How to Validate Post Meta type/extension (Video File Image File etc)

I am trying to learn meta’s in WordPress by taking an example of the already existing meta →

function cpmb_display_meta_box( $post ) {

// Define the nonce for security purposes
wp_nonce_field( plugin_basename( __FILE__ ), 'cpmb-nonce-field' );

// Start the HTML string so that all other strings can be concatenated
$html = '';

// If the current post has an invalid file type associated with it,
// then display an error message.
if ( 'invalid-file-type' == get_post_meta( $post->ID, 'mp3', true ) ) {

    $html .= '<div id="invalid-file-type" class="error">';
        $html .= '<p>You are trying to upload a file other than an MP3.</p>';
    $html .= '</div>';

}

// Display the 'Title of MP3' label and its text input element
$html .= '<label id="mp3-title" for="mp3-title">';
    $html .= 'Title Of MP3';
$html .= '</label>';
$html .= '<input type="text" id="mp3-title" name="mp3-title" value="' . get_post_meta( $post->ID, 'mp3-title', true ) . '" placeholder="Your Song By Elton John" />';

// Display the 'MP3 File' label and its file input element
$html .= '<label id="mp3-file" for="mp3-file">';
    $html .= 'MP3 File';
$html .= '</label>';
$html .= '<input type="file" id="mp3-file" name="mp3-file" value="" />';

    echo $html;

}

The above function is the function to render the markup in the backend?

My question is related to this line →

if ( 'invalid-file-type' == get_post_meta( $post->ID, 'mp3', true ) ) {

It looks like to be validating whether the file is mp3 or not?

The Main Question → what if we want to validate whether this is Video file? Video files can be of multiple types and can come from many sources such Vimeo, Youtube, facebook etc.

Additionally,

I request the reader of this post to guide me to some specific meta where oembed has been used successfully.

Solutions Collecting From Web of "How to Validate Post Meta type/extension (Video File Image File etc)"

Post’s metadata can not and should not be used for validation. They can be easily manipulated. Post metadata simply stores “editable” strings or arrays, nothing more than that.

The code you have copied is trying to fetch a metadata and check if its value is mp3. You can change a value of exe to mp3, and it will assume that the file is mp3. So, security issue here.

To validate a file truly, you have to pass the files path or URL to a real validator.

For example, WordPress offers this function to validate an image:

file_is_valid_image( $path );

Which returns true is the file in the pass is a real image. There are function to retrieve the file’s real extension (since it can easily be manipulated, change .exe to .jpg), which you can find them by a simple search.

The above function is the function to render the markup in the backend?

Correct.

It looks like to be validating whether the file is mp3 or not?

No. It’s just checking if the value of the meta has been set to literally the text ‘invalid-file-type’. Whatever you got this from would be doing the validation in the save action, and if the filetype is invalid it sets the value of the meta to 'invalid-file-type'.