When I try to process a file upload, should I run verification based on the file MIME type or the file extension?
What are the pros and cons of these two ways of validating files?
The MIME type is not a reliable source, because it is sent by the browser (also, anyone can create an HTTP request manually). PHP does not check that the extension and the MIME type match (http://ru.php.net/manual/en/features.file-upload.post-method.php). You can accept an HTTP request with filename "image.php" and MIME type "image/gif".
Always use verification by extension if you want to save the uploaded file to the HDD and give public access to this file later.
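The check described in the answer above, as an added example that is not part of the original post: an extension allowlist applied to one `$_FILES` entry, with the client-supplied `type` field never consulted. `ALLOWED_EXTENSIONS`, `safe_upload_name()`, `$uploadDir` and the sample entries are assumptions made for illustration.

```php
<?php
// Added example: hypothetical names, constructed sample data.
const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png'];

/**
 * Returns a server-generated file name for an accepted upload, or null
 * when the upload is rejected. $file is one entry of $_FILES.
 * $file['type'] is never read: it is whatever Content-Type the client
 * wrote into the multipart request.
 */
function safe_upload_name(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // basename() drops any directory part the client put in the name.
    $name = basename((string) $file['name']);
    // pathinfo() returns the part after the last dot ('' if there is none).
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Store under a random name: only the allowlisted extension survives
    // from what the client sent.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed entries shaped like $_FILES['upload'].
$samples = [
    ['name' => 'image.php',       'type' => 'image/gif',         'error' => UPLOAD_ERR_OK],
    ['name' => 'photo.GIF',       'type' => 'application/x-php', 'error' => UPLOAD_ERR_OK],
    ['name' => 'image.gif.php',   'type' => 'image/gif',         'error' => UPLOAD_ERR_OK],
    ['name' => '../../photo.png', 'type' => 'image/png',         'error' => UPLOAD_ERR_OK],
    ['name' => 'noextension',     'type' => 'image/png',         'error' => UPLOAD_ERR_OK],
];

foreach ($samples as $f) {
    $stored = safe_upload_name($f);
    printf("%-16s type=%-18s -> %s\n", $f['name'], $f['type'], $stored ?? 'rejected');
}

// In a real handler the accepted file would then be moved with:
//   move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $stored);
// where $uploadDir is a directory chosen by the application.
```

Run with the PHP CLI, the two `.php` names and the name without an extension are rejected regardless of the claimed type, while `photo.GIF` and `../../photo.png` are accepted and stored under random names.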