HappyDeveloper

Reputation: 12805

Can I trust the file type from $_FILES?

Can I trust the file type from $_FILES when uploading images? Or do I have to check again with exif_imagetype() ?

Upvotes: 8

Views: 859

Answers (5)

Salman Arshad

Reputation: 272116

No, you cannot trust the $_FILES['userfile']['type'] variable. The value present in this variable could be forged. You can use finfo_file to detect the file type more reliably:

$finfo = finfo_open(FILEINFO_MIME_TYPE); // we need mime type
echo finfo_file($finfo, "/path/to/uploaded/file"); // displays something like image/gif
finfo_close($finfo);

These functions require PHP >= 5.3.0.

Upvotes: 5

Jon

Reputation: 437386

No, you cannot trust it because this information is provided by the client browser.

$_FILES['userfile']['type'] The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.

Upvotes: 2

Sebastian Wramba

Reputation: 10127

From the documentation:

The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.

Upvotes: 7

Wesley van Opdorp

Reputation: 14941

Never trust anything that comes from the outside, especially file uploads!

Check the size, location, mime/type, extension and anything else you can check!

Upvotes: 4

DarkBee

Reputation: 15625

I always use the next function to check on valid images:

function Check_Image($Filename) {
    if ($Check_Image = @getimagesize($Filename)) {
        return TRUE;
    }
    return FALSE;
}

Upvotes: 3
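
The checks suggested across the answers above (upload status, size, content-sniffed MIME type via finfo, image header via getimagesize, server-assigned extension), combined into one routine. This is an added example, not code from any of the answers; the function names, the 2 MiB limit, the allowlist and the use of PHP 7+ are assumptions.

```php
<?php
// Added example. Assumptions: PHP 7+, fileinfo extension, the allowlist and size limit below.
const MAX_BYTES = 2 * 1024 * 1024;            // assumed limit: 2 MiB
const ALLOWED = [                             // detected MIME type => extension we assign
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

// Returns the extension to store the file under, or throws.
function validate_image_upload(array $file): string
{
    // 'error' and 'tmp_name' are set by PHP itself; 'type' and 'name' come from the client.
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    // Sniff the type from the file content, ignoring $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('type not allowed');
    }
    // The image header must parse and agree with the sniffed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    return ALLOWED[$mime];
}

// Moves the upload into $destDir under a random name; returns the new path.
function store_image_upload(array $file, string $destDir): string
{
    $ext = validate_image_upload($file);
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}
```

Called as `store_image_upload($_FILES['userfile'], $dir)`, it never uses the client-supplied name or type. Both finfo and getimagesize inspect only the start of the file, so the stored name and extension are chosen by the server rather than taken from the upload.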
