Potential browser quirks at file upload Options

[Christian J]

When uploading a file through a form the serverside script (PHP) can check the alleged mime type of the file (I'm aware this can be faked). Apparently it seems MSIE doesn't agree with other browsers about the correct mime type for JPEG and PNG images, and sends image/pjpeg and image/x-png instead of image/jpeg and image/png. Are there more browser quirks like this to watch out for? I'm mainly interested in GIF, JPEG and PNG files.

[Brian Chandler]

The first google hit seems to cover it:
http://stackoverflow.com/questions/115705/...just-image-jpeg

But what are you going to do with these uploaded files? Are they all supposed to be images? If you want to check, you could try opening them as the alleged format using the GD library... probably it's a good idea to have list of the mime types and file extensions you accept, and you can just put the M$ names in with the standard ones.

[Christian J]

probably it's a good idea to have list of the mime types and file extensions you accept, and you can just put the M$ names in with the standard ones.

That's what I do, but I don't know if MS is the only browser vendor that submits proprietary mime types.

But with exif_imagetype() it seems you can check the image file directly, now I just need to find out how to enable it on my testing server. getimagesize() seems to work already.

[Brian Chandler]

probably it's a good idea to have list of the mime types and file extensions you accept, and you can just put the M$ names in with the standard ones.

That's what I do, but I don't know if MS is the only browser vendor that submits proprietary mime types.

There are three types of behaviour:

(a) Standard - just write to the standard, and this is covered
(b) Nonstandard by ordinary entities - well, you can probably ignore these, because ordinary browsers that fail to meet standards get ignored
(с) Nonstandard by abusive monopolies - it's up to you to decide whether or not to do your bit in propping up the abusive monopoly

Remember that the standard specifies a way to specify non-standard mime type, via the x- prefix. There will always be new and experimental formats, so no exhaustive list will last for ever.

But with exif_imagetype() it seems you can check the image file directly, now I just need to find out how to enable it on my testing server. getimagesize() seems to work already.

There's some discussion about this under the php manual page for exif_imagetype:
http://jp2.php.net/manual/en/function.exif-imagetype.php

It would be a lot easier to make sensible comments if I could understand why you feel you need to know the type of the file being uploaded (for what purpose?) ...

[Edited to put the 'c' back in the list from (a), (b). This brain-dead "filtering" nonsense does not work. Can't we please get rid of it.]

This post has been edited by Brian Chandler: Jun 6 2009, 09:17 AM

[Christian J]

But with exif_imagetype() it seems you can check the image file directly, now I just need to find out how to enable it on my testing server. getimagesize() seems to work already.

There's some discussion about this under the php manual page for exif_imagetype:
http://jp2.php.net/manual/en/function.exif-imagetype.php

If you mean this user comment: http://jp2.php.net/manual/en/function.exif...etype.php#80383 , wouldn't it suffice with just

CODE

if(function_exists('exif_imagetype' ))
{
    $image_type=exif_imagetype($_FILES['file']['tmp_name']);
}
else
{
    $image_type=getimagesize($_FILES['file']['tmp_name']);
    $image_type=$image_type[2];
}

?

It would be a lot easier to make sensible comments if I could understand why you feel you need to know the type of the file being uploaded (for what purpose?) ...

The script might be used in a CMS, so I want to make sure only file types suitable for web page images are allowed.