So if you look at the article
http://blog.insicdesigns.com/2009/01/se ... lications/
there are a few measures discussed, each one not enough on its own.
Checking of mime type
Code:
// 'type' is the Content-Type value sent by the client with the upload
if ($_FILES['userfile']['type'] != "image/gif") {
    echo "Sorry, we only allow uploading GIF images";
    exit;
}

Image file content verification
Code:
// getimagesize() reads the uploaded file itself and reports the type it detects
$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);
if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg') {
    echo "Sorry, we only accept GIF and JPEG images\n";
    exit;
}

File name extension verification
Code:
// Reject names that end in one of the listed extensions (case-insensitive)
$blacklist = array(".php", ".phtml", ".php3", ".php4");
foreach ($blacklist as $item) {
    if (preg_match("/$item\$/i", $_FILES['userfile']['name'])) {
        echo "We do not allow uploading PHP files\n";
        exit;
    }
}

Now you talked about an alternative way of allowing (and securing) uploads, and that is by uploading them to a different domain. I am still not quite sure what exactly that should prevent and how. And what should one do if you do not have access to multiple domains?
[edit:]
Maybe it's best for the discussion to talk about two different things:
1) First, in which ways uploaded images (and files) can be misused. Executing a malicious PHP command is something different from doing something with a browser Flash plugin.
2) Second, how to prevent these problems.
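
Added example (not part of the original post or the linked article): the content check and the extension check from the snippets above applied together, with the extension test turned into an allowlist and the stored file name generated by the server. The function name, the type map and the sample files are assumptions made for this illustration.

```php
<?php
// Added illustration; choose_stored_name() and ALLOWED_TYPES are hypothetical names.
// Detected content type => extension the file will be stored under.
const ALLOWED_TYPES = ['image/gif' => 'gif', 'image/jpeg' => 'jpg'];

/**
 * Returns a server-chosen file name for an accepted upload, or null to reject it.
 * $tmpPath is the uploaded temp file, $clientName the file name sent by the browser.
 */
function choose_stored_name(string $tmpPath, string $clientName): ?string
{
    // Content check: the file must parse as an image of an allowed type.
    $info = @getimagesize($tmpPath);
    if ($info === false || !array_key_exists($info['mime'], ALLOWED_TYPES)) {
        return null;
    }

    // Extension check as an allowlist: anything not listed is refused,
    // so extensions nobody thought to blacklist are refused too.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif', 'jpg', 'jpeg'], true)) {
        return null;
    }

    // The stored name contains no client input: random base name plus
    // the extension that belongs to the detected content type.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info['mime']];
}

// Constructed sample inputs: a minimal 1x1 GIF and a plain text file.
$gifPath = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($gifPath, base64_decode(
    'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'
));
$textPath = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($textPath, "this is not an image\n");

// Each call prints either the generated name or NULL.
var_dump(choose_stored_name($gifPath, 'photo.gif'));   // image content, image extension
var_dump(choose_stored_name($gifPath, 'photo.php'));   // image content, script extension
var_dump(choose_stored_name($textPath, 'notes.gif'));  // text content, image extension

unlink($gifPath);
unlink($textPath);
```

In a real upload handler the returned name would be the destination passed to move_uploaded_file() after the usual $_FILES error check.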