Page 1 of 1

uploading file security

Posted: Sat Jul 28, 2007 7:02 pm
by kippy
I was curious what problems do you see with using the following:

$f = $_FILES['uploadedfile']['type'];

then use the result to make sure only jpeg, gif, png files are uploaded?

I also plan to rename the uploaded files, but I want to try and prevent other extensions from even being uploaded.

Posted: Sat Jul 28, 2007 7:17 pm
by Chris Corbyn
Use getimagesize() instead to verify it's an image. Anyone can rename a file extension, or even override the mime type seny by the browser.

Posted: Sat Jul 28, 2007 8:25 pm
by Charles256
This http://www.ourlifeproject.com/?p=8 may be of use. If you don't want to resize the image just pass the original width and height by using http://www.php.net/getimagesize . If they try to upload something other than an image the function will fail and let you know. If that's over your head then just pretend I said nothing. :-D

Posted: Sat Jul 28, 2007 8:29 pm
by kippy
haha...thanks for the help, I will take any advice I can get....security is such a big area and I want to try and find the safest option(s) around....

Posted: Sun Jul 29, 2007 3:55 am
by miro_igov
getimagesize() will pass bmp, tiff etc, kippy asked for "only jpeg, gif, png".

Code: Select all

imagecreatefromjpeg($filename)
will return false if the file is not jpeg.

It has analogs for gif and png files too.

Posted: Sun Jul 29, 2007 8:10 am
by feyd
miro_igov wrote:

Code: Select all

imagecreatefromjpeg($filename)
will return false if the file is not jpeg.

It has analogs for gif and png files too.
Using the image* functions would be a waste of time and memory for this. getimagesize() tells you all sorts of information without eating a lot of memory.. use that.

Posted: Sun Jul 29, 2007 8:33 am
by superdezign
getimagesize() shouldn't be used alone, though. It should be used to determine what the image should be, and then you should handle the image with the appropriate GD function to ensure that it is the same type that it claims to be. I've heard of exploits by hackers on programmers that trust getimagesize() as though the headers of the file are the bottom line for what the contents will be.