[SOLVED] Secure Image Upload


sean14592

Hi, I'm giving this script away for free to a few of my mates, though they are saying I need to make it more secure, so that people can't change a .exe to a .jpg so that it can pass the current security.

 

How can I somehow make the script read the file or make sure the images are actually images!

 

Code:

$userfile = $_POST['userfile'];

//Upload Files
// $uploaddir, $siteurl and $allowed_filetypes are set in the script's config (not shown here);
// $allowed_filetypes holds the extensions including the dot, e.g. '.jpg'.

   // Configuration
   $maxsize = 2097152; // Maximum filesize in BYTES (currently 2MB).
   $upload_path = $uploaddir; // The place the files will be uploaded to (currently a 'files' directory).

   $filename = $_FILES['userfile']['name']; // Get the name of the file (including file extension).
   $ext = strtolower((string) strrchr($filename, '.')); // Get the extension from the LAST dot in the filename, lower-cased.

   // Check if the filetype is allowed, if not DIE and inform the user.
   if(!in_array($ext, $allowed_filetypes, true)){
      echo 'Oops! Image Format not allowed!';
      exit;
   }
   // Now check the filesize, if it is too large then DIE and inform the user.
   if(filesize($_FILES['userfile']['tmp_name']) > $maxsize){
      echo 'Oops! Image is too big!';
      exit;
   }
   // Check if we can upload to the specified path, if not DIE and inform the user.
   if(!is_writable($upload_path)){
      die('You cannot upload to the specified directory, please CHMOD it to 777.');
   }

//This line assigns a random number to a variable. You could also use a timestamp here if you prefer.
$ran = rand();

//The random number (or timestamp) becomes the file name; $ext already starts with a dot, so it is appended as-is below.
$ran2 = $ran;

//This assigns the directory you want to save into... make sure it exists! (The same directory we checked is writable above.)
$target = $upload_path;
//This combines the directory, the random file name, and the extension
$target = $target . $ran2 . $ext;

if(move_uploaded_file($_FILES['userfile']['tmp_name'], $target))
{
echo "<p>Your image was successfully uploaded!</p>
<p><strong>Forums</strong><br />
  <input name=\"textfield\" type=\"text\" id=\"textfield\" size=\"75\" value=\"[url=".$siteurl."][img=".$siteurl.$uploaddir.$ran2.$ext."][/url]\"/>
</p>
<p><strong>Forums (2)</strong><br />
  <input name=\"textfield2\" type=\"text\" id=\"textfield2\" size=\"75\" value=\"[url=".$siteurl."][img=".$siteurl.$uploaddir.$ran2.$ext."][/url]\"/>
</p>
<p><strong>Direct Link</strong><br />
  <input name=\"textfield4\" type=\"text\" id=\"textfield4\" value=\"".$siteurl.$uploaddir.$ran2.$ext."\" size=\"75\" /></p>
";
}
else
{
echo 'Oops! Looks like we have a problem....<br><br>';
echo '<b>Error: <font color="#FF3300"><u>There was a weird error!</u></font></b>';
exit;
}


Okay, here are a few ways...

 

1. Use getimagesize(). One of the elements returned is the image type.

 

2. You can explode the filename at a period (.) then get the value of the last element and compare it to an array. Example:

$filename = "theimages.file.name.here.jpg";
$allowed_ext = array("jpg","jpeg","png","bmp","gif");

$tmp_exp = explode(".",$filename);
if(!in_array(strtolower($tmp_exp[count($tmp_exp)-1]),$allowed_ext)){
//Not a valid extension...
echo "Invalid image extension!";
}else{
//Its valid!
}

 

3. exif_imagetype(). Don't know about this one but you could try it.

 

Good luck. :)


OK, I'm using this code, though even if I do upload a valid jpg, I still get an error :(

 

//DOUBLE CHECK TYPE: if image MIME type from GD getimagesize() -In case it was a FAKE!
if(($info['mime'] != "image/jpeg") && ($info['mime'] != "image/pjpeg") && ($info['mime'] != "image/png")) {
die("<BR><BR>Error3: Upload file type un-recognized. Only .JPG or .PNG images allowed.");
}

 

I'm using PHP v5


Sorry I posted something wrong. Just edited it out, because it was useless.

 

Okay, try this:

list($width,$height,$type,$attr) = getimagesize("filenamehere");
$mime = image_type_to_mime_type($type);

if(($mime != "image/jpeg") && ($mime != "image/pjpeg") && ($mime != "image/png")) {
die("<BR><BR>Error3: Upload file type un-recognized. Only .JPG or .PNG images allowed.");
}

 

I wasn't too sure if you were actually getting the mime type.


What exactly did you put into getimagesize()?

 

I've modified your original code:

$userfile = $_POST['userfile'];

//Upload Files
// $uploaddir, $siteurl and $allowed_filetypes are set in the script's config (not shown here);
// $allowed_filetypes holds the extensions including the dot, e.g. '.jpg'.

   // Configuration
   $maxsize = 2097152; // Maximum filesize in BYTES (currently 2MB).
   $upload_path = $uploaddir; // The place the files will be uploaded to (currently a 'files' directory).

   $filename = $_FILES['userfile']['name']; // Get the name of the file (including file extension).
   $ext = strtolower((string) strrchr($filename, '.')); // Get the extension from the LAST dot in the filename, lower-cased.

   // Check if the filetype is allowed, if not DIE and inform the user.
   if(!in_array($ext, $allowed_filetypes, true)){
      echo 'Oops! Image Format not allowed!';
      exit;
   }

   // Double-check the real type from the image header, not the filename (in case the extension was faked).
   $info = getimagesize($_FILES['userfile']['tmp_name']);
   if($info === false){
      die("<BR><BR>Error3: Upload file type un-recognized. Only .JPG or .PNG images allowed.");
   }
   list($width, $height, $type, $attr) = $info;
   $mime = image_type_to_mime_type($type);

   if(($mime != "image/jpeg") && ($mime != "image/pjpeg") && ($mime != "image/png")) {
      die("<BR><BR>Error3: Upload file type un-recognized. Only .JPG or .PNG images allowed.");
   }

   // Now check the filesize, if it is too large then DIE and inform the user.
   if(filesize($_FILES['userfile']['tmp_name']) > $maxsize){
      echo 'Oops! Image is too big!';
      exit;
   }
   // Check if we can upload to the specified path, if not DIE and inform the user.
   if(!is_writable($upload_path)){
      die('You cannot upload to the specified directory, please CHMOD it to 777.');
   }

//This line assigns a random number to a variable. You could also use a timestamp here if you prefer.
$ran = rand();

//The random number (or timestamp) becomes the file name; $ext already starts with a dot, so it is appended as-is below.
$ran2 = $ran;

//This assigns the directory you want to save into... make sure it exists! (The same directory we checked is writable above.)
$target = $upload_path;
//This combines the directory, the random file name, and the extension
$target = $target . $ran2 . $ext;

if(move_uploaded_file($_FILES['userfile']['tmp_name'], $target))
{
echo "<p>Your image was successfully uploaded!</p>
<p><strong>Forums</strong><br />
  <input name=\"textfield\" type=\"text\" id=\"textfield\" size=\"75\" value=\"[url=http://".$siteurl."][img=http://".$siteurl.$uploaddir.$ran2.$ext."][/url]\"/>
</p>
<p><strong>Forums (2)</strong><br />
  <input name=\"textfield2\" type=\"text\" id=\"textfield2\" size=\"75\" value=\"[url=http://".$siteurl."][img=http://".$siteurl.$uploaddir.$ran2.$ext."][/url]\"/>
</p>
<p><strong>Direct Link</strong><br />
  <input name=\"textfield4\" type=\"text\" id=\"textfield4\" value=\"".$siteurl.$uploaddir.$ran2.$ext."\" size=\"75\" /></p>
";
}
else
{
echo 'Oops! Looks like we have a problem....<br><br>';
echo '<b>Error: <font color="#FF3300"><u>There was a weird error!</u></font></b>';
exit;
}

 

I think that should do it.

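The three checks suggested in the second reply (getimagesize(), the extension taken from the last dot, exif_imagetype()) and the combined script in the last post both boil down to one idea: judge the upload by its bytes and not by its name, and never let the client pick the extension the file is stored under. The routine below is an added example, not code from this thread; the function names validate_image_upload() and random_image_name() are mine, the GIF header bytes and the non-image bytes are constructed stand-ins for uploaded files, and it assumes PHP 7.4 or later (exif_imagetype() needs ext/exif, so it is used only when present).

```php
<?php
declare(strict_types=1);
// Added example (not code from the thread): validate an uploaded image by
// extension AND by content, then derive the stored extension from the
// detected type. Function names and sample bytes below are constructed.

// Detected image types we accept, mapped to the extension we store them under.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// Extensions a client may claim, mapped to the type the content must then have.
const ALLOWED_EXTENSIONS = [
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
];

/**
 * Returns ['ok' => bool, 'reason' => string, 'ext' => string|null].
 * $tmp_path is the uploaded temp file, $original_name the client-supplied name.
 */
function validate_image_upload(string $tmp_path, string $original_name, int $max_bytes): array
{
    $reject = static fn(string $why): array => ['ok' => false, 'reason' => $why, 'ext' => null];

    // 1. Size check on the file on disk, not on anything the client sent.
    $size = @filesize($tmp_path);
    if ($size === false || $size === 0 || $size > $max_bytes) {
        return $reject('file missing, empty, or over the size limit');
    }

    // 2. Extension check (reply 2): the part after the LAST dot, lower-cased,
    //    so "photo.php.jpg" is judged on "jpg" and "photo.JPG" still matches.
    $parts = explode('.', $original_name);
    $ext   = count($parts) > 1 ? strtolower(end($parts)) : '';
    if (!isset(ALLOWED_EXTENSIONS[$ext])) {
        return $reject("extension '$ext' is not allowed");
    }

    // 3. Content check (reply 1): getimagesize() parses the image header and
    //    returns false for anything it does not recognise as an image, so a
    //    renamed executable fails here whatever it is called.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || !isset(ALLOWED_TYPES[$info[2]])) {
        return $reject('content is not an accepted image');
    }
    $detected = $info[2];

    // 4. Content cross-check (reply 3): exif_imagetype() reads only the file
    //    signature; it lives in ext/exif, so it is used only when available.
    if (function_exists('exif_imagetype') && @exif_imagetype($tmp_path) !== $detected) {
        return $reject('file signature disagrees with image header');
    }

    // 5. The claimed extension must agree with the detected content, so a PNG
    //    cannot be stored as ".jpg"; the stored extension is never client-chosen.
    if (ALLOWED_EXTENSIONS[$ext] !== $detected) {
        return $reject('extension does not match image content');
    }
    return ['ok' => true, 'reason' => 'ok', 'ext' => ALLOWED_TYPES[$detected]];
}

/** Unguessable file name: rand() in the thread is predictable, random_bytes() is not. */
function random_image_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// --- Demo with constructed stand-ins for uploaded files ---------------------
// Minimal GIF header: signature, 1x1 logical screen, then flags/background/aspect.
$gif_bytes  = 'GIF89a' . pack('vvCCC', 1, 1, 0, 0, 0);
// Stand-in for "a .exe renamed to .jpg": bytes that are not an image at all.
$fake_bytes = 'this is not an image';

$cases = [
    ['photo.gif',     $gif_bytes],   // accepted, stored under a random .gif name
    ['photo.GIF',     $gif_bytes],   // accepted, case-insensitive extension
    ['photo.jpg',     $gif_bytes],   // rejected, extension disagrees with content
    ['photo.php.jpg', $fake_bytes],  // rejected, content is not an image
];
foreach ($cases as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $r = validate_image_upload($tmp, $name, 2097152);
    printf("%-14s -> %s: %s%s\n", $name, $r['ok'] ? 'ACCEPT' : 'REJECT', $r['reason'],
        $r['ok'] ? ' (stored as ' . random_image_name($r['ext']) . ')' : '');
    unlink($tmp);
}
```

In the upload script itself, check `$_FILES['userfile']['error'] === UPLOAD_ERR_OK`, call `validate_image_upload($_FILES['userfile']['tmp_name'], $_FILES['userfile']['name'], $maxsize)`, and only then pass `$upload_path . random_image_name($r['ext'])` to `move_uploaded_file()`. Because the stored extension comes from the detected type rather than from the filename, the server never writes a name it did not choose; keeping the upload directory outside the web root, or configured so the web server serves it as static files without executing scripts, removes the remaining risk of anything that lands there being run.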
