Can I trust the file type from $_FILES?

自作多情 submitted on 2019-12-04 03:47:34

From the documentation:

The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.

No, you cannot trust the $_FILES['userfile']['type'] variable. The value present in this variable could be forged. You can use finfo_file to detect file type more reliably:

$finfo = finfo_open(FILEINFO_MIME_TYPE); // we need mime type
echo finfo_file($finfo, "/path/to/uploaded/file"); // displays something like image/gif
finfo_close($finfo);

These functions require PHP >= 5.3.0.

Never trust anything that comes from the outside, especially file uploads!

Check the size, location, mime/type, extension and anything else you can check!

I always use the next function to check on valid images:

function Check_Image($Filename) {
    if ($Check_Image = @getimagesize($Filename)) {
        return TRUE;
    }
    return FALSE;
}

No, you cannot trust it because this information is provided by the client browser.

$_FILES['userfile']['type'] The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.
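
The checks from the answers above combined into one server-side validator, as an added example that is not part of the original answers: it ignores the client-supplied type and file name, detects the type from the content with finfo, and maps it through an allow-list. `ALLOWED_TYPES`, `MAX_BYTES` and `validate_upload()` are hypothetical names, and the size limit is an assumption.

```php
<?php
// Added example. ALLOWED_TYPES, MAX_BYTES and validate_upload() are
// hypothetical names; the 2 MiB limit is an assumption.
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Validate one $_FILES entry (e.g. $_FILES['userfile']).
 * Returns the extension to store the file under, or null to reject it.
 * $file['type'] and the client's file name are never consulted.
 */
function validate_upload(array $file, bool $requireHttpUpload = true): ?string
{
    // Reject failed uploads and array-valued (multi-file) entries.
    if (!isset($file['error'], $file['tmp_name'])
        || !is_string($file['tmp_name'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // The path must be a file PHP itself received via HTTP POST.
    if ($requireHttpUpload && !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Measure the file on disk instead of trusting $file['size'].
    $size = @filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        return null;
    }
    // Detect the type from the content and map it through the allow-list.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return is_string($detected) ? (ALLOWED_TYPES[$detected] ?? null) : null;
}

// Constructed samples, written to a temp file so this runs from the CLI
// (hence $requireHttpUpload = false). Both claim to be image/gif.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
$entry = ['tmp_name' => $tmp, 'type' => 'image/gif', 'error' => UPLOAD_ERR_OK];

file_put_contents($tmp, "plain text with a forged type\n");
var_dump(validate_upload($entry, false));

// Minimal 1x1 GIF (constructed bytes).
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x00;");
var_dump(validate_upload($entry, false));
unlink($tmp);
```

Store an accepted file under a server-generated name with the returned extension. A matching content signature confirms the format, not that the file is harmless.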
