View Full Version : How to validate file uploads by mime type

04-04-2007, 08:39 PM
I've built my first file upload script, and I'm needing to be able to validate the files by their mime type, but I'm running into some problems that I can't find answers to via Google or here. Here's an example of the code I'm using so far:

//Check extensions for documents
if ($resource_type == 'document') {
$allowed = array('application/pdf' => 'pdf',
'text/rtf' => 'rtf',
'application/rtf' => 'rtf',
'application/msword' => 'doc',
'application/octet-stream' => 'doc',
'application/vnd.ms-excel' => 'xls',
'application/vnd.ms-publisher' => 'pub',
'application/ppt' => 'ppt',
'application/vnd.ms-powerpoint' => 'ppt',
'text/txt' => 'txt',
'text/plain asc ' => 'txt');

//Check that the uploaded type is allowed.
if (!array_key_exists($_FILES['resource']['type'], $allowed)) {
$Error_Stat = 1;
$Message = Error("That file type is not allowed for documents.");

So basically, it's looking at the type and making sure it is of certain kinds that I specify. It's working great for most files, but one .doc file I uploaded was the type "application/octet-stream." What is that? I know it should be "application/msword," but why is it different?

04-04-2007, 08:57 PM
I think its a fall back? If it can't determine what it is, it falls back to that identifier?

04-04-2007, 08:59 PM
I do know its for forcing downloads for any file. Not sure on the upload part though? Can anyone else chime in on this?

04-04-2007, 09:03 PM
iLLin is correct about it being a fallback. It is kind of like saying, "this is a file consisting of bytes" (octet - 8 - 8 bits - byte).

Not sure why one specific word document would result in that MIME type. Look at the header() documentation on php.net. There's a lot of discussion on MIME types there.

04-04-2007, 09:03 PM
I do know its for forcing downloads for any file.

This is what the MIME type 'application/force-download' is for. :)

04-04-2007, 09:14 PM
Is there a better way to do mime type validation, or at least make sure that only certain files get through (.doc, .rtf, etc. for document category - .mpg, .mov, etc. for video category - etc.)?

04-04-2007, 10:34 PM
There isn't much you can do.

I just check the extension. Most uploads I have are for internal (intranet) purposes, so the security risk is not as big.

You get a collection of bytes. The only information you have about it is the file name. The contents cannot be trusted.