doujiu8479 2014-04-04 01:15

Correct way to validate file uploads in PHP - including users changing file extensions?

Currently I check all elements of an image in PHP before I allow it to be uploaded. But when it comes to things like file extensions I'm a bit concerned.

I use the following to only allow files of a certain type to be uploaded:

$allowed_ext = array("jpeg", "jpg", "gif", "png");

$tmp_ext = explode(".", $_FILES["file"]["name"]);
$ext = strtolower(end($tmp_ext));

if ((($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/jpg")
    || ($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/png"))
&& in_array($ext, $allowed_ext)) {
    //Continue
} else {
    //Don't allow
}

But does this prevent all forms of users changing file extensions themselves? e.g. If a user changed the file extension of something malicious to .jpeg or .png - would this prevent it?

I can't find any posts clarifying this, so any help is appreciated!

2 answers

  • dongxian8858 2014-04-04 01:20

    Short answer, no, you can't rely on the MIME type. Both the type and the file extension are provided by the client.

    Looks like you can use getimagesize() for verifying an image, credit to this thread: PHP: $_FILES["file"]["type"] is useless

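A content-based check along the lines of the answer above, as an added example that is not part of the original thread: it ignores the client-supplied type and name, inspects the file's bytes with getimagesize() and finfo, and lets the server pick the stored extension. The function name `safe_image_extension`, the `ALLOWED_IMAGES` map and the two sample files are assumptions made for illustration.

```php
<?php
// Added example: decide the type from the uploaded bytes, never from
// $_FILES["file"]["type"] or the extension in $_FILES["file"]["name"].

const ALLOWED_IMAGES = [   // detected image type => extension the server assigns
    IMAGETYPE_JPEG => "jpg",
    IMAGETYPE_GIF  => "gif",
    IMAGETYPE_PNG  => "png",
];

/** Returns the extension to store the file under, or null to reject it. */
function safe_image_extension(string $path): ?string
{
    // getimagesize() parses the image header; false means "not a known image".
    $info = @getimagesize($path);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return null;
    }
    // Cross-check with libmagic's content-based MIME detection.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime !== image_type_to_mime_type($info[2])) {
        return null;
    }
    return ALLOWED_IMAGES[$info[2]] ?? null;
}

// Constructed sample inputs: a real 1x1 GIF, and non-image text standing in
// for a file the client renamed to .jpg and labelled "image/jpeg".
// In an upload handler, pass $_FILES["file"]["tmp_name"] instead, after
// checking $_FILES["file"]["error"] === UPLOAD_ERR_OK.
$gif  = tempnam(sys_get_temp_dir(), "up");
$fake = tempnam(sys_get_temp_dir(), "up");
file_put_contents($gif, base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"));
file_put_contents($fake, "<?php /* constructed non-image content */");

foreach (["gif sample" => $gif, "renamed sample" => $fake] as $label => $tmp) {
    $ext = safe_image_extension($tmp);
    if ($ext === null) {
        echo "$label: rejected\n";
    } else {
        // Server-chosen name and extension; the client's file name is discarded.
        // A real handler would now call move_uploaded_file() with this name.
        echo "$label: accepted as ", bin2hex(random_bytes(16)), ".$ext\n";
    }
    unlink($tmp);
}
```

getimagesize() only reads the header, so a file that passes can still carry extra bytes after the image data; storing it under a server-generated name in a directory where scripts are not executed covers that case.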
