Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
It looks like you are doing the basics -- especially using move_uploaded_file(). You might also want to do a little more filtering on $imgname, but I don't know if it is necessary as PHP does some checks. Also see the manual:
Also check the upload file size. Many people simply type in random filenames in the file input, thus making loads of dead files on your server. Check that it has a filesize greater than X (at least 0) and this alleviates that from happening.
nathanr wrote: Also check the upload file size. Many people simply type in random filenames in the file input, thus making loads of dead files on your server. Check that it has a filesize greater than X (at least 0) and this alleviates that from happening.
How do I check for the filesize, like making sure it's not too big or too small?
The filesize for each uploaded file is available in $_FILES['inputname']['size'], where inputname is the name of the <input type="file" name="inputname">.
That's not a security hole, but a security abyss. Try uploading a file called "backdoor.php" and see what I mean.
Never, ever, use user-submitted data, such as $_FILES['image_file']['name'] for a target filename.
There are too many issues with securing uploads, but the simplest secure solution is to generate your own random name with a strictly image-only extension (randomname.jpg for example). You can use a graphic library to recognize the image type (gif/jpg/png etc.), and force the extension (after the randomly generated name) to the proper one.
Mordred wrote: That's not a security hole, but a security abyss. Try uploading a file called "backdoor.php" and see what I mean.
Never, ever, use user-submitted data, such as $_FILES['image_file']['name'] for a target filename.
There are too many issues with securing uploads, but the simplest secure solution is to generate your own random name with a strictly image-only extension (randomname.jpg for example). You can use a graphic library to recognize the image type (gif/jpg/png etc.), and force the extension (after the randomly generated name) to the proper one.
What code would I use to do the renaming and extension forcing stuff?
You need to:
1. Determine the type of the image (jpg/gif/png, whatever) - there are many ways, maybe getimagesize()/image_type_to_extension() will give you the proper extension to use.
2. Generate a random name. To do so properly, generate a name in a loop until a check whether "random_filename.ext" exists says "no".
3. For full paranoia mode - upload the images in a separate folder, with a .htaccess file that disables the php engine.
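The steps above combined with the size check discussed earlier in the thread, as an added example that is not part of the original posts. The function name store_uploaded_image, the 2 MiB limit, the uploads directory and the 'image_file' field name in the usage comment are assumptions.

```php
<?php
// Added example, not code from the thread. Limits and names are assumptions.
const MAX_BYTES = 2097152; // assumed upper size limit (2 MiB)

function store_uploaded_image(array $file, string $destDir): string
{
    // Accepted image types, each mapped to the extension we force on disk.
    $allowed = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file was sent');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an HTTP upload');
    }

    // Size check on the file itself: rejects empty uploads and oversized ones.
    $size = filesize($tmp);
    if ($size === false || $size <= 0 || $size > MAX_BYTES) {
        throw new RuntimeException('File is empty or too large');
    }

    // Step 1: detect the type from the content, never from $file['name'].
    // getimagesize() only reads the header, so a valid image can still carry
    // embedded code; the forced extension and step 3 are what contain that.
    $info = @getimagesize($tmp);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('Not a GIF, JPEG or PNG image');
    }

    // Step 2: random server-side name, regenerated until it is unused.
    do {
        $name   = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
        $target = rtrim($destDir, '/') . '/' . $name;
    } while (file_exists($target));

    if (!move_uploaded_file($tmp, $target)) {
        throw new RuntimeException('Could not store the upload');
    }
    return $name; // store this; the client-supplied name is never used
}
// Usage: $name = store_uploaded_image($_FILES['image_file'], __DIR__ . '/uploads');
// Step 3 is server configuration: with Apache mod_php (assumed), an .htaccess
// in the upload folder containing "php_flag engine off" disables the engine.
```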