Im building a photo selling website. In it, I thought of scanning each and every photo users upload using clam (after uploading). This takes time and adds some load to the server. Is this a good idea or is it unnecessary?
Never heard of clam before, what are you scanning for? If you’re scanning to make sure the photos are original, perhaps you can make use of the Google Image Search API or TinyEye.
Clam is a virus scanner. Trying to scan for malware
Can you link to an article or anything else that cites images as being a source of malware?
I know it is possible to hide code in images, but to the best of my knowledge, this involves the person viewing the image to be complicit in extracting and running the malicious code.
I also know that you can target image viewers with security vulnerabilities in this way, but if that is what you are trying to protect against, then I would have thought it would be better to keep your programs up-to-date.
1 Like
You can imbed php into jpg images and I believe some shell? code into png images. I doubt this would be picked up by a virus scanner.
You will need to remove that code on upload as when the image is viewed the code can be run. It my not infect the user but it could mess up your server.
So yes you do need to “scan” the images on upload and use some .htaccess to protect your server. If the user downloads an image that has a problem and puts it on their server they would not be very happy!
I was involved in some discussion about this a few month’s ago; search the forum.
1 Like
How to remove bad code like that? Im not using PHP, using Rails.
I do not know anything about Rails. In php there is a graphics library called GD and one method is to read the image and create it again. You would have to search for the method but it automatically removes the php code in jpg’s.
In Imagemagick which is available to Ruby you can use strip to remove the EXIF data and or save it as a png as png does not support EXIF data.
I would have a search of Google ( image code injection ) to find some answers; I think the png code injection is harder to prevent but if you do not allow png uploads that would not be a problem.
One big problem here is that we need EXIF data 
All EXIF data? If you only need certain fields you could strip everything except the fields you need (or it may be easier to copy the fields you need, strip the image, then write the copied fields back).
I don’t think that code in an image can actually harm your server unless you’re parsing the image E.g. in PHP include(img.jpg) could be harmful but readfile(img.jpg) should be okay.
Can you please kindly tell me what those two functions do? (include and readfile) (Im not a php person 
). And thanks for the suggestion. I should consider it!
So if there’s malicious code in EXIF, what if we read EXIF data? So if there’s malicious code in EXIF, what if we read EXIF data? (My site read them and store some in the database) (My site read them and store some in the database)
The php online manual is always a good place to start:
http://php.net/manual/en/function.include.php
http://php.net/manual/en/function.readfile.php
It may not mess up the OP’s website @djeyewater bit if a user buys a photo from him they will be a little pissed off if it messes up theirs.
So you didn’t do a Google or forum search as I suggested. If you had you would have found a lot of ready available information along with a couple of jpg files you could test and see what happened.
1 Like
Will do. Thanks 
This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.