phppup
Everything posted by phppup

  1. I've got this working thanks to everybody that's assisted. Now I've got a more academic question: what exactly is $im = imagecreatefromjpeg($file); doing when it runs? More directly, suppose a malicious actor places evil code into a jpeg file that passes through this function. Will the file always fail? Or is it more prudent to continue with: $file = $im; //overwrite with $im Because $im will somehow be 'cleansed' of the evil code that had been inserted. Is continuing with $file safe if it passed this examination? I'm trying to understand the inner workings, especially since I'm using this more as a security measure than a file reproduction method.
  2. @kicken Thanks for the insight. I think/hope that I've got that figured out already, but I'll re-examine again. I've been trying to cover that case too. Perhaps I'll need a new thread, but I found it quite revealing while working on "file sanitization" when I discovered that Lil Bobby Tables could access my data. I've run tests where I added ?file=../../etc/passwd to the end of a PHP URL, but gotten nothing unexpected. Am I just lucky? Already secure? Or a bad hacker? How can I trigger a negative result to help me implement a more positive security protocol?
  3. @gizmola Good information. So essentially, if hosting a fun friendly site, the SESSION can remain active to greet the user every time they visit the website? But what if more security is desired, like a page with banking information? What's the best way to handle a log out and elimination of the session? Will this also eliminate the cookie?
  4. What is it that I (might not) be seeing? What potential problems am I inviting? Or is this just a macho induced control issue? If a sub-folder named userDirs is designated for users to create folders with names that they want, where is the harm? If a user creates folder "puppy" and instead I initiated the new folder 345 (but I equate 345 to puppy), they will still see a URL path /blah/blah/userDirs/345, right? So a hacker will not have been stalled, will they? If the folder is not allowed to contain any . $?<>/ shouldn't that protect me? Or perhaps limiting name size and allowing only alphanumerics is better? I still feel like I'm missing a valuable piece to the puzzle. Insight, please.
  5. At this point I think I'd better just stick with the areas that have problems I can overcome. Perhaps later I'll research the "private" aspect. I guess my initial thinking wasn't totally off-base. If I've VALIDATED the file fully, and changed the name anyway, then any malicious efforts should be nullified. So even if a bad intent were initiated, it should be defused. But why not let a user name a directory? Clearly locating the folder contents is not the issue? Placement? If I have a designated destination and RegEx naming requirements implemented, is there still a risk that I'm not seeing?
  6. You're not seeing error messages because they are NOT being ECHOed. In order to display a message in PHP it needs to resemble: echo "now I see my message"; (The quoted text will be displayed.)
  7. From what I've learned, server validation (with PHP) is the safeguard. Client-side (like JS) is prettier and more user friendly, but also unreliable since it can be easily altered or removed. Use both as applicable and practical. As for your actual issue, there are likely several approaches that could be useful. To me, the most obvious would be that you are using a variable $error. $error has several messages depending on the input you are validating. It seems to be an existing constant throughout your script. So why not utilize it with something like Essentially, you're telling PHP that every error provides a message, so unless there are no messages, do not process. If $error is empty (the way it started without being diverted) then there are no messages, which means no errors, and it's then safe to proceed. You can use a similar technique with JavaScript.
  8. Am I looking for solutions when no problem exists? I really thought I read something about a security risk in letting the directory that was home to images become visible. There was certainly a cautionary note to NOT let users name directories. I assumed that this (like the name of a file) was to prevent access (if a malicious file were uploaded). If none of this matters, why not allow a user to name a folder and retain image names? After all, access to the images will be readily available anyway, right? Am I not making an obvious connection here?
  9. I want to allow users to upload images and then create a gallery. I am already checking file extension and taking other measures to ensure that the file is in fact a real image. I am changing the image name, so that even if the file is malicious, it is not easily accessible. But I'm not sure of the best way to display the images afterward. If images are uploaded to the XYZ directory, is it wise to display them from that location? Is it insecure for an image to be viewed from /blah/blah/blah/XYZ/renamedimg.jpg ? What is the safest way to approach this?
  10. I thought that after a fully sanitizing scrub of uploaded images, a simple display gallery would suffice. Then I was advised to change image names and rename directories for added security. Yet after all these precautions, it seems it's still insecure to exhibit user images? I recall a suggestion to have images SERVED (rather than using HTML <img> tag), but cannot find a method, starting point, or clear rationale for this. Guidance, advice, and insight to point me in the right direction, please.
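  The questions above about what imagecreatefromjpeg() does to a file, about ?file=../../etc/passwd, and about displaying or serving renamed images can be tied together in one upload-and-serve flow. This is an added example, not the poster's or the forum's code; the $uploadDir location, the field name photo, the query parameter img and the file-name pattern are assumptions.

```php
<?php
// Added example (not the poster's code). Assumes GD is installed and that
// $uploadDir is a directory outside the web root, writable by PHP.
// Re-encode an uploaded JPEG. imagecreatefromjpeg() only decodes pixel data;
// whatever else was in the file (EXIF, comments, trailing bytes) is not in the
// GD image, so writing it back out with imagejpeg() produces a fresh file.
// Returns the new server-chosen file name, or null if the file is not a JPEG.
function storeUploadedJpeg(string $tmpPath, string $uploadDir): ?string
{
    // Check the real content type, not the user-supplied extension.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    $im = @imagecreatefromjpeg($tmpPath);
    if ($im === false) {            // not decodable as a JPEG
        return null;
    }
    // Server-generated name: nothing from the client reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($im, $uploadDir . '/' . $name, 85);
    imagedestroy($im);
    return $ok ? $name : null;
}

// Serve an image by name through a script instead of exposing the directory.
// The name must match the pattern produced above, and the resolved path must
// still lie inside $uploadDir, which rejects "?file=../../etc/passwd" requests.
function serveImage(string $requested, string $uploadDir): void
{
    if (!preg_match('/\A[a-f0-9]{32}\.jpg\z/', $requested)) {
        http_response_code(404);
        return;
    }
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . '/' . $requested);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage (assumed field and parameter names):
// $name = storeUploadedJpeg($_FILES['photo']['tmp_name'], '/var/app/uploads');
// serveImage($_GET['img'] ?? '', '/var/app/uploads');
```

  The gallery page then emits <img src="image.php?img=..."> for each stored name, so the browser never learns the upload directory's path.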
  11. @maxxd I stand corrected. Although I did say: I probably should have been more careful. Thanks for setting things straight.
  12. I've got a better idea, since you've stated: Why don't you give me a reasonable solution to my issue in the form titled "imagecreatefromjpeg failure"? That would make you a helpful contributor.
  13. I think you need to understand how websites are built. But it's late and I'm tired, and I still cannot figure out why only some of my images cause an error on upload. Nonetheless, we put files into folders. For the most part, there is a logical method so that WE can find them to edit, update, etc. My webpage is my grocery cart. It has ice cream and meats and fruits and vegetables. I TRY to bag my items so the stuff for the freezer, fridge, pantry, and fruit bowl are nicely organized. Sometimes the bags get too full, often I get confused, occasionally items spill into other bags. And maybe I get candy. As long as everything makes it home, I'm happy. And as long as my web link gets the user to the right page, I really don't care if the can of soup is in with the frozen food.
  14. I clicked on a link: www.beautifulgirls/must_see I thought they were ugly and wish I hadn't looked. Should I complain about the link address or the content of the webpage? Consider wisely, and apply accordingly.
  15. How is that possible if the other two test files originate from the same folder? Clearly it (and the path) exists. How can I drill down for a deeper explanation? Also, I've realized that some images do not refresh unless browser history / cache is cleared. Research seems to point to using no-cache headers or a flush directive. What is the best/suggested method?
  16. From my experience (which is much less extensive than Barand's) double quotes vs. single quotes are mostly, but NOT ALWAYS, a matter of personal preference. There are definitely guidelines for dealing with strings and certain other specifics, but GENERALLY, either one will accomplish a task (as long as you remain consistent in your usage). To dissect your example: $var = 'value'; //since value is a non-numerical text the quotes are required echo 'value'; //simply tells PHP that you want the text inside the quotes to be displayed echo '$var'; //indicates that you want the item in the quotes (which translates to a variable value, in this case) to be displayed. echo " 'var' "; //would tell PHP to display the text value surrounded by the first set of quotes (the double quotes) and the $ will inform PHP to use the variable The expected result would be 'var' (although you may trigger an error because you didn't handle the single quotes as special characters) Taken further, if you coded: echo "The variable 'var' is a test"; //it would display the exact sentence WITH the awkward spacing. echo 'The variable "var" is a test'; //would duplicate above BUT echo "The variable '$var' is a test"; //would INTEGRATE the text and the VARIABLE with the result of: The variable 'value' is a test echo "The variable ". $var . " is a test"; //would INTEGRATE the text and the VARIABLE with the result of: The variable value is a test Best if you play around with the variations on your own. And then follow up with error checking and handling of special characters.
  17. I'm no guru, but it looks like I'm the only one around right now, so I'll say this: I believe you need quotation marks around the item in parentheses. Try fixing that on a variable and see if anything changes.
  18. I've cleaned up a few things, but this error message remains: Warning:....failed to open stream: No such file or directory in... I am simultaneously uploading three jpeg files from the same folder during my development / testing and this is the ONLY image that is being rejected. Reason? Explanation? Solution? Thanks.
  19. For 1 - okay. How can I force an error message just to see how it appears? For 2 - ok, but why does echo $im; give me the string beginning with Resource? (I honestly wasn't expecting that result). How can I go deeper to determine WHY a (perfectly good) image failed?
  20. My messages that seem in conflict with the result are Is there a way to validate WHY this result was given by the function?
  21. After working with the sample imagecreatefromjpeg provided in the PHP manual, I successfully got a result (after clearing my cache) from I've gotten a good education after navigating this function over the past week, and loaded it with ECHO messages to give me insight. Everything was going fine. And then, this ONE test image came along. Apparently, the image (which is as good a jpeg as I can find) FAILS the if(!$im) test. When I used echo $im; I discovered that when images pass through the function, they receive a "Resource" name. Images that FAIL are NOT named. This image gets a Resource name, yet FAILS. Is there a problem with my logic? A problem with the image? What would cause this? How can I verify?
  22. There's LOTS of stuff online about arrays. And you aren't going to do better than Barand. If you've already got an established array, you might try using print_r() [there are online resources to explain its functionality]. This will give you a visual representation that may help you understand the array's design. Don't forget that arrays begin with zero (ie: my_array[1] is the SECOND item). The first item WITHIN my_array[1] would be found by using my_array[1][0] Finding the third item in an assortment within my_array[1][0] would be accomplished with my_array[1][0][2] Etc, etc, etc. Or, if you hate arrays, why not use a variable for each question? $question1 = "who"; $question2 = "when"; $question2a = "when in morning"; $question2b = "when at night"; $question3.….. etc.
  23. Or you could simply say: Your session will expire in X hours from the time of this email. Then it's on them. LOL (a little sneaky, but Hey, it'll work and also remove complications on your end)