Jump to content

Safest method of image upload


Recommended Posts

Good day all


Busy working on some code to allow users to upload images.


Now, I know not to trust anything sent from a user (and to specifically check image type, etc.)

And it's never a good idea to allow anyone, or anything to upload something to a directory below your web root.


But, how bad would it be to check for the correct file size, and type, and then use PHP to FTP that file to a directory that happens to be below your web root?


This would be on a shared hosting platform, where temp_upload is not set, and is running Apache and PHP 5.2


Just checking some additional options, and haven't seen that much regarding how secure the FTP method would be.


Thanks in advance :)

Link to comment
Share on other sites

Thank you for the reply


I had intended to run actual checks (and not rely on user or browser supplied info)

Had not seen many mention of mime type, but many mentions suggesting getimagesize, etc.


Without opening this thread, and my questions up to giving out info that would add attackers, are there any other concerns to be aware of?

Link to comment
Share on other sites

Thank you again!


Going to speak to the host, and see what I can organise.


I've had several hosts tell me recently that they do not allow access to folders above webroot by scripts, at all.

Will have to see what they can sort for this site then.


Safest option is always the way to go. Had thought it'd be okay to do all the checks, but you never know what the next attack vector would be.


Speaking of, any ways in even if uploading to another directory, and moving? Would also limit files to JPEG type, and probably resize them with a script too while I'm at it.


Will post any additional info I manage here, but hopefully all goes well.


Thank you again.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.