Proper Way To Validate MIME Type Of Files While Handling File Uploads In PHP


12th May 2020 2 mins read


In this article, I will show you a cool tip on how to properly validate file MIME types, even if someone has changed the extension of the file.


I will cover the following in this article

  1. Basic HTML Form
  2. General Old Way Validation (Probably Wrong Way)
  3. The Right Way To Validate MIME Type ( finfo )
  4. Different MIME Extensions Link

Prerequisites


Basic knowledge of PHP. If you don't know how to upload files and handle them, I have written articles on that:


How To Uploads Files In PHP?

How To Upload Image In PHP?


1) Basic HTML Form


This is a very basic HTML form. Make sure you have enctype="multipart/form-data".


<form action="store_product.php" method="post" enctype="multipart/form-data">
    <div>
        <input type="file" name="product_invoice" id="product_invoice">
    </div> <br>
    <div>
        <input type="submit" value="Create Product">
    </div>
</form>

2) General Old Way Validation (Probably Wrong Way)


When you select a file in the above form and submit it, the upload goes to the store_product.php PHP file, which handles the file upload and its validation.


The following snippet demonstrates the file validation:


/** Store the file details in variable */
$product_invoice    = $_FILES['product_invoice'];

/** Uploaded file name */
$file_name          = $product_invoice['name'];
$file_tmp           = $product_invoice['tmp_name'];

/** Using pathinfo() to get the file extension of file */
$pathinfo           = pathinfo($file_name);
$extension          = $pathinfo['extension'];

/** Allowed extensions */
$file_extensions    = ['pdf', 'xls', 'jpeg', 'jpg', 'png', 'svg', 'webp'];

/** Check File extensions */
if(!in_array($extension, $file_extensions)){
    $errors[] = 'File allowed extensions '. implode(', ', $file_extensions);
}


The above is wrong because it validates based only on the file extension: someone may upload a video and just change the extension to jpeg or pdf.

3) The Right Way To Validate MIME Type ( finfo )


To properly validate the file MIME type you need to use the finfo class, which internally uses finfo_open.


Basically, you use it the following way:


/** Using finfo to just get the MIME type */
$finfo      = new finfo(FILEINFO_MIME_TYPE);

/** With FILEINFO_MIME_TYPE, file() returns the detected MIME type (e.g. image/jpeg) */
$extension  = $finfo->file($file_tmp);


The full code for the same is as follows:


/** Store the file details in variable */
$product_invoice    = $_FILES['product_invoice'];

/** Uploaded file name */
$file_name          = $product_invoice['name'];
$file_tmp           = $product_invoice['tmp_name'];

/** Allowed MIME types */
$file_extensions    = ['image/jpeg', 'image/pjpeg', 'application/pdf'];

/** Using finfo to just get the MIME type */
$finfo      = new finfo(FILEINFO_MIME_TYPE);

/** With FILEINFO_MIME_TYPE, file() returns the detected MIME type (e.g. image/jpeg) */
$extension  = $finfo->file($file_tmp);

/** Check the detected MIME type against the allowed list */
if(!in_array($extension, $file_extensions)){
    $errors[] = 'File allowed extensions '. implode(', ', $file_extensions);
}
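
The difference between the two checks, as an added example that is not part of the original article: the extension test from section 2 and the finfo test from section 3 are run over two constructed files, and the extension to store under is taken from the detected MIME type rather than from the client-supplied name. The function name allowedExtensionFor, the ALLOWED_TYPES map and the sample file contents are assumptions made for this illustration.

```php
<?php
/** Added example: the names and the sample data below are assumptions, not the article's code */

/** Allow-list keyed by detected MIME type; the value is the extension we store under */
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

/**
 * Returns the extension to store the file under, or null when the content
 * is not an allowed type. The client-supplied file name is never consulted.
 */
function allowedExtensionFor(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);   // false on failure, e.g. unreadable file

    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        return null;
    }
    return ALLOWED_TYPES[$mime];
}

/** Constructed sample uploads: client file name => file content */
$samples = [
    'invoice.pdf' => "%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n", // starts with a PDF header
    'report.pdf'  => "plain text renamed to look like a PDF\n",   // only the name says PDF
];

foreach ($samples as $clientName => $content) {
    /** Stand-in for $_FILES[...]['tmp_name'] so the script runs without a real upload */
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);

    /** Section 2 check: trusts the name the client sent */
    $byName    = in_array(pathinfo($clientName, PATHINFO_EXTENSION), ALLOWED_TYPES, true);
    /** Section 3 check: looks at the bytes on disk */
    $byContent = allowedExtensionFor($tmp);

    printf("%-12s extension check: %-5s finfo check: %s\n",
        $clientName,
        $byName ? 'pass' : 'fail',
        $byContent === null ? 'rejected' : "accepted as .$byContent");

    unlink($tmp);
}
```

In store_product.php the path to pass to the function is $_FILES['product_invoice']['tmp_name'].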

4) Different MIME Extensions Link


I don't want to reinvent the wheel, so here is the link for the CODEIGNITER FRAMEWORK MIME TYPES


Conclusion


Hope you liked the article. If yes then please do share with your friends.




AUTHOR

Channaveer Hakari

I am a full-stack developer working at WifiDabba India Pvt Ltd. I started this blog so that I can share my knowledge and enhance my skills with constant learning.

Never stop learning. If you stop learning, you stop growing