I use var_dump(@$_FILES['file']['type']) to check the downloaded file type.
First I uploaded an exe file called "uninstall.exe", and it returned
"string 'application/octet-stream' (length=24)"
Then I renamed this file to uninstall.png, and it returned
string 'image/png' (length=9)
My conclusion: $_FILES['file']['type'] checks only the file extension, not the original file type.
The following code is from w3schools:
```php
$allowedExts = array("gif", "jpeg", "jpg", "png");
// end() needs a variable, not a function result, so split first and then take the last part
$parts = explode(".", $_FILES["file"]["name"]);
$extension = end($parts);
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))
{
    echo "Upload: " . $_FILES["file"]["name"];
} else {
    echo "Invalid file";
}
```
I think that $_FILES["file"]["type"] in the above code is not necessary; we can just check the file extension with explode() and in_array().
I'm just a PHP beginner; can someone confirm my idea? Thanks!
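The behaviour observed in the question has a simple cause: $_FILES['file']['type'] is copied from the Content-Type header the browser sends in the multipart request body, and browsers pick that value from the file name's extension. Any client can send whatever value it likes, so neither that field nor the extension says anything about what the bytes actually are. The following is an added example (not code from the question or from the w3schools tutorial) showing how a server can validate an image upload from its contents instead. It assumes a form field named "file" and a hypothetical upload directory `/var/uploads` outside the web root; function and variable names are my own.

```php
<?php
// Added example: validate an upload by inspecting the file's contents on the
// server, instead of trusting $_FILES['file']['type'] or the client's file name.

/**
 * Returns the extension to store the file under, or null if the upload is rejected.
 * $upload is one entry of $_FILES (e.g. $_FILES['file']); $maxBytes is the size limit.
 */
function validateImageUpload(array $upload, int $maxBytes = 20000): ?string
{
    // Whitelist: server-detected MIME type => extension we will store the file as.
    $allowed = [
        'image/gif'  => 'gif',
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
    ];

    if (!isset($upload['error']) || $upload['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only accept a path that PHP itself created for this request's upload.
    if (!is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    // Measure the stored temporary file; $upload['size'] is also fine, but this
    // does not depend on anything the client reported.
    if (filesize($upload['tmp_name']) > $maxBytes) {
        return null;
    }

    // Detect the type from the file's leading bytes (magic numbers), not from
    // the name or the client-supplied Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($upload['tmp_name']);
    if (!isset($allowed[$detected])) {
        return null;
    }

    // Independent second check: the image library must parse it as the same type.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || $info['mime'] !== $detected) {
        return null;
    }

    // Defence in depth: the client-supplied extension must agree with what was detected.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    $extMatches = ($ext === $allowed[$detected])
        || ($detected === 'image/jpeg' && $ext === 'jpeg');
    if (!$extMatches) {
        return null;
    }

    return $allowed[$detected];
}

// Usage: the upload directory is a hypothetical path outside the web root.
$uploadDir = '/var/uploads';
if (isset($_FILES['file'])) {
    $ext = validateImageUpload($_FILES['file']);
    if ($ext === null) {
        http_response_code(400);
        echo 'Invalid file';
    } else {
        // Store under a server-generated name so the client never chooses
        // the path, the name or the extension of what ends up on disk.
        $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
            echo 'Stored';
        } else {
            http_response_code(500);
            echo 'Could not store file';
        }
    }
}
```

With this check, renaming uninstall.exe to uninstall.png no longer helps: finfo reports the executable's real type, getimagesize fails to parse it, and the upload is rejected before anything is written under a name the client controls. The extension check at the end is kept only as an extra consistency test; on its own, as the question suspects, it proves nothing about the file's contents.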