  1. #1
    SitePoint Member (Join Date: Dec 2012; Posts: 8; Mentioned: 0 Post(s); Tagged: 0 Thread(s))

    The most secure method to validate an image before uploading it

    Hello all,

    I am quite new to PHP, so I am looking for some advice from experienced PHP programmers about how to secure the upload of images.

    Thank you

  2. #2
    StarLion, Keeper of the SFL (Join Date: Feb 2006; Location: Atlanta, GA, USA; Posts: 3,748; Mentioned: 71 Post(s); Tagged: 0 Thread(s))
    Well, #1 you can't validate something reliably before you upload it. It has to reach your server first (you can use JavaScript to try and validate, but what if the person has disabled JavaScript?)
    #2 What security are you referring to here?
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

  3. #3
    SitePoint Member (Join Date: Dec 2012; Posts: 8; Mentioned: 0 Post(s); Tagged: 0 Thread(s))
    Thank you StarLion for your answer.
    Maybe my statement was not so clear, sorry for this.

    Mainly, what I want to do is to implement a mechanism in PHP to upload some images.
    The idea is that I don't want somebody to upload, for example, PHP scripts which can be executed afterwards and hack my website. This is the security I am talking about.

    Hope I was clearer this time.

    Thank you

  4. #4
    K. Wolfe, Always A Novice, bronze trophy (Join Date: Nov 2003; Location: Columbus, OH; Posts: 2,182; Mentioned: 65 Post(s); Tagged: 2 Thread(s))
    You'll have to upload the file first. When the file reaches $_SERVER['FILES'], then you can run a check against it, and delete it if you deem it unfit.

    Code:
    <?php
    // Compare the MIME type the browser declared for the upload.
    if ($_FILES["file"]["type"] != "image/jpeg") {
        header("Location: /upload-form.php"); // anywhere but here; the temporary file will be deleted at the end of the request
        exit;
    } else {
        // Move the temporary upload to its final location.
        move_uploaded_file($_FILES["file"]["tmp_name"], "/path/to/uploads/" . basename($_FILES["file"]["name"])); // where you want
    }

  5. #5
    2ndmouse, SitePoint Zealot (Join Date: Jan 2007; Location: West London; Posts: 196; Mentioned: 0 Post(s); Tagged: 0 Thread(s))
    I think you'll find this question is already covered here

    Detect file changes remotely. SimpleSiteAudit is an early warning anti-hacker system which sends an alert on detection.

    PHP Find Orphan Files - Finds all the unreferenced files on your site.

  6. #6
    SitePoint Member (Join Date: Dec 2012; Posts: 8; Mentioned: 0 Post(s); Tagged: 0 Thread(s))
    Thank you all for your answers, they really helped me to understand the mechanism. Now I will try to implement something and I will come back with a sample.

  7. #7
    SitePoint Guru, bronze trophy (Join Date: Dec 2003; Location: Poland; Posts: 930; Mentioned: 7 Post(s); Tagged: 0 Thread(s))
    K. Wolfe's code does only a partial check and it still leaves your site vulnerable, because $_FILES["file"]["type"] is set by the browser and can be spoofed. This is good as the first check, but then you should do at least two more checks:

    2. Use getimagesize() on the file, check if it was successful and also check the file type returned by index 2 - for JPEGs it should be equal to the constant IMAGETYPE_JPEG - then you can be sure the file is really a JPEG image.

    3. Check the file extension and allow only jpg/jpeg - someone could send you a .php file which is a php script embedded in a jpeg file container and who knows if he can find a vulnerability in the php interpreter to actually run the code if it ends with .php. Make sure that no undesirable file extensions land on your server.

    4. Lastly, you may run some final validations to check whether the image has proper dimensions, doesn't exceed filesize limit, etc.
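    The checks listed above, put together in one handler as an added example (this is not code from any poster in this thread; the upload directory, size and dimension limits, and the form field name "file" are assumptions):

```php
<?php
// Added example, not from the thread: layered validation of an uploaded JPEG.
// UPLOAD_DIR, MAX_BYTES and MAX_DIM are assumed values, adjust to your site.
const UPLOAD_DIR = '/var/www/uploads'; // ideally outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;    // 2 MB file size limit
const MAX_DIM    = 4000;               // max width/height in pixels

// Returns the stored file name on success, or an error message string.
function validateAndStoreImage(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . $err;
    }
    // Only accept files that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        return 'file too large';
    }
    // Check 1 (weak, browser-supplied, spoofable): the declared MIME type.
    if ($file['type'] !== 'image/jpeg') {
        return 'declared type is not image/jpeg';
    }
    // Check 3: the original name must end in jpg/jpeg, nothing else.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg'], true)) {
        return 'disallowed extension';
    }
    // Check 2: parse the actual bytes; index 2 holds the IMAGETYPE_* constant.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return 'content is not a JPEG image';
    }
    // Check 4: sane dimensions (index 0 = width, index 1 = height).
    if ($info[0] > MAX_DIM || $info[1] > MAX_DIM) {
        return 'image dimensions too large';
    }
    // Never reuse the client's file name: generate one with a fixed extension.
    $newName = bin2hex(random_bytes(16)) . '.jpg';
    $dest = UPLOAD_DIR . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'could not move file';
    }
    chmod($dest, 0644); // readable, never executable
    return $newName;
}
```

    In the form handler, call validateAndStoreImage($_FILES['file']) and treat any return value that does not end in ".jpg" as a rejection to report to the user.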
