phppup

@kicken Thanks for clarifying that for me. Thankfully, my understanding wasn't/isn't that far off, although my terminology may have been a little murky. So how can I display an image as just 1s and 0s in a browser? And to my REAL question, what is the preferred/default method of interpretation for PHP? (Am I correct that images are essentially meaningless to PHP for display purposes? ECHO $img; is worthless [until HTML intervenes to help translate with an <img> tag] It's like a memo being passed thru the United Nations assembly. It is written in plain English, but the note needs to be interpreted depending on the recipient. And for some, the message will never be clear. [No political innuendo intended. LOL]) So what is being displayed from the file_get_contents($image) result?

Unfortunately not a single search result had offered a sentence that elaborates to say "...displays the contents in language XYZ." Nor does any site elaborate on that manner regarding "creating an image", "image code", et al. I assume it all begins with binary, but references to hex, base, etc. seem almost arbitrary without a foundational resource. Ya got that right. But i think I've been understanding and learning more, thanks to the help I've gotten here. At this point "the forest" will probably take care of "the trees" since I'm hopefully disarming ill-intended code with other measures already. This "last thought" seemed like a reasonable idea, if for no other purpose, than to alert me of a potential attack (rather than actually prevent it).

But might it be a start? Stopping even a single 'bad actor' seeems worthwhile. Still, if I echo file_get_contents($image_path); what am I seeing? ASCII? Hex? Other? How do I clean it up to view it properly (in its entirety)? Is it the same for jpg , png, bmp, etc?

Does someone like this seem like a practical and effective effort? Limitations? Potential problems? Sensible?

@requinix THANK YOU. Very enlightening. I think I have most precautionary measures covered adequately, but the more I read, the higher my stress level climbs. Granted there are some articles/blogs that are just inaccurate, misleading, or completely wrong; and I thank you for helping me sort them out from the valid resources and information. I've seen recommendations to encode images to base64. Or decode to hex. Or transform into a string. All suggesting that analyzing the file in this way could facilitate in detecting hidden scripting: Are any of these ideas worth considering? Effective? And then I stumbled across blobs, but thankfully, I don't see that as my preferred pathway.

id = "uploaad" ???? Did you want TWO letter AAs? Easier to fix it now before problems (if it was a typo).

I've been surfing the web and reading various articles, and probably have more questions than answers, so any guidance or direction to resources will (hopefully) be useful. I'm trying to connect the dots to more adequately understand the security issues within uploading image files. From its inception, light hits a camera sensor and an image is created. Is it in binary form? ASCII? Other? Now suppose additional code is added to the image. (For this example, let's say it's a simple script that says Hello - which I suppose would STILL be considered malicious). If it's simply placed into the image code, how can I open the image (as the recipient) to see the code in its TEXT form? (I'm assuming that the code would need to be activated either by clicking the script or calling the code in order to actual function) And if the code is hidden or camouflaged by using an alternate character set, how would it be translated from the unnoticeable character set into something more meaningful in order to perform?

I guess it depends on what is being examined (and retained) by imagecreatefromjpeg(). Surely it's examining more than just the file extension to determine whether true or false. And if an image does PASS (as true) but contains malicious code, is it nullified? Suppose I take a 10 kb jpeg and incorporate 1 MB of evil scripting. The uploaded file is now the size of that sum, right? What size will it be after running through imagecreatefromjpeg? Does the process evaluate the file and eliminate/erase/void pieces that are not color/image related?? (Maybe I should learn to hack so I can test it myself, LoL)

I've got this working thanks to everybody that's assisted. Now I've got a more academic question: what exactly is $im = imagecreatefromjpeg($file); doing when it runs? More directly, suppose a malicious actor places evil code into a jpeg file that passes thru this function. Will the file always fail? Or is it more prudent to continue with: $file = $im; //overwrite with $im Because $im will somehow be 'cleansed' of the evil code that had been inserted. Is continuing with $file safe if it passed this examination? I'm trying to understand the inner workings, especially since I'm using this more as a security measures than a file reproduction method.

@kicken Thanks for the insight. I think/hope that I've got that figured out already, but I'll re-examine again. I've been trying to cover that case too. Perhaps I'll need a new thread, but I found it quite revealing while working on "file sanitization" when I discovered that Lil Bobby Tables could access my data. I've run tests where I added ?file=../../etc/passwd To the end of a php URL, but gotten nothing unexpected. Am I just lucky? Already secure? Or a bad hacker? How can I trigger a negative result to help me implement a more positive security protocol?

@gizmola Good information So essentially, if hosting a fun friendly site, the SESSION can remain active to greet the user every time they visit the website? But what if more security is desired, like a page with banking information? What's the best way to handle a log out and elimination of the session? Will this also eliminate the cookie?

What is it that I (might not) be seeing? What potential problems am I inviting? Or is this just a macho induced control issue? If a sub-folder named userDirs is designated for users to create folders with names that they want, where is the harm? If a user creates folder "puppy" and instead I initiated the new folder 345 (but I equate 345 to puppy), they will still see a URL path /blah/blah/userDirs/345, right? So a hacker will not have been stalled, will they? If the folder is not allowed to contain any . $?<>/ shouldn't that protect me? Or perhaps limiting name size and allowing only alphanumerics is better? I still feel like I'm missing a valuable piece to the puzzle. Insight, please.

At this point I think I'd better just stick with the areas that have problems I can overcome. Perhaps later I'll research the "private" aspect. I guess my initial thinking wasn't totally off-base. If I've VALIDATED the file fully, and changed the name anyway, then any malicious efforts should be nullified. So even if a bad intent were initiated, it should be defused. But why not let a user name a directory? Clearly locating the folder contents is not the issue? Placement? If I have a designated destination and RegEx naming requirements implemented, is there still a risk that I'm not seeing?

You're not seeing error messages because the are NOT being ECHOed. In order to display a message in PHP it needs to resemble: echo "now I see my message"; (The quoted text will be displayed.)

From what I've learned, server validation (with PHP) is the safeguard. Client-side (like JS) is prettier and more user friendly, but also unreliable since it can be easily altered or removed. Use both as applicable and practical. As for your actual issue, there are likely several approaches that could be useful. To me, the most obvious would be that you are using a variable $error. $error has several messages depending on the input you are validating. It seems to be an exciting constant throughout your script. Do why not utilize it with something like Essentially, your trolling PHP that every error provides a message, so unless there are no messages, do not process. If $error is empty (the way it started without being diverted) then there are no messages, which means no errors, and it's then safe to proceed. You can use a similar technique with JavaScript.

Am I looking for solutions when no problem exists? I really thought I read something about a security risk in letting the directory that was home to images become visible. There was certainly a cautionary note to NOT let users name directories. I assumed that this (like the name of a file) was to prevent access (if a malicious file were uploaded). If none of this matters, why not allow a user to name a folder and retain image names? After all, access to the images will be readily available anyway, right? Am I not making an obvious connection here?

I want to allow users to upload images and then create a gallery. I am already checking file extension and taking other measures to ensure that the file is in fact a real image. I am changing the image name, so that even if the file is malicious, it is not easily accessible. But I'm not sure of the best way to display the images afterward. If images are uploaded to the XYZ directory, is it wise to display them from that location? Is it insecure for an image to be viewed from /blah/blah/blah/XYZ/renamedimg.jpg ? What is the safest way to approach this?

I thought that after a fully sanitizing scrub of uploaded images, a simple display gallery would suffice. Then I was advised to change image names and rename directories for added security. Yet after all these precautions, it seems it's still insecure to exhibit user images? I recall a suggestion to have images SERVED (rather than using HTML <img> tag), but cannot find a method, starting point, or clear rationale for this. Guidance, advice, and insight to point me in the right direction, please.

@maxxd I stand corrected. Although I did say: I probably should have been more careful. Thanks for setting things straight.

I've got a better idea, since you've stated: Why don't you give me a reasonable solution to my issue in the form titled "imagecreatefromjpeg failure"? That would make you a helpful contributor.

I think you need to understand how websites are built. But it's late and I'm tired, and I still cannot figured out why only some of my images cause an error on upload. Nonetheless, we put files into folders. For the most part, there is a logical method so that WE can find them to edit, update, etc. My webpage is my grocery cart. It has ice cream and meats and fruits and vegetables. I TRY to bag my items so the stuff for the freezer, fridge, pantry, and fruit bowl are nicely organized. Sometimes the bags get too full, often I get confused, occasionally items spill into other bags. And maybe I get candy. As long as everything makes it home, I'm happy. And as long as my web link gets the user to the right page, I really don't care if the can of soup is in with the frozen food.

I clicked on a link: www.beautifulgirls/must_see I thought they were ugly and wish I hadn't looked. Should I complain about the link address or the content of the webpage? Consider wisely, and apply accordingly.

How is that possible if the other two test files originate from the same folder? Clearly it (and the path) exists. How can I drill down for a deeper explanation? Also, I've realized that some images do not refresh unless browser history / cache is cleared. Research send to point to using no-cache headers or a flush directive. What is the best/suggested method?

Glad I could help.

From my experience (which is much less extensive than Barand's) double quotes as single quotes are mostly, but NOT ALWAYS, a matter of personal preference. There are definitely guidelines for dealing with strings and certain other specifics, but GENERALLY, either one will accomplish a task (as long as you remain consistent in your usage). To dissect your example: $var = 'value'; //since value is a non-numerical text the quotes are required echo 'value'; //simply tells PHP that you want the text inside the quotes to be displayed echo '$var'; //indicates that you want the item in the quotes (which translates to a variable value, in this case) to be displayed. echo " 'var' "; //would tell PHP to display the text value surrounded by the first set of quotes (the double quotes) and the $ will inform PHP to use the variable The expected result would be 'var' (although you may trigger an error bc you didn't handle the single quotes as special characters) Taken further, if you coded: echo "The variable 'var' is a test"; //it would display the exact sentence WITH the awkward spacing. echo 'The variable "var" is a test'; //would duplicate above BUT echo "The variable '$var' is a test"; //would INTEGRATE the text and the VARIABLE with the result of: The variable 'value' is a test echo "The variable ". $var . " is a test"; //would INTEGRATE the text and the VARIABLE with the result of: The variable value is a test Best if you play around with the variations on your own. And then follow up with error checking and handling of special characters.