Uploads and mime type


on 15.11.2007 22:59:03 by Mad Hatter

Hi folks

I'm a bit confused with an upload script that I've written. I want to be
able to check the file type of an upload by checking the mime type but I'm
not getting the results that I thought I should. According to what I've
read .zip files should return something like 'application/zip' or
'application/x-zip-compressed', RAR should return
'application/x-rar-compressed' but both return 'application/octet-stream'.
I'm getting the results that I expected when checking .jpg, .png or .gif
files.

I'm checking the mime type using $_FILES['userfile']['type']

Anyone throw some light on this for me?

Re: Uploads and mime type

on 16.11.2007 00:17:42 by luiheidsgoeroe

On Thu, 15 Nov 2007 22:59:03 +0100, Mad Hatter wrote:

> Hi folks
>
> I'm a bit confused with an upload script that I've written. I want to be
> able to check the file type of an upload by checking the mime type but
> I'm
> not getting the results that I thought I should. According to what I've
> read .zip files should return something like 'application/zip' or
> 'application/x-zip-compressed', RAR should return
> 'application/x-rar-compressed' but both return
> 'application/octet-stream'.
> I'm getting the results that I expected when checking .jpg, .png or .gif
> files.
>
> I'm checking the mime type using $_FILES['userfile']['type']

The mime-type is user-submitted, totally unreliable and shouldn't be
trusted for any further processing. application/octet-stream is usually
the fallback for a binary file for which the UA either doesn't know or
doesn't care about the mime-type.

If the mime-type is really important to you, try the fileinfo function
(http://nl2.php.net/manual/en/ref.fileinfo.php).

What's the reason the mime-type is of importance to you?
--
Rik Wasmus

Re: Uploads and mime type

on 16.11.2007 00:35:30 by Mad Hatter

On Fri, 16 Nov 2007 00:17:42 +0100, Rik Wasmus wrote:
Hi

> What's the reason the mime-type is of importance to you?

It's not. It's just that all the upload scripts that I've seen seem to use
it to work out the file type. I think I'll stick to my original idea of
checking the file extension of the uploaded file.

Thanks for the reply :)

Re: Uploads and mime type

on 16.11.2007 01:23:10 by Michael Fesser

..oO(Mad Hatter)

>On Fri, 16 Nov 2007 00:17:42 +0100, Rik Wasmus wrote:
>>
>> What's the reason the mime-type is of importance to you?
>
>It's not. It's just that all the upload scripts that I've seen seem to use
>it to work out the file type. I think I'll stick to my original idea of
>checking the file extension of the uploaded file.

The extension is as unreliable as the submitted content type. Don't use
it for security purposes.

Micha

Re: Uploads and mime type

on 16.11.2007 09:36:20 by Mad Hatter

> The extension is as unreliable as the submitted content type. Don't use
> it for security purposes.

What's the safest way of checking the file type? The script isn't visible
to site users but I would rather be safe just in case someone finds it.

Re: Uploads and mime type

on 16.11.2007 11:59:01 by BoneIdol

On 16 Nov, 08:36, Mad Hatter wrote:
> > The extension is as unreliable as the submitted content type. Don't use
> > it for security purposes.
>
> What's the safest way of checking the file type? The script isn't visible
> to site users but I would rather be safe just in case someone finds it.

To check a file's mime type

http://uk.php.net/manual/en/ref.fileinfo.php

or http://uk.php.net/manual/en/function.mime-content-type.php if you
have PECL installed.

Personally, I just stick to using file extensions. Most supplied MIME
types are application/octet-stream anyway.

A quick and dirty way to get the extension:

$extension = strrev(substr(strrev($_FILES['userfile']['name']), 0,
strpos(strrev($_FILES['userfile']['name']), '.')));

(It reverses a string so that it gets the first from the end then
reverses the result)
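
The content-based check that the fileinfo links in this thread point to, written out as an added example that is not part of any poster's message. The allow-list, the function name store_upload and the /var/uploads directory are assumptions made for illustration; 'userfile' is the field name used in the thread.

```php
<?php
// Added example: decide the type from the file's bytes, never from
// $_FILES[...]['type'] or from the client-supplied file name.

// Allow-list: detected MIME type => extension the server will assign.
// (Constructed list; adjust to what the application really accepts.)
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/zip' => 'zip',
];

/**
 * Returns the stored path on success, or null if the upload is rejected.
 * $destDir is a hypothetical directory outside the web root.
 */
function store_upload(array $file, string $destDir): ?string
{
    // Reject failed or incomplete uploads.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Make sure tmp_name really is a file PHP received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Sniff the content with fileinfo (libmagic signatures).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !isset(ALLOWED_TYPES[$detected])) {
        return null;
    }
    // Server-chosen random name; the extension comes from the allow-list,
    // not from the name the client sent.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
    $target = rtrim($destDir, '/') . '/' . $name;

    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Usage in the upload handler.
$stored = isset($_FILES['userfile'])
    ? store_upload($_FILES['userfile'], '/var/uploads') // hypothetical path
    : null;
echo $stored === null ? "Upload rejected\n" : "Stored upload\n";
```

Content sniffing reports what the bytes look like, not that the file is harmless, so the stored file should still be treated as data and kept where the web server will not execute it.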

Re: Uploads and mime type

on 16.11.2007 12:49:23 by Mad Hatter

Hi
>
> A quick and dirty way to get the extension:
>
> $extension = strrev(substr(strrev($_FILES['userfile']['name']), 0,
> strpos(strrev($_FILES['userfile']['name']), '.')));
>
> (It reverses a string so that it gets the first from the end then
> reverses the result)

That's a much better method than the one I was going to use :-
$upname=($_FILES["userfile"]["name"]);
$extension = substr($upname, strrpos($upname, '.') + 1);

Thanks for that :)