SitePoint Sponsor

User Tag List

Results 1 to 6 of 6
  1. #1
    SitePoint Guru
    Join Date
    Feb 2004
    Location
    Oregon
    Posts
    686
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    image upload security

    I was curious about some things. now is it more secure to upload a image to the db or let it go to the directory and keep the file name in the db? now I am not going to upload private photos that nobody can see, I am more curious as to peopel uploading fake images and such. instead of uplaoding a image they uplaod a php script that when ran will get variables and such.

    now I know you can check for mime type and the extension. but what if a user uploades a php file but with a jpg extension? now without checking for a mime type is it safer to upload them to the db instead? or does it even matter?

    also, is it possible fake a mime type in anyway? I know you can make a image run as a php file as long as the server is setup to do this, but what about a normal image? or what about a normal php file uploaded as a image?
    success is not by chance, it is by choice.

  2. #2
    reads the ********* Crier silver trophybronze trophy longneck's Avatar
    Join Date
    Feb 2004
    Location
    Tampa, FL (US)
    Posts
    9,854
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    unless you have some strange configuration on your web server, the PHP processor only gets to process a file when it has a PHP extension. a JPG file will never go though the PHP processor. the only problem you might run in to is a user uplaoding a file with a .php extension instead of a .jpg extension.

    the way around this exploit is rename EVERY file that uploaded to some arbitrary name based on the EXPECTED file type (not the mime or reported type). when a client requests the file, use a PHP script to passthru() the file with the correct name, which you have stored in a DB table, and the correct mime type.

    FYI, read http://www.sitepoint.com/forums/showthread.php?t=278613

  3. #3
    SitePoint Guru
    Join Date
    Feb 2004
    Location
    Oregon
    Posts
    686
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    thanks longneck, I already read that thread. that is what I am trying to avoid is storing the image in the db. and that is what I was talking about. a jpg file with a php extension. how do you get the 'expected' file type if you don't use the mime type? I allow all iamges.

    and you can setup an image to run like a php file with NO php extension. very easy with .htaccess.
    success is not by chance, it is by choice.

  4. #4
    reads the ********* Crier silver trophybronze trophy longneck's Avatar
    Join Date
    Feb 2004
    Location
    Tampa, FL (US)
    Posts
    9,854
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Sahajin
    how do you get the 'expected' file type if you don't use the mime type? I allow all iamges.
    what i meant by expected file type is if you ask someone to upload a picture, you treat it as such. how many times ahve you intentionally passed a picture to the PHP processor?

    but still, there are two immediately obvious ways, both still using my suggestion about renaming the files:
    1) enforce only .jpg, .gif, .png extensions and reject any other type of file uploaded, i.e. use the extension to determine the file type.
    2) use an extension like GD to peek in to the file to determine the type, or look in the internet for file specs and write your own detector.
    and you can setup an image to run like a php file with NO php extension. very easy with .htaccess.
    yes, but why would you do that? and still, if you store the files outside of the web servers filesystem and use only passthru() to actually send the picture, even if someone uploads a bad .htaccess file, they won't be able to pass the actualy file to the PHP processor.

    forgive me if i sound rude, but i think you're being a bit paranoid here. what kind of situation, exactly, are you trying to guard against? it's not clear to me based on your posts.

  5. #5
    SitePoint Guru
    Join Date
    Feb 2004
    Location
    Oregon
    Posts
    686
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    hackers do many different things to get info to your site. I help run one of the most popular templates sites on the net and you won't believe how and what hackers have done. there is even a virus named after us as a DDoS trojan. I have to take as many precautions as I can.

    I am going to enforce the image type. this is already taken care of. I just want to make sure there isn't any way to fake a mime-type to any extent of hacking the site.

    it isn't so much as keeping the images private, I am just avoiding any possible way to upload a bad image. the images will be on the site and users will have free rein to view them.

    it probably is more paranoia than anything but I was told to be very secure in this part of the script. its also my way to avoid the images being written to the db in a blob field

    thanks longneck, I will look into passthru.
    success is not by chance, it is by choice.

  6. #6
    Keep it simple, stupid! bokehman's Avatar
    Join Date
    Jul 2005
    Posts
    1,935
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The following will check conclusively that an uploaded file is an image.
    PHP Code:
    if(getimagesize($_FILES['id']['tmpname'])){ // change ['id'] to suit
         // Save file to MySQL
    }else{
         
    // File dodgy! Don't save



Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •