PHP file upload: mime or extension based verification?


When I try to process file upload, should I run verification based on file MIME type or file-extension?

What are the pros & cons of these 2 ways of validating files?

4 answers
  •  死守一世寂寞
    2020-11-29 10:01

    Neither is appropriate for accurately finding out the type of a file. The reasons are:

    - Extension - a user can easily change the extension by just renaming the file.
    - Mime type - To change the mime type, some add-on/extension can do that, as it is coming from the client side (so it can be changed before sending to the server), not generated by the server.

    Now for verification, the answer of the question depends on why you want to verify the file type.

    Most of the time we need to make sure the uploaded file does not get executed. For this reason you need to be sure about how your server handles/executes files.

    - If your server checks extensions for verification, you also need to verify you are not storing a file with an extension which can get executed.
    - If your server uses mime-types, beware of the fact that the mime-type sent by the client and the mime-type used by the server for the same file can be different. So use the same logic your server uses to find out the mime-type.
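An added example, not part of the answer above: one way to apply both points in PHP, by detecting the type from the file's bytes on the server and choosing the stored extension from an allowlist. The function name `safe_upload_name`, the allowlist contents and the sample files are assumptions made for illustration, and the `fileinfo` extension is assumed to be enabled.

```php
<?php
declare(strict_types=1);

// Allowlist: server-detected MIME type => extension we are willing to store.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Returns the name to store the upload under, or null to reject it.
 * $clientName and $clientType are what the browser sent; both are untrusted
 * and deliberately play no part in the decision.
 */
function safe_upload_name(string $tmpPath, string $clientName, string $clientType): ?string
{
    // Detect the type from the file's bytes on the server (fileinfo extension).
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !isset(ALLOWED_TYPES[$detected])) {
        return null;
    }
    // The stored extension comes from the allowlist, never from $clientName,
    // so a renamed file cannot end up under an extension the server executes.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
}

// Constructed samples (not real uploads): a minimal PNG header and a text file.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" . pack('NNC5', 1, 1, 8, 2, 0, 0, 0));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "<?php echo 'hello'; ?>\n");

// Case 1: PNG bytes sent under the client name "avatar.php".
var_dump(safe_upload_name($png, 'avatar.php', 'image/png'));
// Case 2: script text sent as "photo.png" with a claimed type of image/png.
var_dump(safe_upload_name($txt, 'photo.png', 'image/png'));

unlink($png);
unlink($txt);
```

In a real handler the first argument would be `$_FILES[...]['tmp_name']`, and the returned name would be the destination passed to `move_uploaded_file()`. A valid image can still carry embedded script text, which is why the stored extension and the server's handling of the upload directory matter more than the detected type alone.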
