sean14592 (Author) Posted August 2, 2008

Hi, I'm giving this script away for free to a few of my mates, though they are saying I need to make it more secure, so that people can't change like a .exe to a .jpg so that it can pass the current security. How can I somehow make the script read the file or make sure the images are actually images!

Code:

// Upload Files
// Configuration ($uploaddir, $siteurl and $allowed_filetypes are set in the config include).
$maxsize = 2097152; // Maximum filesize in BYTES (currently 2MB).
$upload_path = $uploaddir; // The place the files will be uploaded to (currently a 'files' directory).
$filename = $_FILES['userfile']['name']; // Get the name of the file (including file extension).
// Get the extension from the filename (from the LAST dot, lower-cased, so "my.photo.JPG" gives ".jpg").
$dotpos = strrpos($filename, '.');
$ext = ($dotpos === false) ? '' : strtolower(substr($filename, $dotpos));

// Check if the filetype is allowed, if not DIE and inform the user.
if(!in_array($ext, $allowed_filetypes)){
    echo 'Oops! Image format not allowed!';
    exit;
}

// Now check the filesize, if it is too large then DIE and inform the user.
if(filesize($_FILES['userfile']['tmp_name']) > $maxsize){
    echo 'Oops! Image is too big!';
    exit;
}

// Check if we can upload to the specified path, if not DIE and inform the user.
if(!is_writable($upload_path)){
    die('You cannot upload to the specified directory, please CHMOD it to 777.');
}

// This line assigns a random number to a variable. You could also use a timestamp here if you prefer.
$ran = rand();
// The random number becomes the file name; the extension (which already starts with a dot) is appended below.
$ran2 = $ran;
// This is the directory you want to save into (the same one checked for writability above)... make sure it exists!
$target = $upload_path;
// This combines the directory, the random file name, and the extension
$target = $target . $ran2 . $ext;

if(move_uploaded_file($_FILES['userfile']['tmp_name'], $target)) {
    echo "<p>Your image was successfully uploaded!</p>
    <p><strong>Forums</strong><br />
    <input name=\"textfield\" type=\"text\" id=\"textfield\" size=\"75\" value=\"[url=".$siteurl."][img=".$siteurl.$uploaddir.$ran2.$ext."][/url]\"/> </p>
    <p><strong>Forums (2)</strong><br />
    <input name=\"textfield2\" type=\"text\" id=\"textfield2\" size=\"75\" value=\"[url=".$siteurl."][img=".$siteurl.$uploaddir.$ran2.$ext."][/url]\"/> </p>
    <p><strong>Direct Link</strong><br />
    <input name=\"textfield4\" type=\"text\" id=\"textfield4\" value=\"".$siteurl.$uploaddir.$ran2.$ext."\" size=\"75\" /></p>";
} else {
    echo 'Oops! Looks like we have a problem....<br><br>';
    echo '<b>Error: <font color="#FF3300"><u>There was a weird error!</u></font></b>';
    exit;
}
JasonLewis Posted August 2, 2008

Okay, here are a few ways...

1. Use getimagesize(). One of the elements returned is the image type.

2. You can explode the filename at a period (.) then get the value of the last element and compare it to an array. Example:

$filename = "theimages.file.name.here.jpg";
$allowed_ext = array("jpg", "jpeg", "png", "bmp", "gif");
$tmp_exp = explode(".", $filename);
if(!in_array(strtolower($tmp_exp[count($tmp_exp)-1]), $allowed_ext)){
    // Not a valid extension...
    echo "Invalid image extension!";
}else{
    // It's valid!
}

3. exif_imagetype(). Don't know about this one but you could try it.

Good luck.
sean14592 (Author) Posted August 2, 2008

ah, I'm still sooo confused lol. I have already checked the file extension (type). It's the fact that people can hide files under a .jpg extension. Anyone have MSN?
sean14592 (Author) Posted August 2, 2008

ok, I'm using this code, though even if I do upload a valid jpg, I still get the error:

//DOUBLE CHECK TYPE: if image MIME type from GD getimagesize() - In case it was a FAKE!
if(($info['mime'] != "image/jpeg") && ($info['mime'] != "image/pjpeg") && ($info['mime'] != "image/png")) {
    die("<BR><BR>Error3: Upload file type un-recognized. Only .JPG or .PNG images allowed.");
}

I'm using PHP V5.
JasonLewis Posted August 2, 2008

No wait... Excuse me...
sean14592 (Author) Posted August 2, 2008

> No wait... Excuse me...

Sorry, I don't understand?
JasonLewis Posted August 2, 2008

Sorry, I posted something wrong. Just edited it out, because it was useless. Okay, try this:

list($width, $height, $type, $attr) = getimagesize("filenamehere");
$mime = image_type_to_mime_type($type);
if(($mime != "image/jpeg") && ($mime != "image/pjpeg") && ($mime != "image/png")) {
    die("<BR><BR>Error3: Upload file type un-recognized. Only .JPG or .PNG images allowed.");
}

I wasn't too sure if you were actually getting the mime type.
sean14592 (Author) Posted August 2, 2008

ok,.. thanks for your help btw. I now get:

Warning: getimagesize(Array) [function.getimagesize]: failed to open stream: No such file or directory in /home/spiral/public_html/phpimg/upload.php on line 89
JasonLewis Posted August 2, 2008

What exactly did you put into getimagesize()? I've modified your original code:

// Upload Files
// Configuration ($uploaddir, $siteurl and $allowed_filetypes are set in the config include).
$maxsize = 2097152; // Maximum filesize in BYTES (currently 2MB).
$upload_path = $uploaddir; // The place the files will be uploaded to (currently a 'files' directory).
$filename = $_FILES['userfile']['name']; // Get the name of the file (including file extension).
// Get the extension from the filename (from the LAST dot, lower-cased, so "my.photo.JPG" gives ".jpg").
$dotpos = strrpos($filename, '.');
$ext = ($dotpos === false) ? '' : strtolower(substr($filename, $dotpos));

// Check if the filetype is allowed, if not DIE and inform the user.
if(!in_array($ext, $allowed_filetypes)){
    echo 'Oops! Image format not allowed!';
    exit;
}

// Check the actual content of the temp file, not the name the browser sent.
list($width, $height, $type, $attr) = getimagesize($_FILES['userfile']['tmp_name']);
$mime = image_type_to_mime_type($type);
if(($mime != "image/jpeg") && ($mime != "image/pjpeg") && ($mime != "image/png")) {
    die("<BR><BR>Error3: Upload file type un-recognized. Only .JPG or .PNG images allowed.");
}

// Now check the filesize, if it is too large then DIE and inform the user.
if(filesize($_FILES['userfile']['tmp_name']) > $maxsize){
    echo 'Oops! Image is too big!';
    exit;
}

// Check if we can upload to the specified path, if not DIE and inform the user.
if(!is_writable($upload_path)){
    die('You cannot upload to the specified directory, please CHMOD it to 777.');
}

// This line assigns a random number to a variable. You could also use a timestamp here if you prefer.
$ran = rand();
// The random number becomes the file name; the extension (which already starts with a dot) is appended below.
$ran2 = $ran;
// This is the directory you want to save into (the same one checked for writability above)... make sure it exists!
$target = $upload_path;
// This combines the directory, the random file name, and the extension
$target = $target . $ran2 . $ext;

if(move_uploaded_file($_FILES['userfile']['tmp_name'], $target)) {
    echo "<p>Your image was successfully uploaded!</p>
    <p><strong>Forums</strong><br />
    <input name=\"textfield\" type=\"text\" id=\"textfield\" size=\"75\" value=\"[url=http://".$siteurl."][img=http://".$siteurl.$uploaddir.$ran2.$ext."][/url]\"/> </p>
    <p><strong>Forums (2)</strong><br />
    <input name=\"textfield2\" type=\"text\" id=\"textfield2\" size=\"75\" value=\"[url=http://".$siteurl."][img=http://".$siteurl.$uploaddir.$ran2.$ext."][/url]\"/> </p>
    <p><strong>Direct Link</strong><br />
    <input name=\"textfield4\" type=\"text\" id=\"textfield4\" value=\"http://".$siteurl.$uploaddir.$ran2.$ext."\" size=\"75\" /></p>";
} else {
    echo 'Oops! Looks like we have a problem....<br><br>';
    echo '<b>Error: <font color="#FF3300"><u>There was a weird error!</u></font></b>';
    exit;
}

I think that should do it.
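The two replies above (the list of three checks, and the corrected handler that calls getimagesize() on the temp file) cover detection by extension and by magic bytes. The following is an added example, not code from the thread or from either poster, showing how the same handler looks when the stored file is one the server re-rendered through GD rather than the bytes the client sent, so a file that merely begins with a valid image header is not kept as-is. It assumes the form field is named "userfile", that GD is available, that $uploaddir is a directory the web server is configured never to execute scripts from, and PHP 7 or later for random_bytes(); the function and variable names are my own.

```php
<?php
// Added example (not from the thread): validate an upload by content, then
// re-encode it with GD so only pixel data reaches the upload directory.
// Assumed: field name "userfile", GD present, $uploaddir not script-executable.

function validate_and_store_image(array $file, string $upload_dir, int $max_bytes = 2097152): string
{
    // 1. PHP's own upload status must be clean before anything in $file is trusted.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . (isset($file['error']) ? $file['error'] : 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($file['tmp_name']) > $max_bytes) {
        throw new RuntimeException('File too large');
    }

    // 2. The client-supplied name is only consulted for the extension whitelist;
    //    it never describes the content and never reaches the final path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $allowed = array('jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                     'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF);
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // 3. Content check, as suggested in the thread: getimagesize() parses the
    //    image header. The detected type must match the extension, not just be
    //    "some image", otherwise a mismatch is a sign of tampering.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        throw new RuntimeException('File content does not match its extension');
    }
    $type = $info[2];

    // 4. A header check alone is not enough: an otherwise valid image can carry
    //    arbitrary trailing or embedded data. Decoding and re-encoding with GD
    //    produces a new file containing only what GD rendered.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    // 5. Server-chosen name and extension (random, not rand()), so the stored
    //    path is unpredictable and the client name is never used in it.
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($type);
    $dest = rtrim($upload_dir, '/') . '/' . $name;

    switch ($type) {
        case IMAGETYPE_JPEG:
            $ok = imagejpeg($img, $dest, 90);
            break;
        case IMAGETYPE_PNG:
            imagesavealpha($img, true); // keep transparency through the re-encode
            $ok = imagepng($img, $dest);
            break;
        case IMAGETYPE_GIF:
            $ok = imagegif($img, $dest); // animated GIFs are flattened to the first frame
            break;
        default:
            $ok = false;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $name;
}

// Usage in place of the move_uploaded_file() branch from the thread's handler:
try {
    $stored = validate_and_store_image($_FILES['userfile'], $uploaddir);
    echo '<p>Your image was successfully uploaded as ' . htmlspecialchars($stored) . '</p>';
} catch (RuntimeException $e) {
    echo '<p>Upload rejected: ' . htmlspecialchars($e->getMessage()) . '</p>';
}
```

The re-encode is the step that actually answers the question in the first post: the extension whitelist and getimagesize() decide whether to accept the upload, but only the GD-generated file is written, so the bytes the client chose are discarded. It belongs alongside, not instead of, a web-server rule that refuses to execute anything in the upload directory, because that rule is what limits the damage if any check here is ever bypassed. The cost is that original metadata (EXIF) and GIF animation are lost, which is usually acceptable for a forum image host.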
sean14592 (Author) Posted August 2, 2008

ok, fixed. Cheers soooo much mate