Resize embed image uploaded phpmailer?

First of all, I am sending the email with PHPMailer:
$mail->AddEmbeddedImage($_FILES['uploaded_file']['tmp_name'], 'uploaded_file',$_FILES['uploaded_file']['name']);
I want to resize the uploaded photo (to 512x288), so I have tried replacing
$myphoto="<img src='cid:uploaded_file'/>";
with
$myphoto="<img height='288' width='512' src='cid:uploaded_file' />";
but it doesn't work.

Thanks

All you are doing is resizing the image view not the actual image. You will need to use GD or Imagemagick to resize the image. I would select the image, resize it and save to a temporary location, add it to the email and delete the temporary version.

OK… I'm trying, but I'm lost in the code:

// Create image from file
switch(strtolower($_FILES['uploaded_file']['type']))
{
        case 'image/jpeg':
                $image = imagecreatefromjpeg($_FILES['uploaded_file']['tmp_name']);
                break;
        case 'image/png':
                $image = imagecreatefrompng($_FILES['uploaded_file']['tmp_name']);
                break;
        case 'image/gif':
                $image = imagecreatefromgif($_FILES['uploaded_file']['tmp_name']);
                break;
        default:
                exit('Unsupported type: '.$_FILES['uploaded_file']['type']);
}

// Delete original file
@unlink($_FILES['uploaded_file']['tmp_name']);


// Target dimensions
$max_width = 512;
$max_height = 288;


// Calculate new dimensions
$old_width      = imagesx($image);
$old_height     = imagesy($image);
$scale          = min($max_width/$old_width, $max_height/$old_height);
$new_width      = ceil($scale*$old_width);
$new_height     = ceil($scale*$old_height);


// Create new empty image
$new = imagecreatetruecolor($new_width, $new_height);


// Resample old into new
imagecopyresampled($new, $image, 
        0, 0, 0, 0, 
        $new_width, $new_height, $old_width, $old_height);

I do not know how to go on …

No. This will not work. You basically delete the temp file which you actually need because that's the only one you can actually touch and see information on. When you delete the temp file, you no longer have the file's dimensions unless you have a session set to keep those dimensions. But I would consider this as bad practice. Your function also is useless. I would never allow people to upload arbitrary files to my server until I know for sure what that file is. You are basically checking the mime type of the file extension. This is entirely not safe. What if someone changes a malicious file to .jpg? Some people think it's ok to whitelist extensions, but no, it's not. Allowing a whitelist would basically allow anyone to upload any file, even if it's not a legitimate image file. This in turn will create broken images which would make your uploading system useless because of the fact that you designed it poorly. Also, you discarded the temp file then try to create a new file from scratch. I have no idea what you are trying to do.

I suggest using a library for resizing.

To prevent malicious code from being executed within an image, you need to re-create the image.

That’s why you check to see what kind of file it is by checking the mime type of the tmp file? The tmp file contains the ACTUAL mime type.

If you were to create a malicious file say malicious_file.php, write a bunch of garbage in it. Then you upload that file. The original mime type of that file will be text/html. Change that malicious file to malicious_file.jpg or even malicious_file.php.jpg, and upload it to your uploading system. That original mime type will be text/html. The type of the file extension will be image/jpg. Do you see what is wrong with this picture? The original mime type is text/html, but the type you are checking against is image/jpg. The original mime type will remain the same no matter what. So if I were to change it to malicious_file.xml, the original mime type would still be text/html. However, the type of the file extension will be application/xml. This means that the type of the file extension will always change based on the file extension.

You do not want to do that. What you want to do is check the mime type of the tmp file. When you have a legitimate image file, it will always remain image/jpg, image/jpeg, image/gif, or image/png. This means no matter what, if you change a legitimate image file from good_file.jpg to good_file.php, that file will always have the mime type of image/jpg if that file is a legitimate image file. It will also fail the function check the OP has in place because it doesn't have the right type of mime type, which is image/jpg. The file extension shouldn't matter if the mime type of the original file is legitimate.

With the system the OP has right now, he is allowing arbitrary files to be uploaded. Not only is this a security hazard, but it is also just pure bad practice. You are also doing double the work to achieve the same result. By just checking the mime type of the tmp file, you allow a more secure and safe way of uploading.

Don't take my word for it. Try this same method on Facebook, the social media giant who basically hires hundreds of PHP users who know what they are doing. Not only do they specialize in PHP, they are always checking for security risks and pay a lot of money to anyone who finds exploits for them.

I dare you to do this method on Facebook. Create a malicious file and upload it to Facebook. Then change that file to have .jpg as the ending file extension. Do you see and wonder why your malicious file won’t go through even though you changed it to .jpg? That’s because they CHECK for mime type on the tmp file. If they were to check the mime type of the file extension, obviously that would be an exploit anyone can use and hack Facebook.

People who push support for whitelisting file extensions are the ones that keep this legacy up. This is an entirely dangerous thing to do and would highly likely be an exploit that people can use. I would never suggest whitelisting file extensions nor suggest any kind of system like this. This is pure bad design and outright dangerous.


It is not as simple as just checking the MIME type either, as you can inject PHP code into a jpg file. The first website I found with the info: php injection into jpg file. It will still be a valid jpg file.

EDIT: I forgot to say that converting a jpg to a png should get rid of the PHP code (it does in ImageMagick). But png images can also carry bad code in the "Chunks". I believe using -strip in later versions of ImageMagick should remove the Chunks, although I have not tested it.

I have no idea how GD deals with the problem.


Yes. However, you are less of a sitting duck than if you were to whitelist a list of file extensions. Whitelisting is pretty much the equivalent of installing a Windows operating system and leaving it as default instead of installing an anti-virus. Whereas checking the mime type of the tmp file is equivalent to installing an anti-virus on your Windows operating system. Even though it might not be enough protection, at least you know that you aren't just a sitting duck.

I was not criticising, and I agree with your reply, @spaceshiptrooper.

I believe you need as many checks as you can think of and did not want the user to think checking the mime types only would keep them safe. I also mentioned it as it may be of interest to other people reading this thread.


You didn't understand me. I've never said that file extensions should be whitelisted; as you said, the file extension can be faked.
I said that if you want to protect against executing malicious code forged inside an image, you should re-create the image, because a valid image can still hold malicious code, and that's all. :)

Or maybe I didn't understand you. :)

Best regards!

Not a lot of help @grigione but it would be so much simpler with Imagemagick.

Anyway I do not use GD but this is some old code of mine before I changed to Imagemagick which might get the thread back on track:

To keep the aspect ratio based on the original image width:

// Temporary upload image name
$original_image = '../original_images/flowers.jpg';
// Get the image dimensions: [0] = width, [1] = height
$size = getimagesize( $original_image );
// Maximum image width
$max_width = 100;
// Height follows from the original aspect ratio
// (imagecreatetruecolor() needs integers, so round the result)
$ratio = $max_width / $size[0];
$max_height = (int) round( $size[1] * $ratio );
// Resize the image and save
$src_img = imagecreatefromjpeg( $original_image );
$thumbnail = imagecreatetruecolor( $max_width, $max_height );
imagecopyresampled( $thumbnail, $src_img, 0, 0, 0, 0, $max_width, $max_height, $size[0], $size[1] );
imagejpeg( $thumbnail, 'flowers_GD.jpg' );
imagedestroy( $thumbnail );
imagedestroy( $src_img );

I would work on a static image to get the resize code working. Otherwise you will have to keep going through the form every time you want to test it.
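Pulling the thread's advice together (inspect the temp file's real content, re-create the image so nothing smuggled into the original survives, then fit it to 512x288 for the email), here is an added example in GD; it is not code from anyone in this thread. The function name, the JPEG output format and the temp-directory location are this example's own choices.

```php
<?php
// Added example, not code from the thread: validate the upload by its real
// content, re-encode it with GD (which writes only pixel data, so comments,
// EXIF segments and PNG chunks from the original are not carried over) and
// fit it inside 512x288 without distortion. Returns the clean file's path.
// Assumptions: GD is loaded; name, JPEG output and temp dir are choices.
function cleanResizedCopy(array $file, int $maxW = 512, int $maxH = 288): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // getimagesize() reads the temp file's header; the client-supplied
    // $file['type'] and the file-name extension are deliberately ignored.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('Not a recognised image');
    }
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $src = @imagecreatefromjpeg($file['tmp_name']); break;
        case IMAGETYPE_PNG:  $src = @imagecreatefrompng($file['tmp_name']);  break;
        case IMAGETYPE_GIF:  $src = @imagecreatefromgif($file['tmp_name']);  break;
        default: throw new RuntimeException('Unsupported image type');
    }
    if ($src === false) {
        throw new RuntimeException('Image header is valid but the data is not');
    }
    $oldW = imagesx($src);
    $oldH = imagesy($src);
    $scale = min(1, $maxW / $oldW, $maxH / $oldH);   // shrink only, never upscale
    $newW = max(1, (int) round($oldW * $scale));
    $newH = max(1, (int) round($oldH * $scale));
    $dst = imagecreatetruecolor($newW, $newH);
    imagefill($dst, 0, 0, imagecolorallocate($dst, 255, 255, 255)); // white behind transparency
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $newW, $newH, $oldW, $oldH);
    // The output name is chosen here, so no user-controlled extension reaches disk.
    $out = sys_get_temp_dir() . '/' . bin2hex(random_bytes(8)) . '.jpg';
    if (!imagejpeg($dst, $out, 85)) {
        throw new RuntimeException('Could not write the resized copy');
    }
    imagedestroy($src);
    imagedestroy($dst);
    return $out;
}

// In the PHPMailer flow from the question ($mail is already set up):
// $clean = cleanResizedCopy($_FILES['uploaded_file']);
// $mail->AddEmbeddedImage($clean, 'uploaded_file', 'photo.jpg');
// $mail->Body = "<img src='cid:uploaded_file' />";
// ... after $mail->Send(): unlink($clean);
```

Because the clean copy is re-encoded from pixels rather than copied, the check and the resize are one step, and the temporary file is deleted only after the mail has gone out.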

In the end I have used the library phpimagemagician:
http://phpimagemagician.jarrodoberto.com/index.html

// Determine the real image type from the temp file, not from the
// client-supplied file name (see the mime type discussion above)
$info = getimagesize($_FILES['uploaded_file']['tmp_name']);
$types = array(IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif');
if ($info === false || !isset($types[$info[2]])) {
    exit('Unsupported or invalid image');
}
$ext = $types[$info[2]]; // extension derived from the detected type
$newname = "uploadedphoto." . $ext;

$target = 'images/' . $newname;
move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $target);

$imageLibObj = new imageLib($target);

// resizeImage($newWidth, $newHeight, $option, $sharpen); option 3 is one of
// the library's fit modes (see its resizeImage() documentation)
$imageLibObj->resizeImage(512, 288, 3, false);

$imageLibObj->saveImage('images/myphoto.' . $ext, 100);

$myphoto = "<img src=\"cid:myphoto\" alt=\"picture descr\">";

$mail->AddEmbeddedImage('images/myphoto.' . $ext, 'myphoto', 'myphoto.' . $ext);

If you have a library that is better, please suggest it. Thanks
