How do you validate the data on the server side?

[douglas-legulas]

For example, I'm sending the output of signaturePad.toDataURL() to the server via POST, which decodes to a PNG image that is stored on the filesystem. How do we make sure no one can submit a different type of file?

# Example from signature_pad README:
$data_uri = "data:image/png;base64,iVBORw0K...";
$encoded_image = explode(",", $data_uri)[1];
$decoded_image = base64_decode($encoded_image);
file_put_contents("signature.png", $decoded_image);

Right now my idea is to test if the decoded string is really a valid PNG image. PHP has the gd module for that. imagecreatefrompng is what I would try. There is also Fileinfo and the function finfo_buffer. Any thoughts on this?

[UziTech]

This is a question you should ask on stackoverflow.com