Comments on: How to check a file type efficiently in PHP? http://www.kadimi.com/en/file-type-265 [Web developper, Linux addict, Technical translator...] Sat, 07 Jan 2012 07:53:27 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: lifeofguenter http://www.kadimi.com/en/file-type-265#comment-144 lifeofguenter Sun, 02 Jan 2011 18:20:42 +0000 http://www.kadimi.com/en/?p=265#comment-144 using exec and not even escaping/validating/sanitizing inputs is just as bad - if not even worse, as users have now direct shell access. I agree that using fileinfo extension (or any other pseudo type check like file/identify/whatever) should _only_ be used as pre-check. If you decide to host the uploaded file, always do an analog copy of the pixels. With this you are sure only to get the picture information and not any other files attached. using exec and not even escaping/validating/sanitizing inputs is just as bad – if not even worse, as users have now direct shell access.

I agree that using fileinfo extension (or any other pseudo type check like file/identify/whatever) should _only_ be used as pre-check. If you decide to host the uploaded file, always do an analog copy of the pixels. With this you are sure only to get the picture information and not any other files attached.

]]> By: Nabil http://www.kadimi.com/en/file-type-265#comment-32 Nabil Sun, 09 Aug 2009 18:27:16 +0000 http://www.kadimi.com/en/?p=265#comment-32 Yes, using server software (specially antiviruses) will bring higher levels of security, but this is only available on dedicated servers. Yes, using server software (specially antiviruses) will bring higher levels of security, but this is only available on dedicated servers.

]]> By: Amine http://www.kadimi.com/en/file-type-265#comment-31 Amine Sun, 09 Aug 2009 10:07:45 +0000 http://www.kadimi.com/en/?p=265#comment-31 I prefer the 'file' unix command because it relies on the header or signature of the file. I think a good soluion for security would be to nest several tests both client side and server side, beginning from the simple check of the file extension, and going through some test like the one you exposed for checking the actual type of the file, and ending with a server side antivirus testing if the type of the file has been accepted. I'm not a good php programmer but I think combining php functions and some other server scripting can lead to an acceptable solution. Thank you for the answer! I prefer the ‘file’ unix command because it relies on the header or signature of the file.

I think a good soluion for security would be to nest several tests both client side and server side, beginning from the simple check of the file extension, and going through some test like the one you exposed for checking the actual type of the file, and ending with a server side antivirus testing if the type of the file has been accepted. I’m not a good php programmer but I think combining php functions and some other server scripting can lead to an acceptable solution.

Thank you for the answer!

]]>