In PHP, finfo is a very practical extension for obtaining meta information about a file, such as its MIME type and encoding. Compared with the traditional mime_content_type() function, finfo provides more accurate and flexible functions. Correct use of finfo can effectively prevent file type disguise and improve file processing security. This article introduces in detail several correct ways to use finfo and common precautions.
The most common use is to obtain the MIME type of a file, such as determining whether an uploaded file is an image or a PDF.
<?php
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mimeType = $finfo->file('/path/to/file.pdf');
echo $mimeType;
In the above code, FILEINFO_MIME_TYPE tells finfo to return a MIME type, such as application/pdf or image/jpeg. This is the standard way to judge file types.
Sometimes the content of the file is not saved on disk but is passed in through a variable, for example when it is uploaded through an API. In that case you can use the buffer() method (finfo_buffer() in the procedural style):
<?php
$finfo = new finfo(FILEINFO_MIME_TYPE);
$data = file_get_contents('https://gitbox.net/sample.png');
// file_get_contents() returns false on failure; do not pass that to buffer()
if ($data === false) {
    die('Failed to read the data.');
}
$mimeType = $finfo->buffer($data);
echo $mimeType;
This method is suitable for processing streaming data or remotely fetched content.
The typical application of finfo in file upload is to verify whether the file content matches the extension, thereby preventing users from uploading malicious script files as pictures.
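<?php
if ($_FILES['upload']['error'] === UPLOAD_ERR_OK) {
    // Detect the type from the file content, not from the client-supplied name
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mimeType = $finfo->file($_FILES['upload']['tmp_name']);
    // Whitelist: detected MIME type => extension used when storing the file
    $allowedTypes = [
        'image/jpeg' => 'jpg',
        'image/png' => 'png',
        'application/pdf' => 'pdf',
    ];
    // file() returns false on failure, which must also be rejected
    if ($mimeType === false || !array_key_exists($mimeType, $allowedTypes)) {
        die('Unsupported file type.');
    }
    $ext = $allowedTypes[$mimeType];
    move_uploaded_file($_FILES['upload']['tmp_name'], "/uploads/file.$ext");
}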
By comparing the MIME type detected by finfo against a preset whitelist, illegal file uploads can be effectively prevented.
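The following is an added example, not code from the original article. It extends the whitelist check so that the client-supplied extension is actually compared with the type finfo detects, and the stored name is generated on the server. The names checkUpload and ALLOWED_TYPES are hypothetical, and the sample file contents are constructed so the script runs from the command line.

```php
<?php
// Added example: whitelist check that also compares the client-supplied
// extension with the type finfo detects from the file content.
const ALLOWED_TYPES = [            // detected MIME type => accepted extensions
    'image/jpeg'      => ['jpg', 'jpeg'],
    'image/png'       => ['png'],
    'application/pdf' => ['pdf'],
];

// Hypothetical helper: returns a server-generated filename, or throws.
function checkUpload(string $tmpPath, string $clientName): string
{
    if (!extension_loaded('fileinfo')) {
        throw new RuntimeException('fileinfo extension not enabled');
    }
    if (!is_file($tmpPath) || !is_readable($tmpPath)) {
        throw new RuntimeException('file missing or unreadable');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('unsupported type: ' . var_export($mime, true));
    }
    // The client-supplied name is untrusted; use it only for this comparison.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_TYPES[$mime], true)) {
        throw new RuntimeException("extension .$ext does not match $mime");
    }
    // Never reuse the client's filename on disk.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime][0];
}

// Constructed sample inputs: client filename => file content.
$samples = [
    'report.pdf' => "%PDF-1.4\n% constructed sample\n",
    'avatar.jpg' => "<?php echo 'constructed sample'; ?>\n",
    'scan.png'   => "%PDF-1.4\n% constructed sample\n",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    try {
        echo "$name: stored as ", checkUpload($tmp, $name), PHP_EOL;
    } catch (RuntimeException $e) {
        echo "$name: rejected (", $e->getMessage(), ')', PHP_EOL;
    } finally {
        unlink($tmp);
    }
}
```

In an upload handler, pass $_FILES['upload']['tmp_name'] and $_FILES['upload']['name'] to the helper and give the returned name to move_uploaded_file().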
File extensions are easily tampered with, so it is not safe to judge file types by relying on the extension alone. The actual content should always be checked using finfo.
Some older PHP environments may not have the fileinfo extension enabled. This can be checked with phpinfo() or extension_loaded('fileinfo').
<?php
if (!extension_loaded('fileinfo')) {
    die('fileinfo extension not enabled');
}
finfo->file() requires that the file exists and is readable; otherwise it may return application/octet-stream or false.
In addition to FILEINFO_MIME_TYPE, you can also use FILEINFO_MIME to obtain more detailed information, such as the encoding:
<?php
$finfo = new finfo(FILEINFO_MIME);
$info = $finfo->file('/path/to/file.txt');
echo $info; // For example text/plain; charset=us-ascii
This approach is especially useful when dealing with multilingual documents or encoding conversions.
Using finfo is one of the safest and most reliable ways to identify file types in PHP. Whether for upload verification, remote data analysis, or system automation tasks, mastering and correctly using finfo can bring higher stability and security to the application. Just make sure to enable the fileinfo extension and combine it with a MIME whitelist check to build a more robust file processing flow.