I am creating file upload script and I’m looking for the best techniques and practices to validate uploaded files.

Allowed extensions are:

$allowed_extensions = array('gif','jpg','png','swf','doc','docx','pdf','zip','rar','rtf','psd');

Here’s the list of what I’m doing.

1. Checking file extension

   $path_info = pathinfo($filename);
   if( !in_array($path_info['extension'], $allowed_extensions) ) {
       die('File #'.$i.': Incorrent file extension.');
   }
   

2. Checking file mime type

   $allowed_mimes = array('image/jpeg','image/png','image/gif','text/richtext','multipart/x-zip','application/x-shockwave-flash','application/msword','application/pdf','application/x-rar-compressed','image/vnd.adobe.photoshop');
   if( !in_array(finfo_file($finfo, $file), $allowed_mimes) ) {
       die('File #'.$i.': Incorrent mime type.');
   } 
   

3. Checking file size.

What should I do to make sure uploaded files are valid files? I noticed strange thing. I changed .jpg file extension to .zip and… it was uploaded. I thought it will have incorrect MIME type but after that I noticed I’m not checking for a specific type but if a specific MIME type exist in array. I’ll fix it later, that presents no problems for me (of course if you got any good solution/idea, do not hesitate to share it, please).

I know what to do with images (try to resize, rotate, crop, etc.), but have no idea how to validate other extensions.

Now’s time for my questions.

1. Do you know good techniques to validate such files? Maybe I should unpack archives for .zip/.rar files, but what about documents (doc, pdf)?
2. Will rotating, resizing work for .psd files?
3. Basically I thought that .psd file has following mime: application/octet-stream but when

I tried to upload .psd file it showed me (image/vnd.adobe.photoshop). I’m a bit confused about this. Do files always have the same MIME type?

Also, I cannot force code block to work. Does anyone have a guess as to why?