On Thu, Dec 08, 2005 at 02:41:43PM -0500, Zack Bloom wrote: > mime types are very unreliable and should never be used for file type > authentication (they can also be faked by users). Instead you could try > using the extension of the file or an identifying statement in the file. He isn't using the mime-type, the fileinfo module detects the content type based on a magic file that defines, as you said, a paticular statment in the file and returns the mime-type associated with the magic. Assuming you ment the mime/type sent via a file upload, trying to detect the file type by the extension is just as unreliable. Even identifying contents of the file is not as reliable as one would think; it can also be spoofed. For example with jpeg, there are several tools out there that will take a file, wrap a jpeg image around the file and embed the real contents inside of the file, and if your app just detects the magic contents, it will pass the test. The only way to ensure a file is what it really is to open and resave it with a trusted application. Using the jpeg example you would need to do something like: djpeg $file | cjpeg > testfile.jpg Well, with jpeg, the files will always be differnt but a fuzzy match based on filesize closeness and/or similar bit distribution. > On 12/8/05, Manuel Vacelet <manuel.vacelet@xxxxxxxxx> wrote: > > > > Hi all, > > > > I'm facing a bad behaviour of 'file' command used by fileinfo PECL module > > (recommanded for mime-type checking): > > * Some Microsoft Excel documents are detected as Microsoft Word documents > > * Some HTML files are just text/plain > > * ... > > Curt. -- cat .signature: No such file or directory -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
