Image Uploader and false images!

Posted: Tue Jun 27, 2006 6:28 pm
by izone
feyd | Please use code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hello,

I have a script that I use for my image uploader and it works great, but if you change the extension of a PHP file (for example) to jpg, it doesn't recognize that the file actually is not an image file. I'm worried about the security of my site and would appreciate it if someone here could help me make some changes to it.

Here is my upload.php file:


Best Regards.


Posted: Tue Jun 27, 2006 6:39 pm
by Robert Plank
Look up getimagesize() function. You can run the filename through getimagesize() and it will return false if it's not a real image.

Posted: Wed Jun 28, 2006 5:30 am
by izone
First of all, I apologize for not using the right code tag in my post, and thanks for telling me about that.
Robert Plank wrote: Look up getimagesize() function. You can run the filename through getimagesize() and it will return false if it's not a real image.
And thank you, Robert Plank, for your help. But could you please show me where in my code above to put this code? I am new to this and don't know how to handle it.

Regards.

Posted: Wed Jun 28, 2006 7:34 pm
by Robert Plank

Code:

if (@getimagesize($_FILES['attached']['tmp_name']) === FALSE) {
   // not an image
}
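
An added example (not code from the thread; izone's upload.php is not shown on the page) of where the getimagesize() check can sit in an upload handler. It goes beyond the one-line check: because getimagesize() reads the image header rather than validating the whole file, the stored extension is taken from the detected type and the file name is generated on the server. The function name store_uploaded_image, the 2 MB limit and the destination path are assumptions.

```php
<?php
// Added example: hypothetical helper, not part of the original script.
// Assumes the form field is named 'attached' (as in the reply above) and that
// $destDir is outside the web root or in a location where PHP is not executed.
function store_uploaded_image(array $file, string $destDir, int $maxBytes = 2097152): string
{
    // Reject failed transfers, oversized files and paths that are not real uploads.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload');
    }

    // getimagesize() returns false when the content has no recognisable image header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('Not an image');
    }

    // Pick the extension from the detected type ($info[2] is an IMAGETYPE_* constant);
    // the client-supplied file name and extension are never reused.
    $allowed = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    ];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('Unsupported image type');
    }

    // Random server-side name, so the stored file can never end in .php.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], $destDir . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// Usage in the upload script; '/path/outside/webroot' is a placeholder.
if (isset($_FILES['attached'])) {
    try {
        echo 'Stored as ', store_uploaded_image($_FILES['attached'], '/path/outside/webroot');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```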

Posted: Thu Jun 29, 2006 3:03 pm
by izone
Robert Plank,

Thank you very much for that. It works great now and is more secure.