PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
neel_basu wrote: But to know whether it's a valid image or not, reading the first few characters is enough. So if you are dealing with really big images it will take time.
Not very secure that really though, is it? Can be easily changed by anyone.
neel_basu wrote: Ya, I've used it before as it returns its original MIME type, reading its first few characters. But it reads the total image to get its height and width. But to know whether it's a valid image or not, reading the first few characters is enough. So if you are dealing with really big images it will take time.
2 things:
1. The size of the image makes very little difference to the time getimagesize() takes. Try it on a massive image and you'll see.
2. Reading the file header won't tell you if a file is a valid image file ... it could be a file of garbage that happens to have the header matching an image format. getimagesize() goes a bit further and actually checks the format of the file.
Have you ever opened any valid image with a simple text editor or a hex editor?
If you have, please look at the first line in that editor.
neel_basu wrote: // This function can check whether an image is a PNG, BMP, JPEG or GIF image.
// But if you use a binary file that has PNG or JFIF or GIF or BM. written at the beginning,
// it will pass this validation. But I didn't think that a malicious program can contain
// those texts at its beginning, as those are reserved for images.
neel_basu wrote: Have you ever opened any valid image with a simple text editor or a hex editor?
If you have, please look at the first line in that editor.
neel_basu wrote: // This function can check whether an image is a PNG, BMP, JPEG or GIF image.
// But if you use a binary file that has PNG or JFIF or GIF or BM. written at the beginning,
// it will pass this validation. But I didn't think that a malicious program can contain
// those texts at its beginning, as those are reserved for images.
Guys, just give up... people just sometimes refuse to listen...
Hey.
I've never said that getimagesize() is bad or not working. How can a PHP native function be bad?
I was just telling what the real fact is and how it's getting the original MIME type.
onion2k wrote: 1. The size of the image makes very little difference to the time getimagesize() takes. Try it on a massive image and you'll see.
I actually focused on the
neel_basu wrote: But to know whether it's a valid image or not, reading the first few characters is enough
I'm not disagreeing with you. You're probably right. If the first line of an image in a hex editor always looks like that, that's fine. getimagesize() can make a similar and probably better check to make sure it's an image; and it's a built-in function.
jayshields wrote: I'm not disagreeing with you. You're probably right. If the first line of an image in a hex editor always looks like that, that's fine. getimagesize() can make a similar and probably better check to make sure it's an image; and it's a built-in function.
Ya, in a valid image it always looks like that.
I've looped over 150 images (PNG, GIF, JPG, BMP) to check.
But I am sorry to make it a bit complex.
neel_basu wrote: Ya, in a valid image it always looks like that.
I've looped over 150 images (PNG, GIF, JPG, BMP) to check.
But I am sorry to make it a bit complex.
<?php
// Header-only check: reads the first 16 bytes and looks for a magic string.
function chk_img($img_path)
{
    $handle = fopen($img_path, "rb");   // binary mode; fopen() returns false on failure
    if ($handle === false) {
        return false;
    }
    $contents = fread($handle, 16);
    fclose($handle);
    // Passes for any file that merely contains one of these strings in its first 16 bytes.
    if (strstr($contents, 'PNG') || strstr($contents, 'JFIF') || strstr($contents, 'GIF') || strstr($contents, 'BM.')) {
        return true;
    }
    return false;
}
echo (chk_img("http://www.ooer.com/onion/amianimage.jpg")) ? "Yes, this is an image." : "No, this is not an image";
echo "<br>";
echo (getimagesize("http://www.ooer.com/onion/amianimage.jpg")) ? "Yes, this is an image." : "No, this is not an image";
?>
Then download http://www.ooer.com/onion/amianimage.jpg and open it in a text editor. To check whether a file is a valid image or not you must check more than just the file header.
neel_basu wrote: // This function can check whether an image is a PNG, BMP, JPEG or GIF image.
// But if you use a binary file that has PNG or JFIF or GIF or BM. written at the beginning,
// it will pass this validation. But I didn't think that a malicious program can contain
// those texts at its beginning, as those are reserved for images.
Yes. If you're validating whether something is an image or not that's pretty important. Using a function that will say something is an image when it isn't is just plain wrong.
A different question, not part of this topic:
Is it possible to make a jpg file that can harm the system if parsed as an image file? Because parsing a jpg file means there is another program that reads the bit patterns of that file; it doesn't execute that file at all, does it?
neel_basu wrote: A different question, not part of this topic:
Is it possible to make a jpg file that can harm the system if parsed as an image file? Because parsing a jpg file means there is another program that reads the bit patterns of that file; it doesn't execute that file at all, does it?
So it may affect the program that is reading it, and if it does any harm to the system, that's by that program. So if I just open http://localhost/image.jpg, it's not directly interacting with any program, so it can't do any harm to the server.
Am I right?
neel_basu wrote: So if I just open http://localhost/image.jpg, it's not directly interacting with any program, so it can't do any harm to the server.
In order to run the buffer overflow exploit you'd have to view the image, so something on a server opening the image (like PHP with GD2, or ImageMagick or something) should be safe. However, you don't just have images uploaded to the server and end there. You do something with them. Usually that's serving them as part of your website or letting users download them. If a user viewed or downloaded an image that was infected with something nasty that could seriously damage your business.
At the end of the day it's very simple: use getimagesize() to validate images. Don't rely on the file header because it might pass that check and still not be a valid image. Your chk_img() function is not good enough.
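The contrast this thread keeps coming back to, as an added example that is neither onion2k's nor neel_basu's code: a header-only check next to a getimagesize()-based one, run on a real PNG and on a text file that merely begins with "JFIF". Because getimagesize() only parses container headers (for GIF it takes width and height straight from the bytes after the signature), the stronger path also decodes the file through GD before accepting it; header_only_check and validate_image are names chosen here, and the GD extension is assumed to be installed.

```php
<?php
// Added example, not code from the thread. Requires the GD extension
// (imagecreatetruecolor, imagepng, imagecreatefromstring); the rest is core PHP.

// The thread's approach: look for a magic string somewhere in the first 16 bytes.
function header_only_check(string $path): bool
{
    $head = file_get_contents($path, false, null, 0, 16);
    return $head !== false && preg_match('/PNG|JFIF|GIF|BM/', $head) === 1;
}

// Stronger check: getimagesize() must parse the container, the detected type
// must be one the (hypothetical) application accepts, and GD must be able to
// decode the whole file. The decoded image is what gets stored or served, so
// bytes that merely surround or follow a valid header never reach users.
function validate_image(string $path, array $allowed = [IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF])
{
    $info = @getimagesize($path);                 // false when nothing parsable is found
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return false;
    }
    $img = @imagecreatefromstring((string) file_get_contents($path));
    if ($img === false) {
        return false;
    }
    return ['width' => $info[0], 'height' => $info[1], 'mime' => $info['mime'], 'gd' => $img];
}

// Constructed inputs: a real 8x8 PNG produced by GD, and a text file that
// only contains the string "JFIF" at its start, like a fake .jpg would.
$real = tempnam(sys_get_temp_dir(), 'img');
$im = imagecreatetruecolor(8, 8);
imagepng($im, $real);
imagedestroy($im);

$fake = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($fake, "JFIF but this is plain text, not a JPEG\n" . str_repeat("x", 64));

foreach (['real png' => $real, 'fake jpg' => $fake] as $label => $path) {
    $strong = validate_image($path);
    printf("%-8s header-only: %-4s  getimagesize+GD: %s\n",
        $label,
        header_only_check($path) ? 'pass' : 'fail',
        $strong ? sprintf('pass (%dx%d %s)', $strong['width'], $strong['height'], $strong['mime']) : 'fail');
}
unlink($real);
unlink($fake);
```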