yii CMultiFileUpload security detect image type , by use other than ‘accept’=>‘jpg|png|gif’, I mean if create script file and named script.jpg and upload it’s will upload what the solution from security perspective .

in the server side still you needs

to check if the uploaded files have

allowed types.

Also, not just the file extensions should be checked but the MIME type extracted by analyzing the part of the file (header aka magic bytes).

I also make sure the uploaded files are not accessible via webserver so they cannot be executed if a user finds a way to upload scripts or other malicious content.

Thank you for your help

I will add my sample code to check if it the correct way .

  • In form

<?php echo $form->errorSummary(array($model,$post_pic)); ?>







                    //'denied'=&gt;'', message that is displayed when a file type is not allowed

                    //'duplicate'=&gt;'', message that is displayed when a file appears twice



I comment the //‘accept’=>‘jpg|png|gif’, to validate from post_picture model

I have two model the post model and pos_picture

  • In post_picture model to validate

array(‘name’, ‘file’, ‘types’=>‘jpg, gif, png’),

that not work I can upload any file with any extension and validate from post_picture model not catch that file not image

And for mime type do yii check or I need to add that action to my code

And thank you for your help again

yii just allow the files with accepted extensions only but you have to check its mime type…