Posted by John Dunlop on 08/23/05 22:57

Somebody wrote:

> $_FILES['userfile']['type'] - I heard this is not safe

At bottom, it's user-input. By HTML4.01 browsers SHOULD (that
word wearing its RFC2119 hat) supply 'the appropriate content
type'; in other words there's no formal requirement that a
Content-Type always accompany a file upload request. If set,
however, $_FILES['foo']['type'] is the value of the Content-
Type header the browser sent as part of its form submission,
modulo any interference along the wire. There is the risk as
well of the value being set but, maliciously or otherwise,
being inappropriate.

> $imginfo = getimagesize($filename); - I heard this is safer

$_FILES['foo']['type'] is a form (no pun intended!) of user-
input, so almost anything goes; getimagesize() ['mime'], on
the other hand, specifies only one of a limited set of values.
Neither are in themselves unsafe.

--
Jock

[Back to original message]