Jump to content

Image Upload Flash to Php, php security help!

nightkarnation

By nightkarnation
in PHP Coding Help

 Share

Recommended Posts

nightkarnation Regular Member

nightkarnation

Posted
Posted

Hey Guys!

I have a website in flash where some users can upload a jpg, jpeg image to my server and then approved or denied...

The image is resized to 1000 x 1000 max (if its higher than those numbers)

 

I am afraid that my script doesnt have any kind of protection to hacks like "virus.php.jpg" or any other type of attacks due to the lack of knowledge I have on this subject. I am a little bit lost as to what I could do to prevent some of these attacks...

I would really appreciate some feedback and or basic lines of prevention code to prevent at least some basic attacks

 

Heres my php code for the image upload:

 


// Set local PHP vars from the POST vars sent from flash
$Name = $_POST['Name'];
$itemNumber = $_POST['imageType'];
$filename = $_FILES['Filedata']['name'];	
$filetmpname = $_FILES['Filedata']['tmp_name'];
$fileType = $_FILES["Filedata"]["type"];
$fileSizeMB = ($_FILES["Filedata"]["size"] / 1024 / 1000);


list($filename, $extension) = explode('.', basename($_FILES['Filedata']['name']));
$filename = $Name;
$target = $filename . $itemNumber . "." . $extension;


// Place file on server, into the images folder
move_uploaded_file($_FILES['Filedata']['tmp_name'], "../Winner_Images/".$target);

ini_set("memory_limit","30M");

$source_pic = "../Winner_Images/".$target;
$destination_pic = "../Winner_Images/".$target;
$max_width = 1000;
$max_height = 1000;

$src = imagecreatefromjpeg($source_pic);
list($width,$height)=getimagesize($source_pic);

$x_ratio = $max_width / $width;
$y_ratio = $max_height / $height;

if( ($width <= $max_width) && ($height <= $max_height) ){
    $tn_width = $width;
    $tn_height = $height;
    }elseif (($x_ratio * $height) < $max_height){
        $tn_height = ceil($x_ratio * $height);
        $tn_width = $max_width;
    }else{
        $tn_width = ceil($y_ratio * $width);
        $tn_height = $max_height;
}

$tmp=imagecreatetruecolor($tn_width,$tn_height);
imagecopyresampled($tmp,$src,0,0,0,0,$tn_width, $tn_height,$width,$height);

imagejpeg($tmp,$destination_pic,100);
imagedestroy($src);
imagedestroy($tmp);

 

Thanks a lot in advance!!

Cheers!

xyph Advanced Member

xyph

Posted
Posted

virus.php.jpg should never get parsed as code by the PHP engine. It should never be executed server-side.

 

As long as you verify the extension is JPG, and that your php.ini is not set to parse files with the jpg entension, you will be fine.

 

The only thing that will go wrong is the image will look like garbage, and functions like getimagesize will fail.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.