data', $last_line);
        $vals = explode(':', $splitvals[0]);
        $vals[1] = str_replace(' ', '', $vals[1]); // $vals[1] = the extension

        if (in_array($vals[1], $accepted_types))
        {
            echo $vals[1].' was accepted <br />';
            if (!file_exists($uploaddir)) {
                // Copy the file to some permanent location
                if (move_uploaded_file($_FILES["uploadedfile"]["tmp_name"], $uploaddir))
                {
                    echo $uploaddir." was uploaded! <br />";
                }
                else
                {
                    echo "There was a problem when uploading the new file, please contact admin about this.";
                }
            }
            else echo 'This file already exists in DB please rename file before uploading';
        }
    }
    else echo $_FILES['uploadedfile']['error'].'<br />';
    ?>

    Last edited by timgolding; 07-20-2007 at 03:01 PM.

  • #6
    Fumigator

    I believe getimagesize() is the easiest way to determine if a file is an image or not-- it will even tell you what kind of image it is (regardless of the file extension).
    PHP Code:
    if (!getimagesize($fileName)) {
        echo "file is not an image.";
    }


  • #7
    timgolding

    oh lol that will save a lot of lines of code
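
Added example, not part of any post in this thread: one way to combine the magic-database check asked about in the first post with the getimagesize() check from post #6, without calling the file command through a shell. The function name store_uploaded_image and its parameters are assumptions; it needs PHP's fileinfo extension and PHP 7 or later for random_bytes(), and it takes the stored extension from the detected type instead of the client-supplied name.

```php
<?php
// Added example, not code from the thread. The function name, its parameters
// and the destination directory are assumptions.

/**
 * Validate an uploaded file as JPEG, PNG or GIF from its content and store it
 * under a server-generated name. Returns the stored path, or throws.
 */
function store_uploaded_image(array $upload, string $destDir): string
{
    // MIME types detected from content, mapped to the extension we assign.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (!isset($upload['error']) || $upload['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing.');
    }
    $tmp = $upload['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an HTTP upload.');
    }

    // Same kind of magic database lookup as the file command, without a shell.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('Not an accepted image type.');
    }

    // The image header must parse and agree with the detected type.
    $info = getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Image header does not match content type.');
    }

    // Name comes from the server, extension from the detected type;
    // $upload['name'] and $upload['type'] are never used.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $dest;
}
```

Passing both checks shows that the file begins with a valid image header, not that it contains nothing else, which is why the stored name and extension are chosen by the server.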

