
I am attempting to use croppic, http://www.jqueryrain.com/?S4PWDcPG, to modify images and want to be able to control the name of the file being produced. I also want to be able to save the name to my database.

My guess is that I have to pass a variable to the img_save_to_file.php, but I'm not sure how to do that. I've tried using sessions but could not get that to work. Is there any other way that I could try but am not thinking of?

A bit confused; any direction would be appreciated.

<?php
/*
 * !!! THIS IS JUST AN EXAMPLE !!!, PLEASE USE ImageMagick or some other quality image processing libraries
 */
$imagePath = "temp/";

$allowedExts = array("gif", "jpeg", "jpg", "png", "GIF", "JPEG", "JPG", "PNG");
// The extension is taken from the user-supplied filename (segment after the last dot)
$temp = explode(".", $_FILES["img"]["name"]);
$extension = end($temp);

// Check write access to the directory
if (!is_writable($imagePath)) {
    $response = array(
        "status" => 'error',
        "message" => 'Can`t upload File; no write Access'
    );
    print json_encode($response);
    return;
}

if (in_array($extension, $allowedExts)) {
    if ($_FILES["img"]["error"] > 0) {
        $response = array(
            "status" => 'error',
            "message" => 'ERROR Return Code: ' . $_FILES["img"]["error"],
        );
    } else {
        $filename = $_FILES["img"]["tmp_name"];
        list($width, $height) = getimagesize($filename);

        // The file is saved under its original, user-supplied name
        move_uploaded_file($filename, $imagePath . $_FILES["img"]["name"]);

        $response = array(
            "status" => 'success',
            "url" => $imagePath . $_FILES["img"]["name"],
            "width" => $width,
            "height" => $height
        );
    }
} else {
    $response = array(
        "status" => 'error',
        "message" => 'something went wrong, most likely file is too large for upload. check upload_max_filesize, post_max_size and memory_limit in your php.ini',
    );
}

print json_encode($response);
?>
https://forums.phpfreaks.com/topic/300989-pass-variable-to-another-php-file/

The code you've copied and pasted is very poor and insecure. I suggest you throw it away, learn the basics of secure file uploads and then write your own code. This should also clear up the confusion, because you'll actually understand the procedure.

 

This topic has been discussed many times on the forum, and there are plenty of resources all over the Internet, so this is just a quick overview:

  • Validate the file extension with a whitelist of permitted extensions.
  • Generate a purely random filename and append the validated extension (make sure you don't end up with a double extension). You may store the original filename in your database, but do not actually use it, because it won't be unique.
  • Store the file outside of the document root so that it cannot be accessed directly.
  • Then write a simple proxy script which serves the files upon request. It's recommended to use the X-Sendfile technique instead of reading the file content with PHP.
  • If possible, create a separate subdomain like uploads.yoursite.com for the proxy script. This will isolate the potential insecure uploads from your main application.
  • Use Content Security Policy for additional protection.

It's very important to understand that letting people upload files to your server is inherently risky. A cursory file extension check like in the script above is not enough and may leave both your server and your users wide open to various attacks. So don't just copy and paste code you found somewhere on the Internet. Learn and understand the procedure.

Edited by Jacques1
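An upload handler that follows the steps listed in the reply above, added here as an illustration (it is not croppic's code and not from any post in this thread). It assumes an upload directory outside the document root and a proxy script named serve.php; both names are placeholders.

```php
<?php
// Added example, not croppic's code: upload handler following the steps above.
// Assumed: UPLOAD_DIR is outside the document root; serve.php is the proxy script.
const UPLOAD_DIR   = '/var/www/uploads';           // assumed: not under the document root
const ALLOWED_EXTS = ['gif', 'jpeg', 'jpg', 'png']; // whitelist, compared lower-cased

function respond(array $payload): void
{
    header('Content-Type: application/json');
    echo json_encode($payload);
    exit;
}

if (!isset($_FILES['img']) || $_FILES['img']['error'] !== UPLOAD_ERR_OK) {
    respond(['status' => 'error', 'message' => 'upload failed']);
}
$tmp = $_FILES['img']['tmp_name'];

// 1. Validate the extension against the whitelist. pathinfo() returns only the part
//    after the LAST dot, so "x.php.png" yields "png" and is stored as <random>.png.
$ext = strtolower(pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, ALLOWED_EXTS, true)) {
    respond(['status' => 'error', 'message' => 'file type not allowed']);
}

// Extra check: the bytes must decode as an image of the whitelisted type, not just
// carry the right name. getimagesize() returns false for non-images.
$info = @getimagesize($tmp);
$expected = ['gif' => IMAGETYPE_GIF, 'jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG];
if ($info === false || $info[2] !== $expected[$ext]) {
    respond(['status' => 'error', 'message' => 'content does not match extension']);
}

// 2. Purely random name + the validated extension. Keep the original name only for
//    display (store it in the database next to $storedName, never use it as a path).
$storedName = bin2hex(random_bytes(16)) . '.' . $ext;

// 3. Move the file outside the document root.
if (!move_uploaded_file($tmp, UPLOAD_DIR . '/' . $storedName)) {
    respond(['status' => 'error', 'message' => 'could not store file']);
}

// $storedName is what you record in the database and what the proxy script expects;
// returning it is how the caller learns the name the server chose.
respond([
    'status' => 'success',
    'name'   => $storedName,
    'url'    => '/serve.php?f=' . rawurlencode($storedName), // 4. served via the proxy
    'width'  => $info[0], 'height' => $info[1],
]);
```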

Generate a purely random filename and append the validated extension (make sure you don't end up with a double extension). You may store the original filename in your database, but do not actually use it, because it won't be unique.

 

I typically validate the file extension, and then store the validated filename with extension in the database and use it in the header when someone downloads the file.

 

Why append the extension to the filename?

When you use the X-Sendfile technique, the webserver needs a physical file extension to figure out the MIME type.

 

Without an extension, you have to do that yourself and set the right Content-Type header. This can be problematic. If you store the MIME type of each file in the database, an SQL injection vulnerability might be used to manipulate the type and turn the files into malware (e.g. by embedding JavaScript code into a PNG image and then setting the MIME type to “text/html”). If you have a hard-coded mapping from extensions to MIME types in your application, there's no such risk. But the webserver already has that mapping built in, so it's not really necessary.

 

Appending the extension is also a matter of making the application foolproof: If a problem with the files has to be resolved by hand – maybe by somebody without a tech background –, a file with an extension will be a lot more usable than one without.

 

But the webserver already has that mapping built in, so it's not really necessary.
 
What's not necessary?
 
 
header("X-Sendfile: {$file_random_name}");
header("Content-Type: {$mime}");
header('Content-Disposition: attachment; filename="' . $file_name_with_extension . '"');

This:

header("Content-Type: {$mime}");

You've written a lot of code to detect the MIME type, check it, maybe store it and hopefully check it again before the header() call. But the webserver already knows the MIME type of every common extension.

 

I'm not even sure if Apache honors the Content-Type header you're giving it. Have you checked this? It might actually ignore this declaration altogether and fall back to its own mapping.
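The proxy script the discussion above describes, added here as an illustration (not code from any poster and not croppic's). It leaves the Content-Type header to the webserver's extension mapping, as argued above, and assumes mod_xsendfile plus the same placeholder upload directory; the original-name lookup is a stand-in for a database query.

```php
<?php
// Added example: X-Sendfile proxy for files stored by the upload handler.
// Assumed: Apache with mod_xsendfile; UPLOAD_DIR is outside the document root.
const UPLOAD_DIR = '/var/www/uploads';   // assumed placeholder path

// Accept only names the upload handler can have produced: 32 hex chars plus a
// whitelisted extension. Anything else (slashes, "..", double extensions) is a 404.
if (!isset($_GET['f']) || !preg_match('/\A[0-9a-f]{32}\.(gif|jpe?g|png)\z/', $_GET['f'])) {
    http_response_code(404);
    exit;
}
$path = UPLOAD_DIR . '/' . $_GET['f'];
if (!is_file($path)) {
    http_response_code(404);
    exit;
}

// Original name is for display only; assumed to come from the database row that
// stores it next to the random name. rawurlencode() keeps quotes and newlines out
// of the header, so the user-chosen name cannot inject additional header fields.
$originalName = 'photo.png'; // constructed stand-in for the database lookup
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($originalName));

// Defensive headers for anything served from the upload area: no MIME sniffing and
// no script execution even if a browser were talked into rendering the file.
header('X-Content-Type-Options: nosniff');
header("Content-Security-Policy: default-src 'none'; sandbox");

// No Content-Type header here: the webserver derives it from the physical extension,
// so there is no application-level type value that could be tampered with.
header('X-Sendfile: ' . $path);
```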
