Post metadata cannot and should not be used for validation. It can be easily manipulated. Post metadata simply stores “editable” strings or arrays, nothing more than that.
The code you have copied is trying to fetch a metadata value and check if it is mp3. You can change a value of exe to mp3, and it will assume that the file is mp3. So, there is a security issue here.
To truly validate a file, you have to pass the file’s path or URL to a real validator.
For example, WordPress offers this function to validate an image:
file_is_valid_image( $path );
Which returns true if the file at the given path is a real image. There are functions to retrieve the file’s real extension (since it can easily be manipulated, e.g. by changing .exe to .jpg), which you can find with a simple search.
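The same idea applied to the mp3 case from the question, as an added example that is not part of the original answer: the decision is made from the file's bytes instead of a stored metadata string. The `example_*` function names are hypothetical; `get_attached_file()` and `wp_check_filetype_and_ext()` are WordPress core functions, and `finfo` requires PHP's fileinfo extension.

```php
<?php
// Added example: validate an attachment as MP3 from its content, not from post meta.
// All example_* names are hypothetical helpers, not WordPress APIs.

// Detect the MIME type from the file's bytes; null if the file cannot be read.
function example_detect_mime( string $path ): ?string {
    if ( ! is_file( $path ) || ! is_readable( $path ) ) {
        return null;
    }
    $finfo = new finfo( FILEINFO_MIME_TYPE );
    $mime  = $finfo->file( $path );
    return false === $mime ? null : $mime;
}

// Fail closed: anything not positively identified as MPEG audio is rejected.
function example_is_real_mp3( string $path ): bool {
    return 'audio/mpeg' === example_detect_mime( $path );
}

// WordPress wrapper: resolve the attachment's path on disk, then require both
// an allowed extension and matching content.
function example_attachment_is_mp3( int $attachment_id ): bool {
    $path = get_attached_file( $attachment_id );
    if ( ! $path ) {
        return false;
    }
    $check = wp_check_filetype_and_ext(
        $path,
        basename( $path ),
        array( 'mp3' => 'audio/mpeg' ) // allow-list: only this extension/type pair
    );
    return 'mp3' === $check['ext'] && example_is_real_mp3( $path );
}

// Stand-alone demonstration outside WordPress (constructed sample data):
// a file named song.mp3 whose bytes start with an executable header.
if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    $dir  = sys_get_temp_dir() . '/example_' . uniqid();
    mkdir( $dir );
    $fake = $dir . '/song.mp3';
    file_put_contents( $fake, "MZ" . str_repeat( "\0", 62 ) ); // not audio data
    // A metadata or extension check would accept this file; the content check does not.
    var_dump( example_is_real_mp3( $fake ) ); // bool(false)
    unlink( $fake );
    rmdir( $dir );
}
```

Because the check fails closed, a genuine MP3 that the fileinfo database cannot identify is also rejected, which is the safer default for an upload gate.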