phpQuestioner Posted August 24, 2007

Is there a way to validate the content-type that is being sent to a PHP script? I have an example of what I am wanting to do; even though, I know it is not right - maybe you can see what I am trying to do.

```php
<?php
$normal = header("Content-Type");
$acceptableheader="image/jpeg";
if ($normal != $acceptableheader) {
    // create alternate image
    exit;
}
?>
```

dbo Posted August 24, 2007

The problem is that mime/types can be spoofed. According to the manual the input from the $FILES array should not be trusted. You can validate that an extension matches a list of allowable extensions but I'm not sure what the best practice is when trying to display it back to the screen via a browser.

Azu Posted August 24, 2007

> Is there a way to validate the content-type that is being sent to a PHP script? I have an example of what I am wanting to do; even though, I know it is not right - maybe you can see what I am trying to do.
>
> ```php
> <?php
> $normal = header("Content-Type");
> $acceptableheader="image/jpeg";
> if ($normal != $acceptableheader) {
>     // create alternate image
>     exit;
> }
> ?>
> ```

Checking the headers the client sends and the extension the client sends is useless; anyone can send false ones, unless they are completely retarded and can't even type a question into Google.

You need to find a way to actually validate the data itself and make sure it's what you are looking for.

For example usually a PNG file will begin with "‰PNG" at the start.

Just open stuff up in a text editor and find things that are always the same for that type of file, e.g. signatures.

Then just have PHP check for these signatures and make sure they are in the right places.

Be careful though, and make sure that they can never overlap another file type.

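The signature check described in the post above, as an added example that is not part of the original thread: it reads the leading bytes of a file and compares them with the published magic numbers for PNG, JPEG and GIF. The helper name `detect_image_type()` and the constructed sample files are assumptions for illustration.

```php
<?php
// Added example, not code from the thread.
// Published magic numbers; each must appear at offset 0 of the file.
const IMAGE_SIGNATURES = [
    'image/png'  => ["\x89PNG\r\n\x1a\n"],
    'image/jpeg' => ["\xFF\xD8\xFF"],
    'image/gif'  => ['GIF87a', 'GIF89a'],
];

// Hypothetical helper: returns the MIME type implied by the file's
// leading bytes, or null when no known signature matches.
function detect_image_type(string $path): ?string
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 8);   // the longest signature above is 8 bytes
    fclose($fh);
    if ($head === false) {
        return null;
    }
    foreach (IMAGE_SIGNATURES as $mime => $signatures) {
        foreach ($signatures as $sig) {
            // Compare only at the start of the file, never "somewhere inside".
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                return $mime;
            }
        }
    }
    return null;
}

// Constructed samples: a file with a PNG header, and plain text that
// could just as easily have been saved under a .jpg name.
$png  = tempnam(sys_get_temp_dir(), 'sig');
$text = tempnam(sys_get_temp_dir(), 'sig');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
file_put_contents($text, 'this is plain text, not an image');

var_dump(detect_image_type($png));
var_dump(detect_image_type($text));

unlink($png);
unlink($text);
```

A matching signature only shows how the file starts; it does not prove the rest decodes as an image, so pair it with a real decode when the file will be processed further.
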
phpQuestioner Posted August 24, 2007

The thing is, this is not for security reasons; this is to display an alt thumbnail when I do not have an image present. I have a "image does not exist" thumbnail, but it is a GIF and I know I could easily convert the GIF to JPEG; but the GIF just looks better.

I tried this script that I just made; but it did not validate it right. It did not display the alternate PNG thumbnail. So I am trying to create an alternate PNG file for thumbnails that do not display. The thumbnails have been created by querying my GD Library Script, so that the script will resize the original JPEG size of 640X480.

```php
<?php
$aict = header("Content-type: image/jpeg");
if ($aict != image/jpeg) {
    $img_handle = ImageCreate (75, 75) or die ("Cannot Create image");
    $back_color = ImageColorAllocate ($img_handle, 0, 0, 0);
    $txt_color = ImageColorAllocate ($img_handle, 255, 255, 0);
    ImageString ($img_handle, 31, 14, 20, "No", $txt_color);
    ImageString ($img_handle, 31, 10, 40, "Image", $txt_color);
    header("Content-type: image/png");
    imagepng($img_handle);
    // do not allow GD Library Script To Be Queried In Order To Display Thumbnail Image, Because This Is Not A JPEG Image
    exit;
}
?>
```

dbo Posted August 24, 2007

I found this (untested), but it looks fairly promising.

http://lists.evolt.org/archive/Week-of-Mon-20070326/189060.html

dbo Posted August 24, 2007

A little further investigation reveals that http://www.php.net/mime_content_type might be a better solution.

phpQuestioner Posted August 24, 2007

ok - tried this:

```php
<?php
$acceptable = mime_content_type('php.jpeg');
if (($acceptable != image/jpeg) {
    $img_handle = ImageCreate (75, 75) or die ("Cannot Create image");
    $back_color = ImageColorAllocate ($img_handle, 0, 0, 0);
    $txt_color = ImageColorAllocate ($img_handle, 255, 255, 0);
    ImageString ($img_handle, 31, 14, 20, "No", $txt_color);
    ImageString ($img_handle, 31, 10, 40, "Image", $txt_color);
    header("Content-type: image/png");
    imagepng($img_handle);
    exit;
}
?>
```

but no image to display at all, not even ones that are really there

Before the code above I tried this code, because thumbnail images are being made with query string variable "$filename".

```php
<?php
$acceptable = $filename['extension'];
if (($acceptable != JPG) || ($acceptable != jpg)) {
    $img_handle = ImageCreate (75, 75) or die ("Cannot Create image");
    $back_color = ImageColorAllocate ($img_handle, 0, 0, 0);
    $txt_color = ImageColorAllocate ($img_handle, 255, 255, 0);
    ImageString ($img_handle, 31, 14, 20, "No", $txt_color);
    ImageString ($img_handle, 31, 10, 40, "Image", $txt_color);
    header("Content-type: image/png");
    imagepng($img_handle);
    exit;
?>
}
```

but still no images at all........

trq Posted August 24, 2007

If you're looking to test for a valid image, use getimagesize(). It will return false if the file is not a valid image.

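One way to apply the getimagesize() suggestion to the thumbnail script discussed in this thread, as an added example that is not code from any poster: the file on disk is checked by content, and the "No Image" tile is sent when it is missing or is not a JPEG. The helper names, the `img/` directory and the use of `basename()` on the query-string value are assumptions for illustration.

```php
<?php
// Added example, not code from the thread.
function is_valid_jpeg(string $path): bool
{
    if (!is_file($path) || !is_readable($path)) {
        return false;
    }
    // getimagesize() inspects the file contents and returns false when
    // they are not a recognised image; index 2 holds an IMAGETYPE_* value.
    $info = @getimagesize($path);
    return $info !== false && $info[2] === IMAGETYPE_JPEG;
}

function send_placeholder(): void
{
    // The 75x75 "No Image" tile the thread builds with GD.
    $img = imagecreate(75, 75);
    imagecolorallocate($img, 0, 0, 0);          // first colour is the background
    $txt = imagecolorallocate($img, 255, 255, 0);
    imagestring($img, 5, 14, 20, 'No', $txt);   // built-in fonts are 1 to 5
    imagestring($img, 5, 10, 40, 'Image', $txt);
    header('Content-Type: image/png');
    imagepng($img);
}

function send_thumbnail(string $path): void
{
    $src = is_valid_jpeg($path) ? @imagecreatefromjpeg($path) : false;
    if ($src === false) {
        send_placeholder();                      // missing, unreadable or not a JPEG
        return;
    }
    $thumb = imagecreatetruecolor(75, 75);
    imagecopyresampled($thumb, $src, 0, 0, 0, 0, 75, 75, imagesx($src), imagesy($src));
    header('Content-Type: image/jpeg');
    imagejpeg($thumb);
}

// The thread takes $filename from the query string. basename() keeps the
// lookup inside one directory; 'img/' is an assumed location.
$filename = basename($_GET['filename'] ?? '');
send_thumbnail('img/' . $filename);
```
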
phpQuestioner Posted August 24, 2007

I probably just am not getting getimagesize() function, but I tried to write this script anyways - but it did not work either.

```php
<?php
$source = imagecreatefromjpeg($filename);
$acceptable = getimagesize("img/jpeg");
if (($source != $acceptable) {
    $img_handle = ImageCreate (75, 75) or die ("Cannot Create image");
    $back_color = ImageColorAllocate ($img_handle, 0, 0, 0);
    $txt_color = ImageColorAllocate ($img_handle, 255, 255, 0);
    ImageString ($img_handle, 31, 14, 20, "No", $txt_color);
    ImageString ($img_handle, 31, 10, 40, "Image", $txt_color);
    header("Content-type: image/png");
    imagepng($img_handle);
    exit;
}
?>
```

I also tried this with mime_content_type

```php
<?php
$source = imagecreatefromjpeg($filename);
$acceptable = mime_content_type('php.jpeg');
if (($source != $acceptable) {
    $img_handle = ImageCreate (75, 75) or die ("Cannot Create image");
    $back_color = ImageColorAllocate ($img_handle, 0, 0, 0);
    $txt_color = ImageColorAllocate ($img_handle, 255, 255, 0);
    ImageString ($img_handle, 31, 14, 20, "No", $txt_color);
    ImageString ($img_handle, 31, 10, 40, "Image", $txt_color);
    header("Content-type: image/png");
    imagepng($img_handle);
    exit;
}
?>
```

Neither of the two of these worked.

phpQuestioner Posted August 24, 2007

Maybe I should just go about doing this with JavaScript, instead of PHP. That might be the easiest work around for this.

dbo Posted August 24, 2007

Doing it in javascript is more useless than validating a raw mime type. All a user has to do is disable javascript and they've bypassed any validation you've done.

phpQuestioner Posted August 24, 2007

I found this on O'Reilly Network: http://www.oreillynet.com/pub/a/javascript/2003/10/21/amazonhacks.html

It might work; but not 100% sure how to incorporate the way I need to. Check Out The "In PHP" section

Azu Posted August 25, 2007

> maybe I should just go about doing this with JavaScript, instead of PHP. That might be the easiest work around for this.

Please excuse me while I scream into my pillow -.-