# Solved: Identify extension of uploaded file using PHP



## DrP (Jul 23, 2005)

Me again!
Judging by the poor results on Google, this will not be as simple as I first thought...

I'm after some way of identifying the file extension of an uploaded file. At the moment I have this:

```
if (move_uploaded_file($_FILES['image_filename']['tmp_name'], $image_name)) {
    list($width, $height, $type, $attr) = getimagesize($image_name);
    if ($type > 3) { // if > 3 then not .jpg, .gif or .png
        // delete it again or something
    }
}
```

Which works fine as long as the file is an image. However, if it isn't an image it slips through because it doesn't have a numerical value. I'd prefer to say something like if the file doesn't have the extension ".gif", ".jpg" or ".png" then delete it, rather than use the numerical identifiers.
I thought the filetype() function might be the answer but it looks like it doesn't give you the extension, according to http://www.w3schools.com/php/func_filesystem_filetype.asp
Please, anyone...


----------



## PJK (Jun 13, 2005)

Use an "else" statement.


----------



## DrP (Jul 23, 2005)

That's what I have at the moment. What I'm after is a function which allows me to identify the file extension. Is there one?


----------



## DrP (Jul 23, 2005)

Cracked it.
```
$extension = strchr($image_tempname, '.');
echo $extension;
```
But this will only work if there are no full stops in the filename I suppose, not that that will be a problem I hope.


----------



## brendandonhu (Jul 8, 2002)

getimagesize() is actually telling you whether the file is an image or not, regardless of the extension. Remember that someone could rename a .exe file to .jpg and upload it if you just use strchr().


----------



## DrP (Jul 23, 2005)

What if the file isn't an image? Won't I have to rely on strchr() then?


----------



## covert215 (Apr 22, 2006)

What type of uploads do you want?

If you want only images, do:

```
if (getimagesize($variable)) {
    // the file is an image
} else {
    // the file is not an image
}
```


----------



## DrP (Jul 23, 2005)

DrP said:


> What if the file isn't an image?


Is there an alternative to using strchr()? For example, would there be a method of identifying a PDF without relying on the extension?


----------



## brendandonhu (Jul 8, 2002)

You could install a PDF library and use something like this to check the file: http://us3.php.net/manual/en/function.pdf-open-pdi.php


----------



## brendandonhu (Jul 8, 2002)

Ok I just wrote a function to check whether a file is a PDF or not.

```
<?php
function is_pdf($filename) {
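  defined('PDF_MAGIC') || define('PDF_MAGIC', "\x25\x50\x44\x46\x2D"); // "%PDF-"; guarded so a second call does not try to redefine it
  return (file_get_contents($filename, false, null, 0, strlen(PDF_MAGIC)) === PDF_MAGIC) ? true : false; // compare the start of the file with PDF_MAGIC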
}
?>
```


----------



## DrP (Jul 23, 2005)

To be honest, I don't understand half of that. I'm assuming the "null" and "0" on line 4 are "stringparam" and "intparam" (I got this from the link you provided), though I don't know what these are for. I can't find anything obvious on Google to explain what parameters go inside the brackets after file_get_contents.
What does the first "false" mean and what does "? true : false" do?
Sorry, but I'm only a beginner! I take it the string put into PDF_MAGIC on line 3 is something which crops up at the beginning of PDF files and line 4 is looking for that. Is that so?


----------



## brendandonhu (Jul 8, 2002)

Right, you don't need to change the function parameters though. You can just stick it in your code then do something like this.
```
if (is_pdf('file.pdf')) {
    echo 'Its a PDF file';
} else {
    echo 'Its not a PDF file';
}
```


----------



## DrP (Jul 23, 2005)

Sorry, that's not what I meant. I can use the code fine. I just wanted to know what all the bits did and understand why it works. I don't like using stuff I don't understand. Are you aware of any sites which are good for explaining the PHP functions? I've found php.net and PhpDig.net good so far but neither explains the parameters for file_get_contents.

I'm not actually sure whether I'll use the code because I'd also need something similar for about 15 different filetypes (eg .doc .xls .notebook .ppt). As I'll be the only user I won't have to worry about an exe being disguised as a jpg etc. However, I do intend to extend the system (I'm building a CMS) to other users in the future, so it will be useful to screen for a .exe hidden with a .xxx extension then - hence, my interest!


----------



## brendandonhu (Jul 8, 2002)

Ok, the PDF_MAGIC constant is a string that appears at the beginning of all PDF files.
In file_get_contents, the first parameter is the filename. The next parameter tells PHP what directory to look for that file in. The next parameter lets you set options for opening the file, which we don't need. The 0 says to start reading the file 0 bytes in (the beginning.) The last parameter tells file_get_contents that we don't need to read the whole PDF file, just read 4 bytes (the length of PDF_MAGIC). The ? : syntax is the ternary operator, basically a shorthand way of writing an if-then statement.


----------
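
One way to extend the magic-bytes check described above to several file types, taking the extension from the last dot so that names with more than one full stop still work. This is an added example, not code from any poster in the thread; `SIGNATURES`, `check_upload()` and the sample files are made up for illustration.

```php
<?php
// Added example, not code from the thread. SIGNATURES and check_upload() are
// hypothetical names; the byte strings are the standard headers of each format.
const OLE2 = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"; // shared by legacy .doc/.xls/.ppt
const SIGNATURES = [
    'pdf'  => ["%PDF-"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
    'gif'  => ["GIF87a", "GIF89a"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'doc'  => [OLE2],
    'xls'  => [OLE2],
    'ppt'  => [OLE2],
];

function check_upload(string $clientName, string $path): string
{
    // pathinfo() returns the text after the LAST dot: "report.v2.pdf" gives "pdf".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, SIGNATURES)) {
        return 'rejected: extension not on the allowlist';
    }
    // Read only the first 8 bytes, the length of the longest signature above.
    $head = file_get_contents($path, false, null, 0, 8);
    if ($head === false) {
        return 'rejected: file could not be read';
    }
    foreach (SIGNATURES[$ext] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return 'accepted';
        }
    }
    return 'rejected: content does not match the extension';
}

// Constructed sample uploads: [name sent by the client, file contents].
$samples = [
    ['report.v2.pdf', "%PDF-1.4\nconstructed body"],
    ['holiday.jpg',   "MZ\x90\x00constructed body"], // executable header, .jpg name
    ['logo.png',      "\x89PNG\r\n\x1A\nconstructed body"],
    ['notes.txt',     "plain text"],
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    printf("%-14s %s\n", $name, check_upload($name, $tmp));
    unlink($tmp);
}
```

In an upload handler the two arguments would be `$_FILES[...]['name']` and `$_FILES[...]['tmp_name']`. A matching header only shows that the file starts with the expected bytes; it does not validate the rest of the file.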



## brendandonhu (Jul 8, 2002)

> I'm not actually sure whether I'll use the code because I'd also need something similar for about 15 different filetypes (eg .doc .xls .notebook .ppt). As I'll be the only user I won't have to worry about an exe being disguised as a jpg etc. However, I do intend to extend the system (I'm building a CMS) to other users in the future, so it will be useful to screen for a .exe hidden with a .xxx extension then - hence, my interest!


You can see how TSG handles this: users can rename an EXE file to .jpg and it will be uploaded. But it won't do anything to anyone's computer unless they were to download it, rename it from jpg back to .exe, and then run it.


----------



## DrP (Jul 23, 2005)

Excellent. Thanks for clarifying that. Much appreciated.


----------



## brendandonhu (Jul 8, 2002)

No problem


----------

