dsbpac Posted September 19, 2013

I'm a little stuck on how to make it to where only images can be uploaded and not all files. Thanks in advance!

<?php
// Your file name you are uploading
// ($HTTP_POST_FILES is the old long-array name for $_FILES)
$file_name = $HTTP_POST_FILES['ufile']['name'];

// random 4 digit number to add to our file name
// some people use date and time instead of a random digit
$random_digit = rand(0, 9999);

// combine the random digit with your file name to create the new file name
// use dot (.) to combine these two variables
$new_file_name = $random_digit . $file_name;

// set where you want to store files
// in this example we keep the file in folder upload
// $new_file_name = new upload file name
// for example upload file name cartoon.gif: $path will be upload/cartoon.gif
$path = "upload/" . $new_file_name;

if (!empty($HTTP_POST_FILES['ufile']['tmp_name'])) {
    if (move_uploaded_file($HTTP_POST_FILES['ufile']['tmp_name'], $path)) {
        echo "Successful<BR/>";
        // $new_file_name = new file name
        // $HTTP_POST_FILES['ufile']['size'] = file size
        // $HTTP_POST_FILES['ufile']['type'] = type of file
        echo "File Name :" . $new_file_name . "<BR/>";
        echo "File Size :" . $HTTP_POST_FILES['ufile']['size'] . "<BR/>";
        echo "File Type :" . $HTTP_POST_FILES['ufile']['type'] . "<BR/>";
    } else {
        echo "Error";
    }
}
?>
fastsol Posted September 19, 2013

http://www.youtube.com/playlist?list=PL10C2E583722F66E7
Rifts Posted September 19, 2013

just check the file type?

$info = pathinfo($_FILES['ufile']['name']);
if (isset($info["extension"]) && $info["extension"] == "jpg") {
    // ...
}
jcbones Posted September 19, 2013

HTTP_POST_FILES was deprecated in PHP 4.1.0, which was released December 10, 2001. You should be using the $_FILES array. This one point alone makes the current script 10+ years out of date.

PLEASE don't use the videos as a valid way to check if the file uploaded is an actual image. Anyone can put an image ext on any file they wish to. My suggestion would be to use finfo_open() asking for mime type, finfo_file(), and finfo_close(), and checking against the IMAGETYPE_*** constants. You could use getimagesize(), or exif_imagetype(); the first just gives more info than the second. You can also try to recreate the image with imagecreatefromjpeg() (or png, gif, etc), which will fail if it isn't an image. This way is more resource intensive, but it will let you know 100% if it is an image or not.

Bottom line is, don't trust file extensions.
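The checks jcbones lists, put together in one upload handler. This is an added example, not code posted in the thread: it assumes a form field named "ufile", a writable directory $uploadDir that the web server does not serve or execute from, and the exif, fileinfo and GD extensions enabled. It goes one step beyond the post: after the file decodes, it is re-encoded from the decoded pixels, so bytes a decoder skips (trailing data, comment or EXIF segments) never reach the stored file.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Assumes a form field "ufile" and a
// writable $uploadDir outside the document root.

// Types we accept, with the GD loader/saver used to decode and re-encode each.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => ['ext' => 'jpg', 'load' => 'imagecreatefromjpeg', 'save' => 'imagejpeg'],
    IMAGETYPE_PNG  => ['ext' => 'png', 'load' => 'imagecreatefrompng',  'save' => 'imagepng'],
    IMAGETYPE_GIF  => ['ext' => 'gif', 'load' => 'imagecreatefromgif',  'save' => 'imagegif'],
];

function store_image_upload(array $file, string $uploadDir, int $maxBytes = 2097152): string
{
    // Did the upload itself succeed, and is it really a file PHP received via POST?
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'missing'));
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not a file uploaded via HTTP POST');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File exceeds size limit');
    }

    // Content check 1: the signature bytes. $file['type'] and $file['name']
    // are supplied by the client and are not consulted at all.
    $type = exif_imagetype($tmp);
    if ($type === false || !isset(ALLOWED_TYPES[$type])) {
        throw new RuntimeException('Not an allowed image type');
    }
    $spec = ALLOWED_TYPES[$type];

    // Content check 2: fileinfo must agree with the signature.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmp);
    finfo_close($finfo);
    if ($mime !== image_type_to_mime_type($type)) {
        throw new RuntimeException('MIME type mismatch: ' . $mime);
    }

    // Content check 3: the file must decode with GD, which parses the image data
    // rather than only the header that getimagesize() looks at.
    $img = @call_user_func($spec['load'], $tmp);
    if ($img === false) {
        throw new RuntimeException('Image data failed to decode');
    }

    // The stored name is chosen by the server; the client's filename is never used.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $spec['ext'];

    // Re-encode from the decoded pixels: trailing bytes and metadata segments
    // present in the upload are not copied into $dest.
    $ok = call_user_func($spec['save'], $img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $dest;
}

// Form target: report success or the reason for rejection.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['ufile'])) {
    try {
        $saved = store_image_upload($_FILES['ufile'], __DIR__ . '/../private_uploads');
        echo 'Stored as ' . htmlspecialchars(basename($saved));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Checks 1 and 2 are cheap and reject most non-images; check 3 plus re-encoding costs CPU and memory proportional to the image, so the size limit in front of it matters. Animated GIFs lose their animation when re-encoded this way, which is the trade-off for a file whose bytes the server produced itself.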
fastsol Posted September 19, 2013

I fully admit that the video's method does nothing to validate it's actually an image, but is there any security risk in its method? Allowing only a white list of extensions would surely be safe at the minimum; granted, it doesn't mean an image will actually display if it's not truly an image, but it shouldn't harm anything either.
kicken Posted September 19, 2013

> but is there any security risk in its method.

Potentially yes, if your server is poorly configured.
vinny42 Posted September 19, 2013

> the first just gives more info than the second.

But can be spoofed, because it only looks at the first few bytes of the file to see if it defines a set of dimensions. The rest of the data is ignored and could for example be malicious PHP code.

> You can also try to recreate the image with imagecreatefromjpeg() (or png, gif, etc), which will fail if it isn't an image. This way is more resource intensive, but it will let you know 100% if it is an image or not.

+1

> Potentially yes, if your server is poorly configured.

Not checking the file's content is dangerous on any server, because hackers don't just call the .jpg file to try to execute it; they also exploit holes in include and require. Those will happily load any file on the server, including PHP files disguised under a ".jpg" extension. Thus, giving a hacker the option to upload a PHP script is bad no matter what.
mac_gyver Posted September 19, 2013

the safest thing to do with all uploaded files is to put them into a folder where there's no direct http access and no permissions to run (and assuming you don't provide a way of allowing them to be included into a script or executed via a shell command), then if something does get past your checking/validation, they cannot be requested on the server and executed as a script/application. you would then use a .php script to dynamically output the file's contents, so that they will only be treated as a data file on the server.
vinny42 Posted September 19, 2013

And even then the file could contain javascript which the browser could pick up. For images you can use PHP's image functions, and there are probably a few validations for other filetypes out there, but once you allow data from uncontrolled sources into your system you are open to all kinds of weird attacks.
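The serving half of mac_gyver's suggestion, with the response headers that address vinny42's point about browsers picking up script inside a file. This is an added example, not code from the thread: it assumes uploads were stored with server-chosen names (32 hex characters plus a jpg/png/gif extension) in PRIVATE_UPLOAD_DIR, a directory outside the document root that the web server never serves directly.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. PRIVATE_UPLOAD_DIR is assumed to sit
// outside the document root, so files there are only reachable through this script.
const PRIVATE_UPLOAD_DIR = __DIR__ . '/../private_uploads';

// Only these types are ever served, and always with the type decided here.
const IMAGE_MIME = [
    IMAGETYPE_JPEG => 'image/jpeg',
    IMAGETYPE_PNG  => 'image/png',
    IMAGETYPE_GIF  => 'image/gif',
];

/**
 * Map a client-supplied id to a file inside the private directory, or null.
 * The id must match the exact naming scheme used at upload time, so "../" or
 * any other path component never reaches the filesystem; realpath() is a
 * second guard that the resolved file really lives under the base directory.
 */
function resolve_upload(string $id): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $id)) {
        return null;
    }
    $real = realpath(PRIVATE_UPLOAD_DIR . '/' . $id);
    $base = realpath(PRIVATE_UPLOAD_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function serve_image(string $id): void
{
    $path = resolve_upload($id);
    $type = $path === null ? false : exif_imagetype($path);
    if ($type === false || !isset(IMAGE_MIME[$type])) {
        http_response_code(404);
        echo 'Not found';
        return;
    }

    // Content-Type comes from the file's signature, not its extension.
    header('Content-Type: ' . IMAGE_MIME[$type]);
    // nosniff stops browsers from re-interpreting the body as HTML/script
    // even if something script-like survived inside the image data.
    header('X-Content-Type-Options: nosniff');
    // inline display under a name the server chose, never the uploader's name.
    header('Content-Disposition: inline; filename="' . $id . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

if (isset($_GET['id'])) {
    serve_image((string) $_GET['id']);
}
```

Because every byte leaves the server through readfile() with a Content-Type the script picked, the web server never has a reason to hand an upload to the PHP interpreter, and the browser is told not to guess at the type. Keeping the private directory outside the document root is web-server configuration, not PHP; the script only enforces the naming scheme and directory boundary.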
jazzman1 Posted September 19, 2013 (edited)

> the safest thing to do with all uploaded files is to put them into a folder where there's no direct http access and no permissions to run (and assuming you don't provide a way of allowing them to be included into a script or executed via a shell command), then if something does get past your checking/validation, they cannot be requested on the server and executed as a script/application. you would then use a .php script to dynamically output the file's contents, so that they will only be treated as a data file on the server.

+1 mac

File/directory permissions should be an essential part of building any web app. Then, we can apply the rules which were already mentioned above.

Edited September 19, 2013 by jazzman1
vinny42 Posted September 19, 2013

The only really important bit is

> and assuming you don't provide a way of allowing them to be included into a script or executed via a shell command

Not allowing certain files into your system is one thing; preventing them from being used in ways that you did not intend is another, and filesystem permissions are going to do very little against a bug in a piece of PHP code.