Question
I have an input where you can upload images; the only allowed image types are png, jpg and jpeg.
Before the image is inserted into the database it checks whether the pictures are png, jpg or jpeg. But now, for security reasons, I need to check the MIME type before or after the first check.
How do I do this? This is my code:
<?php
// Whitelist of allowed extensions (png, jpg, jpeg as stated above); this was
// referenced but not defined in the posted snippet
$aExtensionWhitelist = array('png', 'jpg', 'jpeg');

$iAmountOfFiles = count($_FILES['Filename']['name']);
while($iAmountOfFiles >= 1) {
    $iAmountOfFiles--;
    $aFileProperties = pathinfo($_FILES['Filename']['name'][$iAmountOfFiles]);
    if(!in_array(strtolower($aFileProperties["extension"]), $aExtensionWhitelist)) {
        echo "Bestands type niet toegestaan"; // Dutch: "File type not allowed"
        // exit;
        continue;
    }
    $sTarget = ROOT.BACKEND."/pages/bezienswaardigheden-toevoegen/uploads/";
    $sUniqueFileNameHash = hash('adler32', time().rand());
    $Filename = basename($sUniqueFileNameHash."-".$_FILES['Filename']['name'][$iAmountOfFiles]);
    // The line above is overwritten by the next one, which builds the stored name
    // as <original name>-<hash>.<lowercased extension>
    $Filename = basename($aFileProperties["filename"]."-".$sUniqueFileNameHash.".".strtolower($aFileProperties["extension"]));
    // Writes the Filename to the server
    if(move_uploaded_file($_FILES['Filename']['tmp_name'][$iAmountOfFiles], $sTarget.$Filename)) {
        // here needs to come the mime check
    }
}
Answer 1:
To get the MIME type, developers generally depend on $_FILES['input_name']['type']. But this is absolutely vulnerable, because a malicious user can set one of the image/jpg, image/png, image/gif etc. MIME types on a file that is not actually an image. In that case, the malicious user would get your script to upload another file instead of an image.
So I recommend that you do not depend on the following snippet to get the MIME type of a file:
$_FILES['input_name']['type'];
Rather, I would recommend using the mime_content_type() function to get the MIME type, but with the help of another of PHP's built-in functions, is_uploaded_file(). What it does is:
This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd.
This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.
So to make this function work properly it needs a specific argument. Check out the code below:
if (is_uploaded_file($_FILES['input_name']['tmp_name'])) {
    // do other stuff
}
This function returns true on success, false otherwise. So if it returns true then you're ok with the file, thanks to this function. Now the mime_content_type() function comes into play. How? Look at t
if (is_uploaded_file($_FILES['input_name']['tmp_name'])) {
    // Notice how to grab the MIME type
    $get_mime_type = mime_content_type($_FILES['input_name']['tmp_name']);
    // Now you move/upload your file
    move_uploaded_file($_FILES['input_name']['tmp_name'], $destination);
}
BTW, for novices: do not try a remote URL with this function to get the MIME type. The code below will not work:
mime_content_type('http://www.example.com/uploads/example.png');
But the one below would work:
mime_content_type('/source/to/your/file/etc.png');
Hope you would enjoy uploading file from now on.
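Putting the answer's advice together with the question's extension whitelist, here is an added example (not the asker's or answerer's code) of a single validation function that combines is_uploaded_file(), content-based MIME detection, and a cross-check that the detected type matches the extension, so a renamed non-image is rejected before move_uploaded_file() runs. The function name validateUploadedImage and the whitelist mapping are assumptions for this example.

```php
<?php
// Added example: validate one entry of $_FILES for the multi-file input used in
// the question. Returns the canonical extension to store the file under, or
// null if the upload must be rejected. Never trusts $_FILES[...]['type'].
function validateUploadedImage(array $file): ?string
{
    // Extension -> MIME type the file contents must actually have (assumed mapping)
    $allowed = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
    ];

    // Reject failed/partial uploads before looking at anything else
    if (!isset($file['tmp_name'], $file['name']) || ($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only operate on files PHP itself received via HTTP POST
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // First check from the question: extension whitelist
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // Second check: MIME type sniffed from the file contents (finfo, like mime_content_type())
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null; // e.g. "photo.png" that is really a PHP script or a GIF
    }

    // Third check: the file must also parse as an image
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }

    return $ext;
}

// Usage inside the question's loop, for file index $i (constructed sample call):
// $entry = ['name' => $_FILES['Filename']['name'][$i], 'tmp_name' => $_FILES['Filename']['tmp_name'][$i],
//           'error' => $_FILES['Filename']['error'][$i]];
// if (($ext = validateUploadedImage($entry)) === null) { continue; }
// $Filename = $sUniqueFileNameHash . '.' . $ext;   // store under a name you control
// move_uploaded_file($entry['tmp_name'], $sTarget . $Filename);
```

Running the checks before move_uploaded_file() means a rejected file never lands in the web-accessible uploads directory, and naming the stored file from the validated extension rather than the client-supplied name removes the second place where the attacker's input reaches the filesystem.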
Source: https://stackoverflow.com/questions/59986082/php-how-to-properly-check-mime-type-of-a-file