nightkarnation Posted May 31, 2011 Share Posted May 31, 2011 Hey Guys! I have a website in flash where some users can upload a jpg, jpeg image to my server and then approved or denied... The image is resized to 1000 x 1000 max (if its higher than those numbers) I am afraid that my script doesnt have any kind of protection to hacks like "virus.php.jpg" or any other type of attacks due to the lack of knowledge I have on this subject. I am a little bit lost as to what I could do to prevent some of these attacks... I would really appreciate some feedback and or basic lines of prevention code to prevent at least some basic attacks Heres my php code for the image upload: // Set local PHP vars from the POST vars sent from flash $Name = $_POST['Name']; $itemNumber = $_POST['imageType']; $filename = $_FILES['Filedata']['name']; $filetmpname = $_FILES['Filedata']['tmp_name']; $fileType = $_FILES["Filedata"]["type"]; $fileSizeMB = ($_FILES["Filedata"]["size"] / 1024 / 1000); list($filename, $extension) = explode('.', basename($_FILES['Filedata']['name'])); $filename = $Name; $target = $filename . $itemNumber . "." . $extension; // Place file on server, into the images folder move_uploaded_file($_FILES['Filedata']['tmp_name'], "../Winner_Images/".$target); ini_set("memory_limit","30M"); $source_pic = "../Winner_Images/".$target; $destination_pic = "../Winner_Images/".$target; $max_width = 1000; $max_height = 1000; $src = imagecreatefromjpeg($source_pic); list($width,$height)=getimagesize($source_pic); $x_ratio = $max_width / $width; $y_ratio = $max_height / $height; if( ($width <= $max_width) && ($height <= $max_height) ){ $tn_width = $width; $tn_height = $height; }elseif (($x_ratio * $height) < $max_height){ $tn_height = ceil($x_ratio * $height); $tn_width = $max_width; }else{ $tn_width = ceil($y_ratio * $width); $tn_height = $max_height; } $tmp=imagecreatetruecolor($tn_width,$tn_height); imagecopyresampled($tmp,$src,0,0,0,0,$tn_width, $tn_height,$width,$height); imagejpeg($tmp,$destination_pic,100); imagedestroy($src); imagedestroy($tmp); Thanks a lot in advance!! Cheers! Link to comment https://forums.phpfreaks.com/topic/237939-image-upload-flash-to-php-php-security-help/ Share on other sites More sharing options...
nightkarnation Posted June 1, 2011 Author Share Posted June 1, 2011 Anyone please? Link to comment https://forums.phpfreaks.com/topic/237939-image-upload-flash-to-php-php-security-help/#findComment-1223251 Share on other sites More sharing options...
xyph Posted June 1, 2011 Share Posted June 1, 2011 virus.php.jpg should never get parsed as code by the PHP engine. It should never be executed server-side. As long as you verify the extension is JPG, and that your php.ini is not set to parse files with the jpg entension, you will be fine. The only thing that will go wrong is the image will look like garbage, and functions like getimagesize will fail. Link to comment https://forums.phpfreaks.com/topic/237939-image-upload-flash-to-php-php-security-help/#findComment-1223253 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.