
What is the best way to allow users to upload images in your application?


OOP


Hi there,

I am currently working on a photo gallery application where registered users will have the option to upload their images to a specific folder on the server. So, what is the best way of doing this in order to make sure that no malicious users can do any bad things? Should I upload the image to a folder outside the root directory and write a small script to retrieve the image? Or is there a better way of doing this?

Any suggestion will be highly appreciated.

 

regards


You need to just filter the upload types, filesize etc.

The best thing to do is to either check its mime_type against a list of valid types or, alternatively, check the extension. Another good trick is to give the uploaded file a new name like a randomly generated string or a derivative of the filename..

I've got some code that I use if you would like to have a squizz..


Thanks guys for your quick response... I read one article about embedding PHP code inside a valid image that will bypass the getimagesize() check. What I did not understand is how this code inside the image can be executed! Is it simply going to run once you display the image, or only if your server is configured to run images as PHP files?


By no means should you rely only on mime types and stuff in $_FILES.. But for filesize, error checking etc., $_FILES is very handy.

 

PHP documentation even states:

$_FILES['userfile']['type']

 

    The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.

 

Basically the consensus is do everything possible to prevent bad things from happening..

You could check mime type, extension, and rename the file (i.e. name.jpg to 1233h41h5hh13.jpg; this will not allow the uploader to know the file name) all in one piece of code..

You could also make the uploads only visible by going through a script like download.php?file=1233h41h5hh13.jpg; this will help HIDE your file structure from the nasty people in the world..


As Buddski already mentioned, you can place your uploaded files outside of the public_html directory so they cannot be loaded with a web browser. Then use something like readfile() to read in the files.

Another precaution you can take if you are using an upload directory inside public_html is to use a .htaccess file to turn off PHP and disable other bad file extensions, just in case something malicious gets past your uploader.

Add this to the .htaccess in your upload directory:

 

# Stop mod_php from executing anything in this directory
php_value engine Off

# Treat script-like extensions as CGI, then forbid CGI execution here
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

# Refuse to serve these extensions at all, even as static files
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|php|php3|php4|php5|pl|cgi)$">
Order Allow,Deny
Deny from all
</FilesMatch>

 

That is no substitute for good PHP code but provides a last line of defense in case something bad does try and get by. Note that the first one or two parts of that code are known to cause 500 errors on some servers, so you may need to play with it a bit and remove bits if you get errors. :)

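Pulling the thread's advice together (check the real content type, ignore the browser-supplied one, random filename, store outside public_html, serve through download.php with readfile()), here is an added example that is not code from any of the posters. It assumes the form field is named "image" and that UPLOAD_DIR is a directory the web server can write to but never serves directly.

```php
<?php
// Added example (not from the thread): upload handler following the advice above.
// Assumptions: UPLOAD_DIR is outside public_html; the form field is "image".
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
// MIME types detected from the file *content*, mapped to the extension we assign.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_upload(array $file): string
{
    // ['error'] and ['size'] come from PHP and are safe to use; ['type'] and ['name']
    // come from the browser and are never trusted.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('file too large or not an uploaded file');
    }
    // Detect the type from the bytes on disk, not from the extension or $_FILES['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image type');
    }
    // Random name with an extension we chose: the uploader never controls the stored name.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not move file');
    }
    return $name; // keep this in the database; hand it out as download.php?file=<name>
}

// download.php?file=<name>: streams a stored image without exposing the directory.
function serve_upload(string $requested): void
{
    // Accept only names we generated: 32 hex chars plus one of our extensions,
    // so "../" or any other path is rejected before it reaches the filesystem.
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $requested)) {
        http_response_code(404); exit;
    }
    $path = UPLOAD_DIR . '/' . $requested;
    if (!is_file($path)) { http_response_code(404); exit; }
    header('Content-Type: ' . mime_content_type($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $requested . '"');
    readfile($path);
}

if (isset($_FILES['image']))  { echo store_upload($_FILES['image']); }
elseif (isset($_GET['file'])) { serve_upload($_GET['file']); }
```

This also answers the question above about PHP hidden inside a valid image: such a file passes getimagesize(), but it is only ever read back as bytes by readfile() from a directory the web server does not treat as PHP, so nothing in it is executed.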
