I'm building a PHP file uploader and I have some issues with security. For example, I don't want to allow ".php" file uploads. As far as I know, the only way to check the file type is with $_FILES['file']['type'], and its value is browser dependent.
I checked with multiple browsers and found that when selecting a regular .php file, different browsers return these values:
Firefox: application/x-download
Chrome: text/plain
Safari: text/plain
IE: text/plain
Opera: application/octet-stream
I've also tried the same experiment with regular .txt files, and all browsers return text/plain as the MIME type.
So here's the problem: if I want to allow .txt file uploads, what should I do to prevent .php file uploads?
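
An added example, not part of the original post: one way to make the decision on the server instead of trusting the browser-supplied $_FILES['file']['type']. The function name safe_upload_name, the ALLOWED policy and the uploads directory are hypothetical, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example. $_FILES[...]['type'] comes from the browser and is never read here.

// Assumed policy: permitted extension => content type expected from server-side sniffing.
const ALLOWED = ['txt' => 'text/plain'];

/**
 * Returns a generated name to store the upload under, or null to reject it.
 * $clientName is $_FILES['file']['name'], $tmpPath is $_FILES['file']['tmp_name'].
 */
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    // Allowlist on the final extension; anything not listed (php, phtml, ...) is refused.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // Sniff the stored bytes. This is a second check only: content detection can be
    // fooled, and an empty file is not reported as text/plain, so it is rejected too.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Discard the client's file name; keep only the allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

if (PHP_SAPI === 'cli') {
    // Constructed samples [client name, content], so the check can be tried offline.
    $samples = [['notes.txt', "hello\n"], ['page.php', "<?php echo 1;\n"], ['page.txt', "<?php echo 1;\n"]];
    foreach ($samples as [$name, $body]) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $body);
        echo $name, ' => ', safe_upload_name($name, $tmp) ?? 'rejected', "\n";
        unlink($tmp);
    }
} elseif (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $stored = safe_upload_name($_FILES['file']['name'], $_FILES['file']['tmp_name']);
    $dir = __DIR__ . '/../uploads'; // hypothetical directory outside the web root
    if ($stored === null || !move_uploaded_file($_FILES['file']['tmp_name'], "$dir/$stored")) {
        http_response_code(400);
        exit('Upload rejected');
    }
}
```

The extension allowlist and the generated name are what keep the stored file from being treated as PHP; the content check only narrows what gets through.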