PHP Developers Network
http://forums.devnetwork.net/

How to make image uploads safe.
http://forums.devnetwork.net/viewtopic.php?f=34&t=131202
Page 1 of 1

Author:  condoravenue1 [ Sat Aug 20, 2011 10:06 am ]
Post subject:  How to make image uploads safe.

Here is what I use to upload profile pictures to a folder. I know this isn't secure yet. The folder's permission is set to 777 because that is the only way I could make it work.

Let me know what needs to be added/changed to keep hackers away.

Thanks!

<?php
session_start();
if (!isset($_SESSION['username'])) { header("location: ../index.php"); exit(); }

$con = mysql_connect("**", "**", "**");
mysql_select_db("**", $con);

$username = mysql_real_escape_string($_SESSION['username']);

// $_FILES is the current name of the upload array ($HTTP_POST_FILES is the old alias)
$upload = $_FILES['uploadedfile'];

// defaults so the checks below never read undefined variables
$ext = "";
$valid = "true";
$errors = "";
$old_picture = "";

// get extension from the browser-supplied type
if ($upload["type"] == "image/gif") { $ext = ".gif"; }
if ($upload["type"] == "image/png") { $ext = ".png"; }
if ($upload["type"] == "image/jpeg") { $ext = ".jpg"; }

// validate type and size
if ($upload["type"] != "image/gif" && $upload["type"] != "image/png" && $upload["type"] != "image/jpeg") { $valid = "false"; $errors = $errors . "1"; }
if ($upload['size'] > 3000000) { $valid = "false"; $errors = $errors . "2"; }

// if invalid, go to error page
if ($valid == "false") {
    header("location: ../error_pages/upload_picture_error.php?why=$errors");
    exit();
}

// resize, rename, copy to folder
$path = "../profile_pictures/" . $username . $ext;
$file_name = $upload['tmp_name'];

copy($file_name, $path);
include('SimpleImage.php');
$image = new SimpleImage();
$image->load($path);
$image->resizeToWidth(100);
$image->save($path);
$picture = $username . $ext;

// look up the picture currently stored for this user
$result = mysql_query("SELECT * FROM perm WHERE username = '$username'");
while ($row = mysql_fetch_array($result)) { $old_picture = $row['picture']; }

// delete old default picture (only if one was recorded)
if ($old_picture != "") { unlink("../profile_pictures/" . $old_picture); }

mysql_query("UPDATE perm SET picture = '$picture' WHERE username = '$username'");

echo '<script type="text/javascript">window.location = "../account.php";</script>';
?>


Author:  Christopher [ Sat Aug 20, 2011 12:42 pm ]
Post subject:  Re: How to make image uploads safe.

The first thing is to use move_uploaded_file() instead of copy() because it does security checks. See the manual for that function for more info about uploads. There is also a whole section of the manual about Handling file uploads - http://us.php.net/manual/en/features.file-upload.php

Author:  condoravenue1 [ Sat Aug 20, 2011 9:00 pm ]
Post subject:  Re: How to make image uploads safe.

I had to set the permissions of the folder that the files are uploaded into to 777. Is this what it should be?

Author:  Christopher [ Sat Aug 20, 2011 9:26 pm ]
Post subject:  Re: How to make image uploads safe.

I would set the directory to the user that the web server runs as ... and then 700.
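Putting the two suggestions above together (move_uploaded_file() instead of copy(), and an upload directory owned by the web server user with mode 700), here is an added example of the handler written that way; it is not code from the thread. It also goes one step further than the replies by checking the file's bytes with getimagesize() instead of trusting the browser-supplied "type" field, and by building the destination name on the server side. The directory path, the error codes and the omission of the database update are assumptions of the example.

```php
<?php
// Hardened profile-picture upload handler (added example, not from the thread).
// Assumes $_FILES['uploadedfile'] from a multipart form, a session holding the
// username, and an upload directory owned by the web server user with mode 0700.
session_start();
if (!isset($_SESSION['username'])) { header('Location: ../index.php'); exit(); }

$uploadDir = __DIR__ . '/../profile_pictures';   // hypothetical path
$maxBytes  = 3000000;
$allowed   = array(IMAGETYPE_GIF => 'gif', IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg');

function failUpload($why) {
    header('Location: ../error_pages/upload_picture_error.php?why=' . urlencode($why));
    exit();
}

// Only accept a file that PHP itself received through the upload mechanism.
if (!isset($_FILES['uploadedfile']) || $_FILES['uploadedfile']['error'] !== UPLOAD_ERR_OK) {
    failUpload('upload');
}
$tmp = $_FILES['uploadedfile']['tmp_name'];
if (!is_uploaded_file($tmp)) {
    failUpload('upload');
}
if ($_FILES['uploadedfile']['size'] > $maxBytes) {
    failUpload('size');
}

// Do not trust $_FILES[...]['type'] or the client's file name: both come from
// the browser. Inspect the bytes instead and derive the extension from that.
$info = @getimagesize($tmp);
if ($info === false || !isset($allowed[$info[2]])) {
    failUpload('type');
}
$ext = $allowed[$info[2]];

// Build the destination name server-side from the session username, reduced
// to a safe character set so it cannot carry path separators or dots.
$safeUser = preg_replace('/[^A-Za-z0-9_-]/', '', $_SESSION['username']);
if ($safeUser === '') { failUpload('user'); }
$dest = $uploadDir . '/' . $safeUser . '.' . $ext;

// move_uploaded_file() refuses anything that was not an uploaded file and
// moves it atomically into the 0700 directory.
if (!move_uploaded_file($tmp, $dest)) {
    failUpload('move');
}
chmod($dest, 0600);   // readable and writable only by the web server user
```

The resizing step and the database update from the original post can follow on $dest exactly as before.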

Author:  social_experiment [ Sun Aug 21, 2011 9:23 am ]
Post subject:  Re: How to make image uploads safe.

Have a look at these URLs, specifically the first one
&

Author:  condoravenue1 [ Tue Aug 23, 2011 3:16 am ]
Post subject:  Re: How to make image uploads safe.


Author:  social_experiment [ Tue Aug 23, 2011 5:52 am ]
Post subject:  Re: How to make image uploads safe.

