  1. #1
    SitePoint Wizard, Southern California (joined Feb 2007)

    Error handling/security concerns for image file uploads

    I saw this code for a server to receive an image file upload from a user's smartphone:

    Code:
    <?php
    // Debug output: dumps the upload metadata, including the server-side
    // temporary path, straight into the response.
    print_r($_FILES);
    // Fixed server-side name; nothing here checks what the file actually contains.
    $new_image_name = "namethisimage.jpg";
    move_uploaded_file($_FILES["file"]["tmp_name"], "/srv/www/upload/".$new_image_name);
    ?>
    It was taken from this page: http://zacvineyard.com/blog/2011/03/...-with-phonegap

    Shouldn't it have some code to check that the server isn't receiving a malicious file? Or is that a concern regarding uploading photos from smartphones?

    I found this code to validate the file:

    Code:
    <?php
    // $_FILES[...]['type'] is the Content-Type the client declared for the
    // multipart part; PHP does not verify it against the file contents.
    if (preg_match('/^image\/p?jpeg$/i', $_FILES['upload']['type'])
        or preg_match('/^image\/gif$/i', $_FILES['upload']['type'])
        or preg_match('/^image\/(x-)?png$/i', $_FILES['upload']['type']))
    {
        ...
    } else {
        $error = 'Please submit a JPEG, GIF, or PNG image file.';
        // the path appended to DOCUMENT_ROOT is missing from the snippet as posted
        include $_SERVER['DOCUMENT_ROOT'] ;
        exit();
    }
    ?>
    ... but I don't know how to integrate the two codes.

    Can you help? Thanks!
    Steve Husting

  2. #2
    xMog, SitePoint Zealot (joined Mar 2011)
    Hi Steve!

    It doesn't matter if somebody is using a smartphone, a desktop or a watch to call something (could be a web service, a web page, whatever) through HTTP (and even HTTPS). It's not difficult to sniff HTTP traffic coming from something you own. So, you're uploading a picture from a smartphone to a web service? It's easy to find the "URL" of the Web service and write a small app on a desktop that uploads anything to that web service.

    So yes, you should validate that it's really an image. But the code you pasted seems a little simple compared to the example I found. Here's what I looked for in Google: "secure image upload php"

    Here's what came up:
    http://stackoverflow.com/questions/1...-upload-in-php
    http://stackoverflow.com/questions/4...ity-check-list
    http://indrek.it/bulletproof-image-u...or-developers/
    http://security.stackexchange.com/qu...ge-upload-form
    http://nullcandy.com/php-image-uploa...-not-to-do-it/

    Personally, I never had to validate images uploaded on the Internet (only "closed" applications, so the security was less of an issue).
    So, I think you have a little bit of reading to do.
    (Or if you're lucky, somebody else in the forum already did that and he will give you his advice.)

    Good luck! Tell me what you came up with!

  3. #3
    felgall, Sydney, NSW, Australia (joined Sep 2005)
    http://www.sitepoint.com/file-uploads-with-php/

    which includes the following to validate that the file contains an image

    PHP Code:
    // verify the file is a GIF, JPEG, or PNG
    // exif_imagetype() reads the first bytes of the temp file, so the result
    // does not depend on the client-supplied name or Content-Type
    $fileType = exif_imagetype($_FILES["myFile"]["tmp_name"]);
    $allowed = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
    if (!in_array($fileType, $allowed)) {
        // file type is not permitted
        ...
    }
    Stephen J Chapman


  4. #4
    SpacePhoenix, Poole, UK (joined May 2007)
    One possible way (though I've never tested it) would be to use the GD library to create an image from either a GIF, JPEG or PNG file, using the appropriate function. If the function reports a failure, assume the file to be dodgy and delete it.
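    Added example (not code from this thread, from the PhoneGap blog post, or from the SitePoint article linked in #3): one way to put the pieces from #3 and #4 together into a single upload handler that replaces the move_uploaded_file() snippet in #1. It ignores $_FILES['file']['type'], sniffs the magic bytes with exif_imagetype(), forces GD to decode the file, and re-encodes the decoded pixels under a server-chosen name instead of moving the client's bytes. Assumptions: PHP 8.0 or later with the exif and gd extensions loaded, the form field is named "file" as in #1, and /srv/www/upload is a directory the web server either does not serve or serves with PHP execution disabled.

```php
<?php
// Added example for the thread above: hardened replacement for the
// move_uploaded_file() handler in post #1. Requires PHP >= 8.0 (match),
// ext/exif and ext/gd. UPLOAD_DIR and MAX_BYTES are assumptions for this example.
declare(strict_types=1);

const UPLOAD_DIR = '/srv/www/upload';   // assumption: not executable by the web server
const MAX_BYTES  = 5 * 1024 * 1024;     // 5 MiB cap, chosen for this example

/**
 * Validate one entry of $_FILES and store it as a freshly encoded image.
 * Returns the absolute path of the stored file; throws RuntimeException
 * with a user-safe message on any failure.
 */
function storeUploadedImage(array $file): string
{
    // 1. PHP's own status for this field, not anything the client declared.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (code ' . (int)($file['error'] ?? -1) . ').');
    }
    $tmp = $file['tmp_name'];

    // 2. Make sure the path really is this request's temp file.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }

    // 3. Sniff the magic bytes. $file['type'] (the client's Content-Type)
    //    is deliberately never consulted.
    $type    = exif_imagetype($tmp);
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if ($type === false || !isset($allowed[$type])) {
        throw new RuntimeException('Please submit a JPEG, GIF, or PNG image file.');
    }
    $ext = $allowed[$type];

    // 4. Decode with GD (the check suggested in post #4). A file that only
    //    carries a valid header followed by junk or a script fails here.
    $img = match ($type) {
        IMAGETYPE_GIF  => @imagecreatefromgif($tmp),
        IMAGETYPE_JPEG => @imagecreatefromjpeg($tmp),
        IMAGETYPE_PNG  => @imagecreatefrompng($tmp),
    };
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded.');
    }

    // 5. Server-chosen name and extension; the client's filename never
    //    touches the filesystem path.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // 6. Re-encode instead of moving: drops EXIF, trailing bytes and anything
    //    appended after the image data. Side effects: GIF animation is lost,
    //    JPEG is recompressed.
    if ($type === IMAGETYPE_PNG) {
        imagesavealpha($img, true);   // keep the alpha channel when writing PNG
    }
    $ok = match ($type) {
        IMAGETYPE_GIF  => imagegif($img, $dest),
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 90),
        IMAGETYPE_PNG  => imagepng($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not save image.');
    }
    chmod($dest, 0644);
    return $dest;
}

// Request handling: field name "file" as in post #1.
try {
    $saved = storeUploadedImage($_FILES['file'] ?? []);
    echo 'Stored as ' . htmlspecialchars(basename($saved), ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

    To see why step 3 matters rather than the regex in #1, send the request yourself with any HTTP client and set the part's Content-Type to image/png while the body is a PHP file: the preg_match() version accepts it, the exif_imagetype() version rejects it. The re-encode in step 6 is what defends against a file that is a genuine image with a PHP payload appended after the image data, which both the MIME check and exif_imagetype() would pass; it costs you animated GIFs and some JPEG quality, so drop it only if you also guarantee the upload directory can never execute scripts.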

  5. #5
    SitePoint Wizard, Southern California (joined Feb 2007)
    Thank you for all the help. I'll cobble together the code and test!
    Steve Husting

