Home > Article > Backend Development > Implementation code for intelligent file type detection using PHP_PHP tutorial
Implementation code for intelligent file type detection using PHP_PHP tutorial
- WBOYOriginal
- 2016-07-21 15:26:01708browse
Use file suffix and MIME type detection
Usually when we want to strictly limit the file type, we can simply use $_FILES['myFile']['type'] to get the MIME type of the file and then detect it. Whether it is a legal type.
Alternatively we can take the last few characters of the file name to get the file suffix. Unfortunately, these methods are not sufficient and the extension of the file can be easily changed to bypass this restriction. Furthermore, MIME type information is sent by the browser, and most, if not all, browsers give MIME type information based on the file extension! Therefore, MIME types, like extensions, can be easily spoofed.
Using the "Magic Bytes"
The best way to determine the file type is by examining the first few bytes of the file - known as the "Magic Bytes". Magic bytes are essentially signatures of varying lengths between 2 and 40 bytes in the file header, or at the end of the file. There are hundreds of file types, and quite a few of them have several file signatures associated with them. Here you can see a list of file signatures.
The lazy way is to use the fileinfo extension, which is enabled by default in PHP 5.3.0 (according to the official MANUAL). If it is not enabled, you can enable it yourself
For example, under Windows:
extension=php_fileinfo.dll
under linux:
extension=fileinfo.so
#If it doesn’t work properly, add the following
#mime_magic .magicfile=/usr/share/file/magic
If it does not work properly under windows:
Please refer to: http://www.php.net/manual/en/ fileinfo.installation.php#82570
Download file-5.03-bin.zip and unzip it. There are two files magic.mgc and magic in the share directory.
Then add a system environment variable named MAGIC pointing to the magic file. Such as D:softwarePHPextrasmiscmagic
$buffer = file_get_contents ($file);
$finfo = new finfo(FILEINFO_MIME_TYPE);
return $finfo->buffer($buffer);
}
$mime_type = getFileMimeType($file);
switch($mime_type) {
case "image/jpeg":
// your actions go here...
}
Handle image upload
If you plan to only allow image uploads, then you can use the built-in getimagesize() function to ensure that the user is actually uploading a valid image file. If the file is not a valid image file, this function returns false.
$tempFile = $ _FILES['myFile']['tmp_name']; // path of the temp file created by PHP during upload
$imginfo_array = getimagesize($tempFile); // returns a false if not a valid image file
if ($imginfo_array !== false) {
$mime_type = $imginfo_array['mime'];
switch($mime_type) {
case "image/jpeg":
// your actions go here...
}
}
else {
echo "This is not a valid image file";
}
Manually reading and interpreting the "magic bytes"
If for some reason you are unable to install the FileInfo extension, you can still determine this manually, by reading the first few words of the file sections and compares them to the bytes of the known magic associated with a specific file type. This process must have involved a little trial and error, as there is also the possibility that there are a few illegal magic bytes associated with a legitimate file format.
However, this is not impossible. A few years ago, I was asked to make a script file that only allowed real mp3 files to be uploaded. And, since we couldn't use Fileinfo at the time, we had to rely on this manual detection method.
It took me a while to parse the illegal magic bytes of some mp3 files, but soon, I got a stable upload script.
Before I end this article, I want to give you a warning: make sure you never call an include() to include an uploaded file, because the PHP code may be cleverly hidden inside the image, and the image can also be successful Through your file detection, when such a script is run, it can only cause damage to the system.
Translated from: http://designshack.co.uk/articles/php-articles/smart-file-type-detection-using-php/