How to validate file uploads by mime type

JohnDubya · 04-04-2007, 07:39 PM

I've built my first file upload script, and I'm needing to be able to validate the files by their mime type, but I'm running into some problems that I can't find answers to via Google or here. Here's an example of the code I'm using so far:

PHP Code:


			
//Check extensions for documents

if ($resource_type == 'document') {

    $allowed = array('application/pdf' => 'pdf',

                'text/rtf' => 'rtf',

                'application/rtf' => 'rtf',

                'application/msword' => 'doc',

                'application/octet-stream' => 'doc',

                'application/vnd.ms-excel' => 'xls',

                'application/vnd.ms-publisher' => 'pub',

                'application/ppt' => 'ppt',

                'application/vnd.ms-powerpoint' => 'ppt',

                'text/txt' => 'txt',

                'text/plain asc ' => 'txt');



//Check that the uploaded type is allowed.

    if (!array_key_exists($_FILES['resource']['type'], $allowed)) {

        $Error_Stat = 1;

        $Message = Error("That file type is not allowed for documents.");

    }

}

So basically, it's looking at the type and making sure it is of certain kinds that I specify. It's working great for most files, but one .doc file I uploaded was the type "application/octet-stream." What is that? I know it should be "application/msword," but why is it different?

iLLin · 04-04-2007, 07:57 PM

I think its a fall back? If it can't determine what it is, it falls back to that identifier?

iLLin · 04-04-2007, 07:59 PM

I do know its for forcing downloads for any file. Not sure on the upload part though? Can anyone else chime in on this?

aedrin · 04-04-2007, 08:03 PM

iLLin is correct about it being a fallback. It is kind of like saying, "this is a file consisting of bytes" (octet - 8 - 8 bits - byte).

Not sure why one specific word document would result in that MIME type. Look at the header() documentation on php.net. There's a lot of discussion on MIME types there.

aedrin · 04-04-2007, 08:03 PM

Quote:

I do know its for forcing downloads for any file.

This is what the MIME type 'application/force-download' is for.

JohnDubya · 04-04-2007, 08:14 PM

Is there a better way to do mime type validation, or at least make sure that only certain files get through (.doc, .rtf, etc. for document category - .mpg, .mov, etc. for video category - etc.)?

aedrin · 04-04-2007, 09:34 PM

There isn't much you can do.

I just check the extension. Most uploads I have are for internal (intranet) purposes, so the security risk is not as big.

You get a collection of bytes. The only information you have about it is the file name. The contents cannot be trusted.