To be able to validate permitted mime types in file uploads It's my job to depend around the fileinfo extension consider that extension or even the miracle database is not always available I regarded while using type index connected with every file around the $_FILES superglobal.

So my real question is, where performs this index originate from? I suspect it either originates from the browser (and when this is the situation it may be forged) or, probably, on the internet server (or PHP) - and when this is actually the situation: could it be just extra time to mime type mapping or perhaps is it the actual factor?

It is the MIME kind of the file provided through the browser through interpretation the extension from the file. So you are right, this is often forged through the client.

This isn't the response to your question but @BoldClock has provided that.

First of all i'd not make use of this to validate your files, it is not 100% reliable, rather I'd scan the apply for its Miracle Number using file functions plus some binary conversions functions.

It might seem complex nevertheless its not necessarily very difficult.

Every file must have some miracle amounts where you can deter the file type by reading through the very first 4 / 8 / 16 bytes of information.

PDF files begin with "%PDF" (hex 25 50 44 46).

You would need to implement other inspections too, for instance: Microsoft 'office' PPT / DOC / XLS all have a similar bytecode which means you would also validate the extension aswell.

Remember safety first.

It's based on the customer if this constructs the Publish request. Files are only able to show up having a multipart/form-data body, which appears like that:

--BoUnDaRy02984
Content-Disposition: form-data; name="textfield1"
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Joe owes =80100.
 --BoUnDaRy02984
Content-Disposition: form-data; name="file2"; filename="C:\tmp\file.doc"
Content-Type: application/ms-word
Content-Transfer-Encoding: base64
Content-Length: 32

VGhpcyB3b3VsZCBiZSB0aGUgdGV4dAo=
 --BoUnDaRy02984

PHP doesn't interpret all possible versions of multipart/, however it picks up file uploads by the existence of a filename= attribute and uses the Content-Type: area verbatim for $_FILES[*][type].