.jpeg.8ec67f371e1ef4cde740f60480786a37.jpeg)
phppup
-
Posts
796 -
Joined
-
Last visited
-
Days Won
1
Posts posted by phppup
-
-
7 hours ago, kicken said:
If you wanted you could opt to render it as a string of 1s and 0s.
...and there's nothing preventing you from interpreting the same data in multiple different ways...
@kicken Thanks for clarifying that for me.
Thankfully, my understanding wasn't/isn't that far off, although my terminology may have been a little murky.
So how can I display an image as just 1s and 0s in a browser?
And to my REAL question, what is the preferred/default method of interpretation for PHP?
(Am I correct that images are essentially meaningless to PHP for display purposes?
ECHO $img; is worthless [until HTML intervenes to help translate with an <img> tag]
It's like a memo being passed thru the United Nations assembly. It is written in plain English, but the note needs to be interpreted depending on the recipient. And for some, the message will never be clear. [No political innuendo intended. LOL])
So what is being displayed from the
file_get_contents($image)
result?
-
1 hour ago, requinix said:
This is a really, really basic and fundamental question about what files are and what file_get_contents does.
Unfortunately not a single search result had offered a sentence that elaborates to say "...displays the contents in language XYZ."
Nor does any site elaborate on that manner regarding "creating an image", "image code", et al.
I assume it all begins with binary, but references to hex, base, etc. seem almost arbitrary without a foundational resource.
Quoteup to your neck......
Ya got that right.
But i think I've been understanding and learning more, thanks to the help I've gotten here.
At this point "the forest" will probably take care of "the trees" since I'm hopefully disarming ill-intended code with other measures already.
This "last thought" seemed like a reasonable idea, if for no other purpose, than to alert me of a potential attack (rather than actually prevent it).
-
But might it be a start?
Stopping even a single 'bad actor' seeems worthwhile.
Still, if I
echo file_get_contents($image_path);
what am I seeing?
ASCII? Hex? Other?
How do I clean it up to view it properly (in its entirety)?
Is it the same for jpg , png, bmp, etc?
-
Quote
I don't know how any of that would help - at least not in an automated way.
Does someone like this
Quote$imageFile = file_get_contents($image_path);
$dangerousSyntax = ['<?', '<?php', '?>'];
$error = '';
foreach($dangerousSyntax as $value) {
$find = strpos($value, $imageFile);
if( $find == true ) {
unlink$image_path);
$error = 'Found dangerous code in image';
}
}
//$error could be used to determine other actions that would follow
seem like a practical and effective effort?
Limitations? Potential problems?
Sensible?
-
@requinix THANK YOU.
Very enlightening.
I think I have most precautionary measures covered adequately, but the more I read, the higher my stress level climbs.
Granted there are some articles/blogs that are just inaccurate, misleading, or completely wrong; and I thank you for helping me sort them out from the valid resources and information.
I've seen recommendations to encode images to base64. Or decode to hex. Or transform into a string. All suggesting that analyzing the file in this way could facilitate in detecting hidden scripting: Are any of these ideas worth considering? Effective?
And then I stumbled across blobs, but thankfully, I don't see that as my preferred pathway.
-
Quote
<button type="button" id="uploaad">upload</button>
id = "uploaad" ????
Did you want TWO letter AAs?
Easier to fix it now before problems (if it was a typo).
-
I've been surfing the web and reading various articles, and probably have more questions than answers, so any guidance or direction to resources will (hopefully) be useful.
I'm trying to connect the dots to more adequately understand the security issues within uploading image files.
From its inception, light hits a camera sensor and an image is created. Is it in binary form? ASCII? Other?
Now suppose additional code is added to the image. (For this example, let's say it's a simple script that says Hello - which I suppose would STILL be considered malicious).
If it's simply placed into the image code, how can I open the image (as the recipient) to see the code in its TEXT form?
(I'm assuming that the code would need to be activated either by clicking the script or calling the code in order to actual function)
And if the code is hidden or camouflaged by using an alternate character set, how would it be translated from the unnoticeable character set into something more meaningful in order to perform?
-
I guess it depends on what is being examined (and retained) by imagecreatefromjpeg().
Surely it's examining more than just the file extension to determine whether true or false.
And if an image does PASS (as true) but contains malicious code, is it nullified?
Suppose I take a 10 kb jpeg and incorporate 1 MB of evil scripting. The uploaded file is now the size of that sum, right?
What size will it be after running through imagecreatefromjpeg?
Does the process evaluate the file and eliminate/erase/void pieces that are not color/image related??
(Maybe I should learn to hack so I can test it myself, LoL)
-
I've got this working thanks to everybody that's assisted.
Now I've got a more academic question: what exactly is
$im = imagecreatefromjpeg($file);
doing when it runs?
More directly, suppose a malicious actor places evil code into a jpeg file that passes thru this function.
Quote$im = imagecreatefromjpeg($file);
if(!$im)
{echo "image failed";
} else {
echo "file is good"; }
Will the file always fail?
Or is it more prudent to continue with:
$file = $im; //overwrite with $im
Because $im will somehow be 'cleansed' of the evil code that had been inserted.
Is continuing with $file safe if it passed this examination?
I'm trying to understand the inner workings, especially since I'm using this more as a security measures than a file reproduction method.
-
Quote
What if 5 different users want to make the folder "puppy"? Do you just mix all their files in that folder? What if their files are also all named "cutest.jpg"? Whoever uploads last gets the spot?
@kicken Thanks for the insight.
I think/hope that I've got that figured out already, but I'll re-examine again.
QuoteMake sure you validate against path traversal attacks so they can't break out of that isolation.
I've been trying to cover that case too.
Perhaps I'll need a new thread, but I found it quite revealing while working on "file sanitization" when I discovered that Lil Bobby Tables could access my data.
I've run tests where I added
?file=../../etc/passwd
To the end of a php URL, but gotten nothing unexpected.
Am I just lucky? Already secure? Or a bad hacker?
How can I trigger a negative result to help me implement a more positive security protocol?
-
@gizmola Good information
So essentially, if hosting a fun friendly site, the SESSION can remain active to greet the user every time they visit the website?
But what if more security is desired, like a page with banking information?
What's the best way to handle a log out and elimination of the session?
Will this also eliminate the cookie?
-
16 hours ago, requinix said:
Maybe.
What is it that I (might not) be seeing? What potential problems am I inviting?
Or is this just a macho induced control issue?
If a sub-folder named userDirs is designated for users to create folders with names that they want, where is the harm?
If a user creates folder "puppy" and instead I initiated the new folder 345 (but I equate 345 to puppy), they will still see a URL path /blah/blah/userDirs/345, right? So a hacker will not have been stalled, will they?
If the folder is not allowed to contain any . $?<>/ shouldn't that protect me?
Or perhaps limiting name size and allowing only alphanumerics is better?
I still feel like I'm missing a valuable piece to the puzzle. Insight, please.
-
At this point I think I'd better just stick with the areas that have problems I can overcome.
Perhaps later I'll research the "private" aspect.
I guess my initial thinking wasn't totally off-base. If I've VALIDATED the file fully, and changed the name anyway, then any malicious efforts should be nullified. So even if a bad intent were initiated, it should be defused.
But why not let a user name a directory? Clearly locating the folder contents is not the issue?
Placement? If I have a designated destination and RegEx naming requirements implemented, is there still a risk that I'm not seeing?
-
You're not seeing error messages because the are NOT being ECHOed.
In order to display a message in PHP it needs to resemble:
echo "now I see my message";
(The quoted text will be displayed.)
-
From what I've learned, server validation (with PHP) is the safeguard.
Client-side (like JS) is prettier and more user friendly, but also unreliable since it can be easily altered or removed.
Use both as applicable and practical.
As for your actual issue, there are likely several approaches that could be useful.
To me, the most obvious would be that you are using a variable $error.
$error has several messages depending on the input you are validating.
It seems to be an exciting constant throughout your script. Do why not utilize it with something like
Quote// assign variables
$error = ""; //at TOP with other variables
////your validations
if($error != "") {
echo "Fix the ERROR that exists";
} else {
////process data
Essentially, your trolling PHP that every error provides a message, so unless there are no messages, do not process.
If $error is empty (the way it started without being diverted) then there are no messages, which means no errors, and it's then safe to proceed.
You can use a similar technique with JavaScript.
-
Am I looking for solutions when no problem exists?
I really thought I read something about a security risk in letting the directory that was home to images become visible.
There was certainly a cautionary note to NOT let users name directories. I assumed that this (like the name of a file) was to prevent access (if a malicious file were uploaded).
If none of this matters, why not allow a user to name a folder and retain image names?
After all, access to the images will be readily available anyway, right?
Am I not making an obvious connection here?
-
I want to allow users to upload images and then create a gallery.
I am already checking file extension and taking other measures to ensure that the file is in fact a real image.
I am changing the image name, so that even if the file is malicious, it is not easily accessible.
But I'm not sure of the best way to display the images afterward.
If images are uploaded to the XYZ directory, is it wise to display them from that location?
Is it insecure for an image to be viewed from /blah/blah/blah/XYZ/renamedimg.jpg ? What is the safest way to approach this?
-
I thought that after a fully sanitizing scrub of uploaded images, a simple display gallery would suffice.
Then I was advised to change image names and rename directories for added security.
Yet after all these precautions, it seems it's still insecure to exhibit user images?
I recall a suggestion to have images SERVED (rather than using HTML <img> tag), but cannot find a method, starting point, or clear rationale for this.
Guidance, advice, and insight to point me in the right direction, please.
-
@maxxd I stand corrected.
Although I did say:
QuoteThere are definitely guidelines for dealing with strings and certain other specifics.....
I probably should have been more careful.
Thanks for setting things straight.
-
I've got a better idea, since you've stated:
QuoteI've already mentioned that this work is pretty darn simple.
Why don't you give me a reasonable solution to my issue in the form titled "imagecreatefromjpeg failure"?
That would make you a helpful contributor.
-
I think you need to understand how websites are built.
But it's late and I'm tired, and I still cannot figured out why only some of my images cause an error on upload.
Nonetheless, we put files into folders. For the most part, there is a logical method so that WE can find them to edit, update, etc.
My webpage is my grocery cart. It has ice cream and meats and fruits and vegetables.
I TRY to bag my items so the stuff for the freezer, fridge, pantry, and fruit bowl are nicely organized.
Sometimes the bags get too full, often I get confused, occasionally items spill into other bags. And maybe I get candy.
As long as everything makes it home, I'm happy.
And as long as my web link gets the user to the right page, I really don't care if the can of soup is in with the frozen food.
-
I clicked on a link:
www.beautifulgirls/must_see
I thought they were ugly and wish I hadn't looked.
Should I complain about the link address or the content of the webpage?
Consider wisely, and apply accordingly.
-
How is that possible if the other two test files originate from the same folder? Clearly it (and the path) exists.
How can I drill down for a deeper explanation?
Also, I've realized that some images do not refresh unless browser history / cache is cleared.
Research send to point to using no-cache headers or a flush directive. What is the best/suggested method?
-
Glad I could help.
HTML Form only shows PHP File Directory in the Address Bar - no email sent.
in PHP Coding Help
Posted
As previously mentioned, YES, place some functional validation to determine IF the system sent the email.
Something like
This will not only help you during development, but also benefit the user when operational.
And, as often recommended, turn on ERROR REPORTING by placing this immediately after your opening PHP tag <?
(if you haven't used this, just do something blatantly wrong and then run the page to see the result)
** Remove it BEFORE production **
Aside from your CODE, other variables can be in-play with email. Spam filters are notorious for creating issues.
If you're sending and receiving identical messages repeatedly, the safety net may outsmart itself and cause you an issue.
I've personally had emails take hours until being released by the server. Or tested soooo many times that a failure/spam designation stopped everything.
My suggestion: if the code is good, send an email to an outside address and confirm it to another (with a subject line that does NOT contain "test" or "sample" etc). - EVERYTHING has to 'appear' to be "real/valid" communication.
Once you've established that messages are being sent and received adequately, then you can gingerly tweak the settings (with a degree of confidence).