
Image uploads/creating images

Posted: Sun Dec 16, 2007 4:13 pm
by newbie2php
Hi all,

I am currently looking into image upload scripts, and the security around allowing users to do so.

There seem to be quite a few methods, some more secure than others.

I looked into image generation in PHP, and how you can reproduce an image based off another image.

My question - if I produced a script that took the image uploaded by the user, and then resaved this image (type depending on which type they uploaded) using PHP - would this not ensure that we are only uploading images and not risky user files?

e.g. imagecreatefromgif($tempname)

Maybe also some slight resizing too, if the image is over a certain dimension.

Any feedback regarding this, and image upload, would be great.

Thanks

Posted: Sun Dec 16, 2007 4:54 pm
by John Cartwright
> My question - if I produced a script that took the image uploaded by the user, and then resaved this image (type depending on which type they uploaded) using PHP - would this not ensure that we are only uploading images and not risky user files?
Have you tried it? There is no better way to learn than for yourself. Better yet, let us know. An alternative may be to simply use getimagesize() to determine whether the file is actually an image or masked as one. Careful though, getimagesize() can be tricked.
> Maybe also some slight resizing too, if the image is over a certain dimension.
Indeed, this is common practice.

Posted: Sun Dec 16, 2007 5:19 pm
by superdezign
Using GD as you have described is good, but you should check the file type data first anyway.
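
The approach discussed in this thread (a type check with getimagesize(), then a full decode and re-save through GD, with a resize for oversized images), written out as an added example that is not code from any of the posters. The function name reencode_image, the 1024-pixel default and the temp-directory paths are assumptions, and the two sample files are constructed.

```php
<?php
// Added example: reencode_image(), $maxDim and the paths below are hypothetical names.
function reencode_image(string $srcPath, string $destDir, int $maxDim = 1024): ?string
{
    // Detected IMAGETYPE_* => [GD loader, GD writer, extension we assign]
    $codecs = [
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
    ];
    // Step 1: header check. getimagesize() reads only the header, so it is a
    // first filter and not proof that the rest of the file is image data.
    $info = @getimagesize($srcPath);
    if ($info === false || !isset($codecs[$info[2]])) {
        return null;
    }
    [$load, $save, $ext] = $codecs[$info[2]];

    // Step 2: full decode with GD; this fails when the body is not an image.
    $img = @$load($srcPath);
    if ($img === false) {
        return null;
    }

    // Step 3: scale down when either dimension exceeds the limit.
    [$w, $h] = [imagesx($img), imagesy($img)];
    if ($w > $maxDim || $h > $maxDim) {
        $scale = $maxDim / max($w, $h);
        $nw = max(1, (int) round($w * $scale));
        $nh = max(1, (int) round($h * $scale));
        $small = imagecreatetruecolor($nw, $nh);
        imagecopyresampled($small, $img, 0, 0, 0, 0, $nw, $nh, $w, $h);
        $img = $small;
    }

    // Step 4: write a fresh file under a server-generated name; the client's
    // filename and extension are never used.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return $save($img, $dest) ? $dest : null;
}
// Constructed samples: a real 2000x10 GIF made with GD, and a file that has
// a GIF header followed by plain text instead of image data.
$dir = sys_get_temp_dir();
$real = "$dir/sample_real.gif";
imagegif(imagecreatetruecolor(2000, 10), $real);
$fake = "$dir/sample_fake.gif";
file_put_contents($fake, "GIF89a\x01\x00\x01\x00\x00\x00\x00this is not image data");
var_dump(reencode_image($real, $dir, 800));
var_dump(reencode_image($fake, $dir, 800));
```

In an upload handler, $srcPath would be the tmp_name entry from $_FILES after an is_uploaded_file() check, and $destDir a directory the web server does not execute scripts from.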