uploading file security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm


Post by kippy »

I was curious what problems do you see with using the following:

$f = $_FILES['uploadedfile']['type'];

then use the result to make sure only jpeg, gif, png files are uploaded?

I also plan to rename the uploaded files, but I want to try and prevent other extensions from even being uploaded.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Use getimagesize() instead to verify it's an image. Anyone can rename a file extension, or even override the mime type sent by the browser.
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

This http://www.ourlifeproject.com/?p=8 may be of use. If you don't want to resize the image just pass the original width and height by using http://www.php.net/getimagesize . If they try to upload something other than an image the function will fail and let you know. If that's over your head then just pretend I said nothing. :-D
kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm

Post by kippy »

haha... thanks for the help. I will take any advice I can get... security is such a big area and I want to try and find the safest option(s) around....
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

getimagesize() will pass bmp, tiff etc, kippy asked for "only jpeg, gif, png".

imagecreatefromjpeg($filename)
will return false if the file is not jpeg.

It has analogs for gif and png files too.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

miro_igov wrote:

imagecreatefromjpeg($filename)
will return false if the file is not jpeg.

It has analogs for gif and png files too.
Using the image* functions would be a waste of time and memory for this. getimagesize() tells you all sorts of information without eating a lot of memory. Use that.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

getimagesize() shouldn't be used alone, though. It should be used to determine what the image should be, and then you should handle the image with the appropriate GD function to ensure that it is the same type that it claims to be. I've heard of exploits by hackers on programmers who trust getimagesize() as though the headers of the file are the bottom line for what the contents will be.
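Putting the thread's advice together in one PHP function (an added example, not code posted by anyone in the thread): the client-supplied ['type'] is ignored, getimagesize() identifies the real format, only JPEG/GIF/PNG are allowed, and the matching GD function re-decodes and re-encodes the file as superdezign suggests. The function name, the destination directory and the use of $_FILES['uploadedfile'] from kippy's post are assumptions.

```php
<?php
// Added example, not from the thread. Validates and stores one uploaded image.
// Returns the stored path, or null when the upload is rejected.
function storeUploadedImage(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                      // PHP-level upload failure or no file
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;                      // not a file PHP received via HTTP POST
    }
    // Step 1 (Chris Corbyn / feyd): cheap header check, no full decode yet.
    // The @ only silences the E_WARNING getimagesize() emits on non-images.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;                      // no recognisable image header
    }
    // Step 2 (miro_igov): allowlist by the DETECTED type constant ($info[2]),
    // never by $_FILES[...]['type'] or the original filename extension.
    $allowed = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
    ];
    if (!isset($allowed[$info[2]])) {
        return null;                      // bmp, tiff, webp, ... are rejected
    }
    [$decode, $encode, $ext] = $allowed[$info[2]];
    // Step 3 (superdezign): the header claims a type; make GD parse the body.
    // A file with a forged or truncated header fails here and returns false.
    $img = @$decode($file['tmp_name']);
    if ($img === false) {
        return null;
    }
    // Step 4 (kippy's plan): server-chosen random name, extension taken from
    // the detected type. Re-encoding writes only pixel data, so anything
    // appended after the image (trailing payload, second stream) is dropped.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = $encode($img, $dest);
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Usage in the upload handler; keep the destination directory outside the
// web root or configured so the server never executes files stored there.
// $stored = storeUploadedImage($_FILES['uploadedfile'], '/var/www/uploads');
```

Re-encoding discards GIF animation and any EXIF data, which is usually the desired trade-off for user avatars; if those must survive, keep the GD decode as a check but copy the original bytes instead.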