jacko_162 Posted June 30, 2011
I have a PHP coded page that uploads images fine to my server. What I wanted to know is: on the page I have a <SELECT> form that allows the user to select an "album" name. Is it possible to use this to create a subfolder in the upload directory using that name? So the user selects the "misc" album, then uploads 5 images. When submit is entered it checks to see if there is a "misc" folder, if not creates one, and uploads the 5 files into that new or currently existing folder. Can this be done, and if so can anyone help me to do so?
xyph Posted June 30, 2011
It can be done. Show me some code, try it out first. Start with a basic upload script. It's easy from there.
EdwinPaul Posted June 30, 2011
It can be done, yes, BUT: it is very unwise and dangerous to accept a name chosen by the user. His/her name might contain possible harmful instructions!
jacko_162 (Author) Posted June 30, 2011
tbh before coding I wanted to sort out the logic behind it all: admin creates an "album", then names this album; this is then input into the db with a timestamp, ID, and the name. The user can then click this album in the admin control panel; from here he will see an upload script (about 5 upload boxes shown). The admin can then select the images to upload and click submit. Upon submit I wanted a small piece of code to fetch the album name; once fetched, check if the upload dir has a folder called "albumname"; if it has, upload to there; if not, create the dir and upload there. Is this doable? If so I will start on creating the upload code.
xyph Posted June 30, 2011
Of course it's doable. EdwinPaul - It's not dangerous. You do have to sanitize the file and folder names, but that's the same as any data coming from the user.
EdwinPaul Posted June 30, 2011
> Of course it's doable. EdwinPaul - It's not dangerous. You do have to sanitize the file and folder names, but that's the same as any data coming from the user.

How about uploading 'index.php'?
jacko_162 (Author) Posted June 30, 2011
You only allow .jpg etc; $allowed_filetypes = array('.jpg','.gif','.bmp','.png'); ?
EdwinPaul Posted June 30, 2011
> You only allow .jpg etc; $allowed_filetypes = array('.jpg','.gif','.bmp','.png'); ?

Right. That's 1 check. Of course there are more to perform. Size? Mimetype? See http://nl3.php.net/finfo_file
xyph Posted June 30, 2011
As I said, EdwinPaul.. the data has to be filtered. Of course you wouldn't let a user upload a PHP file :/ As a heads up, checking mimetype is redundant if you're checking the extension already. For folder/album names, a simple regex or even ctype_alnum() could work.
EdwinPaul Posted June 30, 2011
> As a heads up, checking mimetype is redundant if you're checking the extension already.

Do you really mean that?? I'm glad that I am a bit more schizophrenic... :-\
xyph Posted June 30, 2011
How does an operating system decide what application to use when processing a file? If I rename a binary file to a JPG, will my image editor not try to open it? If I rename a PHP file to JPG, will the PHP engine try to parse it? (I know it's possible, but no one in their right mind would tell the PHP engine to parse image files.)

Mimetypes are defined by the user, so why bother checking them? Most scripts use the extension to define the mime anyway. The popular way (UNIX required) to do this is using system("file -bi '<file path>'"); . Again though, NO major operating system uses the mimetype to decide what program should parse it.

If you're only using images, there are ways to verify that the image actually contains proper image headers. Otherwise, you'll have to make sure whatever extensions you allow to be uploaded can't be executed on the system.
xyph Posted June 30, 2011
Also, use a white list of known extensions, NOT a black list. Some configs of Apache allow double extensions. I.e.: file.php.123 will parse as file.php. This behavior only happens to extensions that have no corresponding mime-types. In other words, file.php.jpg will be looked at as a JPG file, assuming Apache recognizes the extension.
EdwinPaul Posted June 30, 2011
Someone told me that 'hackers tried to fill a picture with javascript (a bug in IE7), or to construct a picture in such a way that the functionality of the browser crashes and starts processing the picture as a program'. As I am a schizophrenic I believed him, and it didn't hurt me. 'Better safe than sorry'.
xyph Posted June 30, 2011
You can't stop client side bugs. It's like Adobe's PDF issues. If the rendering engine is compromised client-side, it becomes very hard to protect them server-side. You have to understand how the rendering engine can be attacked, and check the file's contents manually for data that could possibly be an attack vector. It's like blaming a website because some browser plugin you've installed crashes due to some set of markup. If a piece of bad JavaScript is allowed to access your file system, and download and execute data, is that the fault of the web server or the browser?

That's a huge reason why allowing SWF uploads is a VERY dangerous thing. Browsers give the Flash plugin WAY too much control, and a perfectly valid SWF file can contain really, really mean code.

Sorry to chain this along (can't edit post after time) but any security issues involving double extensions can also be cured by forcing a predetermined unique filename, or appending text after the user's file name:

virus.php.ext would be changed to uniqueName.ext
-or-
virus.php.ext would be changed to virus.php_username.ext

Both would leave you with files that the Apache double extension parser would ignore. You can also use .htaccess to prevent any execution in a folder. http://codex.wordpress.org/htaccess_for_subdirectories
EdwinPaul Posted June 30, 2011
Okay, let's leave it at that. I always suggest to programmers to give an uploaded file a unique (new) name and store the original name in a database. Checking contents, mimetype, size, etcetera, doesn't hurt anybody, and restrict uploading only to known filetypes.
xyph Posted June 30, 2011
I agree completely - you can never be too safe. This is why I never bother to check the mime-type. It is supplied by the user, and therefore can't be trusted. Why verify when an attacker could easily mask that data? This could become an XSS issue if a user uploaded a RAR file with a text/html mime type: if the browser parses based on the mime-type, a link to that RAR file could be rendered as an HTML page. This can be solved through .htaccess though, forcing all files in a certain directory to be served as a certain mime-type. Until PHP offers a built-in solution to checking the ACTUAL mime-type of a file, I don't see the point in checking a user-supplied value.
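Pulling the thread's advice together (album subfolder from the OP's logic, extension whitelist, content check via finfo/getimagesize instead of the client-supplied type, unique server-chosen filename), here is an added example handler; it is not code from any poster. It assumes the form posts the album name as $_POST['album'] and the files as $_FILES['images'][], and an uploads directory beside the script.

```php
<?php
// Added example, not from the thread. Assumed form field names: $_POST['album'] and $_FILES['images'][].
$uploadBase = __DIR__ . '/uploads';  // assumed base directory; keep it non-executable (see .htaccess note above)
$allowedExt = array('jpg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png'); // whitelist, not blacklist
$maxBytes   = 2 * 1024 * 1024;

// 1. Album name: strict character whitelist, so it can never contain '/', '..' or a NUL byte.
$album = isset($_POST['album']) ? $_POST['album'] : '';
if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $album)) {
    die('Invalid album name');
}
$albumDir = $uploadBase . '/' . $album;
if (!is_dir($albumDir) && !mkdir($albumDir, 0755, true)) {
    die('Could not create album directory');
}
if (!isset($_FILES['images']['tmp_name']) || !is_array($_FILES['images']['tmp_name'])) {
    die('No files uploaded');
}

// 2. Each file: upload status, size, whitelisted extension, and content that really is an image.
$finfo = new finfo(FILEINFO_MIME_TYPE);
foreach ($_FILES['images']['tmp_name'] as $i => $tmp) {
    if ($_FILES['images']['error'][$i] !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        continue;
    }
    if ($_FILES['images']['size'][$i] > $maxBytes) {
        continue;
    }
    // The extension comes from the client name, but it is only used as a key into the whitelist.
    $ext = strtolower(pathinfo($_FILES['images']['name'][$i], PATHINFO_EXTENSION));
    if (!isset($allowedExt[$ext])) {
        continue;
    }
    // Type detected from the file bytes (finfo), never from $_FILES['type'], which the client sets;
    // getimagesize() additionally requires parseable image headers.
    if ($finfo->file($tmp) !== $allowedExt[$ext] || getimagesize($tmp) === false) {
        continue;
    }
    // 3. Never reuse the client's filename: a random server-chosen name sidesteps double extensions
    //    like "x.php.jpg". Keep the original name in the database if it is needed for display.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;  // random_bytes needs PHP 7+; uniqid('', true) on older PHP
    $dest    = $albumDir . '/' . $newName;
    if (!move_uploaded_file($tmp, $dest)) {
        continue;
    }
    chmod($dest, 0644);  // readable, not executable
    echo htmlspecialchars($_FILES['images']['name'][$i], ENT_QUOTES, 'UTF-8') . " stored as $album/$newName\n";
}
```

Serving the uploads directory with PHP execution disabled (the .htaccess approach mentioned above) remains a separate, independent layer; this script only controls what gets written there.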