php file upload type

Question

I'm trying to upload a zip file and a csv file from HTML form.

On PHP, When I printed $_FILES (Actually $request->getFiles() in symfony), I got following.

Array
(
    [zipfile] => Array
        (
            [name] => tempfiles.zip
            [type] => application/octet-stream
            [tmp_name] => C:\wamp\tmp\php5D42.tmp
            [error] => 0
            [size] => 850953
        )
    [csvfile] => Array
        (
            [name] => test.csv
            [type] => application/vnd.ms-excel
            [tmp_name] => C:\wamp\tmp\php5D52.tmp
            [error] => 0
            [size] => 312
        )
)

I'm wondering with the type and tmp_name. I need to take few decisions based on type. Is it safe to take decisions on existing type? Will I get same result for similar files on Linux server?

Again tmp_name have .tmp extension. Is it consistent on both windows/linux? If not, is there any way that the code I write on windows (decision using type) will work on linux without any issue?

Answer 1

Using this type can be dangerous Because user can change the type of the files and can upload a php script.

You should validate the type first just like get_image_size() to validate a image file.I have no idea about .zip file

Answer 2

It is not safe to trust the type form $_FILES, you need to validate the file type in server side.

For .tmp extension, it is ok both on windows or linux.