Error handling/security concerns for image file uploads

I saw this code for a server to receive an image file upload from a user’s smartphone:

$new_image_name = "namethisimage.jpg";
move_uploaded_file($_FILES["file"]["tmp_name"], "/srv/www/upload/".$new_image_name);

It was taken from this page:

Shouldn’t it have some code to check that the server isn’t receiving a malicious file? Or is that a concern regarding uploading photos from smartphones?

I found this code to validate the file:

if (preg_match('/^image\\/p?jpeg$/i', $_FILES['upload']['type'])
or preg_match('/^image\\/gif$/i', $_FILES['upload']['type'])
or preg_match('/^image\\/(x-)?png$/i', $_FILES['upload']['type'])
} else {
$error = 'Please submit a JPEG, GIF, or PNG image file.';

… but I don’t know how to integrate the two codes.

Can you help? Thanks!

Hi Steve!

It doesn’t matter if somebody is using a smartphone, a desktop or a watch to call something (could be a web service, a web page, whatever) through HTTP (and even HTTPS). It’s not difficult to sniff HTTP traffic coming from something you own. So, you’re uploading a picture from a smartphone to a web service? It’s easy to find the “URL” of the Web service and write a small app on a desktop that uploads anything to that web service.

So yes, you should validate that it’s really an image. But the code you pasted seems a little simple compared to the example I found. Here’s what I looked for in Google: “secure image upload php”

Here’s what came up:

Personally, I never had to validate images uploaded on the Internet (only “closed” applications, so the security was less of an issue)
So, I think you have a little bit of reading to do :wink:
(Or if you’re lucky, somebody else in the forum already did that and he will give you his advice)

Good luck! Tell me what you came up with! :slight_smile:

which includes the following to validate that the file contains an image

// verify the file is a GIF, JPEG, or PNG
$fileType = exif_imagetype($_FILES["myFile"]["tmp_name"]);
if (!in_array($fileType, $allowed)) {
    // file type is not permitted

One possible way (though I’ve never tested it) would be to use the GD library to create an image from either a gif, jpeg or png file, using the appropriate function, if the function reports a failure, assume the file to be dodgy and delete it

Thank you for all the help. I’ll cobble together the code and test!