2
<?php
$filename  = $_FILES['file']['name'];
$type      = $_FILES['file']['type'];   // supplied by the client's browser, not verified by PHP
$extension = strtolower(substr($filename, strpos($filename, '.') + 1)); // part after the FIRST dot
$size      = $_FILES['file']['size'];

// Reject a .jpg/.jpeg upload whose declared MIME type is neither image/jpg nor image/jpeg.
// (Both comparisons must fail, so they are joined with &&; with || the test is always true.)
if (($extension == 'jpg' || $extension == 'jpeg') && ($type != 'image/jpg' && $type != 'image/jpeg')) {
    // ...
}

I have a file input that lets the user upload jpg/jpeg images only; I check the type, extension and size.

  1. However, I'm not sure how to check whether the user changed the extension (e.g. abc.php -> abc.jpg).

  2. Is there anything else I need to check before I save the user's image on my server?

3
  • Possible duplicate of Security threats with uploads. Commented Aug 7, 2013 at 15:05
  • @deceze this one is more image-specific. There are many PHP functions that are unique to this question, i.e. exif_imagetype() and imagejpeg(), which should be uniquely beneficial to this situation. Commented Aug 7, 2013 at 15:18
  • Thanks for the help. I think I will use all the functions to check, in case anything happens; it looks like there are more articles I need to read... Commented Aug 7, 2013 at 15:24

3 Answers

3

You can check the image with exif_imagetype()

http://www.php.net/manual/en/function.exif-imagetype.php

exif_imagetype() reads the first bytes of an image and checks its signature.
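The following is an added example (my code, not part of the answer above) showing the signature check in practice and where it stops. It requires the exif extension; the three fixture files (a minimal JPEG, a PHP script renamed to .jpg as in the question, and a JPEG header with the same script appended) are constructed inside the script so it runs without a real upload.

```php
<?php
// Added example, not code from the answer above: a signature check built on
// exif_imagetype(). Requires the exif extension. The fixture files below are
// constructed here so the script runs offline without a real upload.

function isJpegBySignature(string $path): bool
{
    // exif_imagetype() reads the first bytes of the file and returns an
    // IMAGETYPE_* constant, or false if no known image signature matches.
    // It never looks at $_FILES[...]['type'], which the client chooses.
    $detected = @exif_imagetype($path);
    return $detected === IMAGETYPE_JPEG;
}

$dir = sys_get_temp_dir();

// Constructed fixtures (not real uploads):
//  - real.jpg:     SOI marker (FF D8) immediately followed by EOI (FF D9);
//                  the first three bytes FF D8 FF are the JPEG signature
//  - abc.jpg:      a PHP script renamed to .jpg (the abc.php -> abc.jpg case)
//  - polyglot.jpg: the same JPEG markers with the script appended after them
$fixtures = [
    'real.jpg'     => "\xFF\xD8\xFF\xD9",
    'abc.jpg'      => "<?php system(\$_GET['c']); ?>",
    'polyglot.jpg' => "\xFF\xD8\xFF\xD9<?php system(\$_GET['c']); ?>",
];

foreach ($fixtures as $name => $bytes) {
    $path = $dir . '/' . $name;
    file_put_contents($path, $bytes);
    printf("%-13s %s\n", $name, isJpegBySignature($path) ? 'accepted' : 'rejected');
    unlink($path);
}
```

Only the renamed script is rejected. The polyglot is accepted because exif_imagetype() inspects the leading bytes and nothing after them, so a signature check answers "does this start like a JPEG", not "is this only a JPEG". It catches the plain rename from the question but has to be paired with something that discards the rest of the file (re-encoding through GD, as discussed in the other answers) or with storing uploads where the web server will never execute them.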



2

I would suggest using finfo:

<?php
    $finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
    foreach (glob("*") as $filename) {
        echo finfo_file($finfo, $filename) . "\n";
    }
    finfo_close($finfo);

    /* outputs:
    text/html
    image/gif
    application/vnd.ms-excel
    */
?>

Example taken from the PHP documentation site. See more info on the PHP documentation page http://www.php.net/manual/en/function.finfo-file.php

2 Comments

Does this read the MIME type from the file itself somehow, or from the user's Content-Type header?
@Katana314 Yes, from the byte sequences at specific positions within the file. Please check php.net/manual/en/intro.fileinfo.php :D and its requirements: php.net/manual/en/book.fileinfo.php
0

@Fabian's answer looks good for checking the type of the file, while I would suggest a different approach to getting the extension of the file.

Consider a file named stack.overflow.jpg.

$filename = 'stack.overflow.jpg';

// With your code $extension = 'overflow.jpg'
$extension=strtolower( substr( $filename, strpos( $filename, '.' ) +1 ) );

// With pathinfo() $extension = 'jpg'
$extension = pathinfo( $filename, PATHINFO_EXTENSION );

Consider using pathinfo() to get the file extension: http://www.php.net/manual/en/function.pathinfo.php

3 Comments

The file extension means nothing, though. I could name my malicious script keyloggervirus.exe.jpg and it would still execute. You need to use PHP to actually verify the image content, like the above answers do.
Is there any way to reformat the file to jpg? So even if it's a malicious script, it will become a jpg.
PHP has imagejpeg()
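The following added example (my code, not from any of the answers or comments on this page) puts the finfo answer, the pathinfo() answer and the imagejpeg() suggestion from the comments together in one upload handler. It assumes the GD and fileinfo extensions, a form field named "file", and an upload directory outside the web root passed in as $uploadDir; the size limit and the quality value are arbitrary choices.

```php
<?php
// Added example, not code from the original answers: a JPEG upload handler that
// combines the three suggestions on this page. Assumes the GD and fileinfo
// extensions; $uploadDir is an assumed directory the web server does not serve
// or execute from.

function saveJpegUpload(array $file, string $uploadDir, int $maxBytes = 2 * 1024 * 1024): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    // Only accept a path that PHP itself received through this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // $file['size'] is set by PHP, but checking the bytes on disk costs nothing.
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension hint: pathinfo() takes the part after the LAST dot, so
    //    "stack.overflow.jpg" gives "jpg" and "abc.php.jpg" also gives "jpg".
    //    This is a cheap filter, never a verdict on the content.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg'], true)) {
        throw new RuntimeException('only .jpg/.jpeg accepted');
    }

    // 2. Content sniffing: finfo reads the bytes on disk, unlike
    //    $_FILES['file']['type'], which is whatever the browser claimed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== 'image/jpeg') {
        throw new RuntimeException('detected type ' . var_export($mime, true) . ' is not image/jpeg');
    }

    // 3. Re-encode: decoding into a GD image and writing it back out keeps
    //    only pixel data. EXIF, comment segments and anything appended after
    //    the image are dropped, and a file that merely starts with a JPEG
    //    signature but is not a decodable JPEG fails here.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('file is not a decodable JPEG');
    }

    // 4. Never reuse the client-supplied name: pick a random name with a fixed
    //    extension so the original name can never select a server-side handler.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    $ok   = imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    chmod($dest, 0644);
    return $dest;
}

// Usage from the upload script (directory path is hypothetical):
// $saved = saveJpegUpload($_FILES['file'], '/var/app/uploads');
```

The re-encode answers the "reformat it to jpg" question in the comments: the stored file is a fresh JPEG produced by GD, not the bytes the user sent, so a script hidden in metadata or appended after the image does not survive. It is still not a substitute for step 4 and for keeping the directory non-executable: image decoders have had their own bugs, and the effort to craft a payload that survives recompression is bounded, so the design should not depend on the file being harmless.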
