How to check if an uploaded file is an image without mime type?
You could use getimagesize()
which returns zeros for size on non-images.
PHP: How to properly check MIME type of a file?
To get MIME type, developers generally depend on $_FILES['input_name']['type']
. But this is absolutely vulnerable. Because a malicious user can set one of image/jpg
, image/png
, image/gif
etc. MIME types to a file that is not actually an image. In that case, the malicious user may get your script pass to upload other files instead of an image and execute your script for their purposes which is dangerous.
So I recommend that you not depend on the following snippet to get MIME of a file
$_FILES['input_name']['type'];
Rather I would recommend that you use this mime_content_type()
function to get MIME type but with the help of other PHP's built-in functions. And that is is_uploaded_file()
function. What it does is:
This is useful to help ensure that a malicious user hasn't tried to
trick the script into working on files upon which it should not be
working--for instance, /etc/passwd.This sort of check is especially important if there is any chance that
anything done with uploaded files could reveal their contents to the
user, or even to other users on the same system.
So to make this function work properly it needs a specific argument. Check out the code below:
if (is_uploaded_file($_FILES['input_name']['tmp_name'])) {
// Do other stuff.
}
This function returns true
on success, false
otherwise. So if it returns true
then you're ok with the file. Thanks to this function. Now mime_content_type()
function comes into play. How? Look at the code below:
if (is_uploaded_file($_FILES['input_name']['tmp_name'])) {
// Notice how to grab MIME type.
$mime_type = mime_content_type($_FILES['input_name']['tmp_name']);
// If you want to allow certain files
$allowed_file_types = ['image/png', 'image/jpeg', 'application/pdf'];
if (! in_array($mime_type, $allowed_file_types)) {
// File type is NOT allowed.
}
// Set up destination of the file
$destination = '/path/to/move/your/file/';
// Now you move/upload your file
if (move_uploaded_file ($_FILES['input_name']['tmp_name'] , $destination)) {
// File moved to the destination
}
}
BTW, for novice, do not try remote URL with this function to get MIME type. The code below will not work:
mime_content_type('http://www.example.com/uploads/example.png');
But the one below would work:
mime_content_type('/source/to/your/file/etc.png');
Hope you would enjoy uploading files from now on.
jQuery how to check if uploaded file is an image without checking extensions?
Try something like this:
JavaScript
const file = this.files[0];
const fileType = file['type'];
const validImageTypes = ['image/gif', 'image/jpeg', 'image/png'];
if (!validImageTypes.includes(fileType)) {
// invalid file type code goes here.
}
jQuery
var file = this.files[0];
var fileType = file["type"];
var validImageTypes = ["image/gif", "image/jpeg", "image/png"];
if ($.inArray(fileType, validImageTypes) < 0) {
// invalid file type code goes here.
}
Related Topics
Autoloading Classes in PHPunit Using Composer and Autoload.Php
Calling a Particular PHP Function on Form Submit
Disabling Strict Standards in PHP 5.4
Laravel Eloquent: How to Order Results of Related Models
Detecting Image Type from Base64 String in PHP
Encrypt Files Using Pgp in PHP
How to Store an Array in a File to Access as an Array Later with PHP
How to Use Preg_Replace_Callback
Why Does Crypt/Blowfish Generate the Same Hash with Two Different Salts
Display Message Before Redirect to Other Page
How to Handle $_Post Data in MVC
Codeigniter - Why Use Xss_Clean
Which Is Faster and Better, Switch Case or If Else If
Uploading a File in Chunks Using HTML5