PHP: What is the origin of the 'type' index in $_FILES?

In order to validate allowed mime types in file uploads I usually rely on the fileinfo extension but since that extension or the magic dat开发者_运维百科abase isn't always available I though of using the type index associated with each file on the $_FILES superglobal.

So my question is, where does this index come from? I suspect it either comes from the browser (and if that's the case it can be forged) or, most likely, from the web server (or PHP) - and if this is the case: is it just an extension to mime type mapping or is it the real thing?

It's the MIME type of the file supplied by the browser through interpreting the extension of the file. So you're right, this can be forged by the client.

This is not the answer to your question but @BoldClock has already supplied that.

Firstly i would not use this to validate your files, its not 100% reliable, instead I would scan the file for its Magic Number using file functions and some binary conversions functions.

It may sound complex but its not really that hard.

Every file should have a set of magic numbers that allow you to deter the file type by reading the first 4 / 8 / 16 bytes of data.

PDF files start with "%PDF" (hex 25 50 44 46).

You would have to implement other checks as well, for example: Microsoft Office PPT / DOC / XLS all have the same bytecode so you would also validate the extension aswell.

Remember safety first.

It's defined by the client when it constructs the POST request. Files can only be present with a multipart/form-data body, which looks like that:

--BoUnDaRy02984
Content-Disposition: form-data; name="textfield1"
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Joe owes =80100.
 --BoUnDaRy02984
Content-Disposition: form-data; name="file2"; filename="C:\tmp\file.doc"
Content-Type: application/ms-word
Content-Transfer-Encoding: base64
Content-Length: 32

VGhpcyB3b3VsZCBiZSB0aGUgdGV4dAo=
 --BoUnDaRy02984

PHP does not interpret all possible variations of multipart/, but it detects file uploads by the presence of a filename= attribute and uses the Content-Type: field verbatim for $_FILES[*][type].