Check whether it is an image with Curl

Viewed 244 times

2

Is there any way through the Curl request to know if it’s an image or not?

$ch = curl_init($image_url);
$name = generateRandomString();
$fp = fopen($caminho.'/'.$name.'.png', 'wb');
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
fclose($fp);
  • I know what the URL is, but my problem is the ones that don't end in png, jpg...

  • 2

    For example this is an image and the url has nothing indicating this http://lh3.googleusercontent.com/pMWnZMwH1c6exwP71cqLZ0BYtMSUwIaS-7wwEg9SYLvtRj5PFUlYhXtUvT7goUqeo2UBI29XeU-fFddJmcB1DNe1=s240

  • It’s true, you’re right

2 answers

4

You can use the function curl_getinfo, which will return the content type; from there you can validate the image types you need:

 $contentType = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
 if($contentType == 'image/png') {
     echo 'Formato válido';
 }
  • 1

    Remember that this can be faked by the "client" (by the Curl target): it is possible to have a body with any content, which is not an image, and with the header Content-Type: image/png.

  • Yes, there is still that possibility. But if it is not a reliable source, it will need to perform other treatments.

  • I needed to detect the MIME type on Android (solution to this issue on Android here). There, it has ContentResolver.getType, which might discover the MIME type by reading the magic numbers, which would make it safe against counterfeiting. Is there nothing that does this in PHP?

  • 1

    There is, @Jeffersonquesado. Possibly this method works similarly to exif_imagetype. I even mentioned that function in the answer to the question What is the safest way to identify that the upload file is an image?

  • 1

    curl_getinfo($ch, CURLINFO_CONTENT_TYPE); does not check the content, only checks the header content-type.

  • @Guillhermenascimento, the Content-type is made just for this: describe the type of content. Is it possible to tamper with it? Yes. But if the source from which he is making the request is unreliable, then he will need a number of safety treatments for his application.

  • 1

    Content-Type can easily be wrong, not out of malice, but by some mistake; for example, the image is generated dynamically, but the script failed and the image MIME type was still sent.


4


One way is to use finfo_buffer, for example:

if(finfo_buffer(finfo_open(FILEINFO_MIME_TYPE), $conteudo) === 'image/jpeg'){
    // $conteudo is an 'image/jpeg'
}

I don’t know how secure this is. However, the use of this library is recommended in the PHP documentation itself, here:

Do not use getimagesize() to check that a given file is a valid image. Use a purpose-built solution such as the Fileinfo extension instead.


In tests, this works as follows:

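$ch = curl_init($image_url);
// Return the body as a string instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Verify the TLS certificate and that it matches the host name
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
// Only follow HTTP and HTTPS URLs
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
$conteudo = curl_exec($ch);
curl_close($ch);

// curl_exec() returns false on failure, so only inspect a real body
if($conteudo !== false && finfo_buffer(finfo_open(FILEINFO_MIME_TYPE), $conteudo) === 'image/jpeg'){
    // Random file name: nothing taken from the URL reaches the file system
    file_put_contents(
        unpack('H*', random_bytes(32))[1].'.jpg',
        $conteudo
    );
}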
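
The two answers and their comments can be combined. The following is an added example, not code from either answer: it detects the type from the body bytes with Fileinfo, accepts only an allowlist of image types, picks the file extension from the detected type rather than from the URL, and flags a Content-Type header that disagrees with the bytes. The names classifyImage and ALLOWED_IMAGE_TYPES are hypothetical, and the sample bodies are constructed, not real downloads.

```php
<?php
// Added example: ALLOWED_IMAGE_TYPES and classifyImage are hypothetical names.

// Detected MIME type => extension to store under. Anything else is rejected.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Decide from the body bytes, not the URL or the header, whether to keep a download.
 * $declaredType is what curl_getinfo($ch, CURLINFO_CONTENT_TYPE) returned (may be null).
 */
function classifyImage(string $body, ?string $declaredType): array
{
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->buffer($body) ?: 'unknown';

    // Strip parameters such as "; charset=UTF-8" before comparing.
    $declared = strtolower(trim(explode(';', (string) $declaredType)[0]));

    return [
        'detected'  => $detected,
        'declared'  => $declared,
        'accepted'  => array_key_exists($detected, ALLOWED_IMAGE_TYPES),
        'extension' => ALLOWED_IMAGE_TYPES[$detected] ?? null,
        // A mismatch is worth logging: a mislabelled or failed response.
        'mismatch'  => $declared !== '' && $declared !== $detected,
    ];
}

// Constructed sample bodies: a PNG signature with an IHDR chunk, and an HTML error page.
$png  = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
$html = "<!DOCTYPE html><html><body>500 Internal Server Error</body></html>";

$samples = [
    'PNG, honest header'     => [$png,  'image/png'],
    'HTML error sent as PNG' => [$html, 'image/png'],
    'PNG, wrong header'      => [$png,  'text/html; charset=UTF-8'],
];

foreach ($samples as $label => [$body, $declared]) {
    $r = classifyImage($body, $declared);
    printf("%-24s detected=%-10s accepted=%-5s mismatch=%s\n", $label, $r['detected'],
        var_export($r['accepted'], true), var_export($r['mismatch'], true));
}
```

Fileinfo only inspects the leading bytes, so a passing result says the data starts like an image, not that the whole file decodes cleanly.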
