
Why does the TinyMCE server-side handler example in PHP include a file extension check if you can't select a non-image anyway?


Interesting.

I wanted to add logic to catch the upload of non-images. In the PHP example in the docs, they had this:

// Verify extension
if (!in_array(strtolower(pathinfo($temp['name'], PATHINFO_EXTENSION)), array("gif", "jpg", "png"))) {
  header("HTTP/1.1 400 Invalid extension.");
  return;
}

So I added something like that to my server's backside server-side JavaScript.

But it turned out not to be necessary. The image upload dialogs (either browse or drag-and-drop) somehow don't let you select anything but images.

If that's so, why does the example add that to the handler?


Solution

  • There are a couple of reasons but I'll stick to the main 2:

    1. You may not want to accept all image types, perhaps you don't want users to upload .gif files because it will be ugly to see gif images in content, or perhaps your server doesn't support this type of image.
    2. Using terminal commands like curl or GUI applications like Postman, you can skip the normal browser upload workflow and upload whatever you like to the server. This is highly dangerous, as users could upload anything if you don't perform some sort of validation; they could upload a .php file, for example, and cause all sorts of havoc.