Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 11 of 11
  1. #1
    New Coder
    Join Date
    Jul 2011
    Location
    New Zealand
    Posts
    30
    Thanks
    11
    Thanked 2 Times in 2 Posts

    Would like to check if my image uploader is considered safe.

    Hi guys, I have recently done some small edits on a image uploader script I found while browsing the forums and if possible would appreciate some advice / tips from more experienced users. I'm interested in knowing if my image uploader is safe and would be suitable for a public website.

    PHP Code:
    //Select the image you'd like to upload and add a description for it.

    <br><input name='image_upload_box' type='file' id='image_upload_box' size='40'/><br>
    <
    input name='submitted_form' type='hidden' id='submitted_form' value='image_upload_form' />
    <
    br><b>Post a brief description about your photowhat's happening, when it happened or any other details you feel could be interesting for the user viewing.</b><br><textarea style='font-familyArial' name='story' rows='7' cols='65'></textarea><br><br>

    //Upload the image to the server and redirect them to their uploaded image.

    ini_set("memory_limit", "200000000");
        if((isset($_POST["submitted_form"])) && ($_POST["submitted_form"] == "image_upload_form")) 
        {
            $folder = "image_files/";
            $allowed = array(".jpg",".jpeg",".png");  
            $uploaded = strtolower(substr($_FILES["image_upload_box"]["name"], strrpos($_FILES["image_upload_box"]["name"],'
    .')));
            if(in_array($uploaded,$allowed,true))
            {
                if(($_FILES["image_upload_box"]["size"] < 1200000))
                {
                    if ($_FILES["image_upload_box"]["error"] > 0)
                    {
                        header("location: SubmitImage.php?e=3");
                        return 0;
                    }
                    else
                    {
                        if (file_exists($folder . $_FILES["image_upload_box"]["name"]))
                        {
                            header("location: SubmitImage.php?e=2");
                            return 0;
                        }
                        else
                        {
                            move_uploaded_file($_FILES["image_upload_box"]["tmp_name"],
                            $folder . $_FILES["image_upload_box"]["name"]);
                            $location = $_FILES["image_upload_box"]["name"];
                            $comment = nl2br($_POST['
    story']);
                            $time = date("j M, Y, g:i A");
                            $data = $DBH->prepare("INSERT INTO `gallery` (`gID`,`gLocation`,`gComment`,`gPoster`,`gTime`,`gViews`) VALUES (NULL,?,?,?,?,?)");
                            $data->execute(array($location,$comment,$_SESSION['
    username],$time,0));
                            
    $id $data->lastInsertId();
                            
    header("location:ViewImage.php?ImageID=$id&page=1");
                            exit;
                        }
                    }
                }
                else
                {
                    
    header("Location: SubmitImage.php?e=4");
                    return 
    0;
                }
            }
            else
            {
                
    header("Location: SubmitImage.php?e=1");
                exit;
            }
        } 
    I'm hoping this image uploader is safe and would be fine to put on a public website.

    Also if there's some way I can improve my code it'd be nice if you could help me with that as well.

    Thank you in advance, I appreciate the help.
    Last edited by Haydz; 11-24-2012 at 05:11 AM. Reason: Used [PHP] codes instead of [CODE]

  • #2
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,090
    Thanks
    51
    Thanked 506 Times in 493 Posts
    Nope. You've mixed html directly with php code and there are no <?php or ?> tags to seperate the two. If you look in your php box in your post, you will see that most of your php is red - starting after a ' in your html. It only returns to normal at another '

    Just try running that code now (which you clearly haven't otherwise you'd have discovered it doesn't work already) because you're in for a bit of a surprise..
    My helpful sig is on vacation trying to loose some weight. It got a bit fat and caused a few problems but it will be back at some point!

  • #3
    Regular Coder Custard7A's Avatar
    Join Date
    Jul 2010
    Location
    Australia
    Posts
    286
    Thanks
    32
    Thanked 33 Times in 33 Posts
    There's also no form tags, and stuff.

    I'd like to believe the HTML was dumped at the top there because he felt it should be included as part of the preview, and the working file isn't actually that messed up..

  • #4
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    332
    Thanks
    2
    Thanked 47 Times in 46 Posts
    There are more image formats not included in the script. GIF which is one of the most popular formats is not. But if you don't want to allow animated GIFs, thats okay.

    Although there's a way to detect animated GIFs and maybe skip them as they may cause problems if you want to resize, create thumbnails or do other kinds of image manipulation. Check out.

    http://it.php.net/manual/en/function...mgif.php#59787

  • Users who have thanked Redcoder for this post:

    Haydz (11-24-2012)

  • #5
    New Coder
    Join Date
    Jul 2011
    Location
    New Zealand
    Posts
    30
    Thanks
    11
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by tangoforce View Post
    Nope. You've mixed html directly with php code and there are no <?php or ?> tags to seperate the two. If you look in your php box in your post, you will see that most of your php is red - starting after a ' in your html. It only returns to normal at another '

    Just try running that code now (which you clearly haven't otherwise you'd have discovered it doesn't work already) because you're in for a bit of a surprise..
    Sorry I just copy and pasted the parts of the uploader directly from the script to the website. The script works perfectly fine I'm just wondering if it's considered safe and wouldn't cause any trouble if the public used it.


    Quote Originally Posted by Redcoder View Post
    There are more image formats not included in the script. GIF which is one of the most popular formats is not. But if you don't want to allow animated GIFs, thats okay.

    Although there's a way to detect animated GIFs and maybe skip them as they may cause problems if you want to resize, create thumbnails or do other kinds of image manipulation. Check out.

    http://it.php.net/manual/en/function...mgif.php#59787
    Cheers for the link mate, I'll add that to my script.

  • #6
    rgb
    rgb is offline
    New Coder
    Join Date
    Jul 2011
    Posts
    17
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Validating the file type simply by checking the file extension is very dangerous. It's relatively easy for hackers to append a malicious script inside an image file. Even using GD functions to verify that the file is a genuine image is not foolproof.
    I once ran a picture hosting service using a simple upload script and had a dedicated server completely subverted by hackers.

  • Users who have thanked rgb for this post:

    Haydz (11-25-2012)

  • #7
    New Coder
    Join Date
    Jul 2011
    Location
    New Zealand
    Posts
    30
    Thanks
    11
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by rgb View Post
    Validating the file type simply by checking the file extension is very dangerous. It's relatively easy for hackers to append a malicious script inside an image file. Even using GD functions to verify that the file is a genuine image is not foolproof.
    I once ran a picture hosting service using a simple upload script and had a dedicated server completely subverted by hackers.
    Thank you for the response, that's unfortunate but at least I didn't put the script up for public viewing. Do you know of any methods which can keep my servers safe? Thank you very much.

  • #8
    Regular Coder LearningCoder's Avatar
    Join Date
    Jan 2011
    Location
    The Pleiades
    Posts
    912
    Thanks
    76
    Thanked 28 Times in 28 Posts
    I was once doing an upload script but for gaming demo files. I was told there is a way to check the file using headers, which is the safest way possible.

    Due to still being relatively new to PHP coding, I gave up on it as I couldn't understand the concept.

    I'd take a look at using headers to read files or maybe someone else here could give you a little more information in depth.

    Kind regards,

    LC.

  • #9
    Regular Coder Custard7A's Avatar
    Join Date
    Jul 2010
    Location
    Australia
    Posts
    286
    Thanks
    32
    Thanked 33 Times in 33 Posts
    Headers are sent from — and therefore, can be manipulated by — the client. Checking the file mime-type or whatever there is in the headers may be a good idea, but make sure you treat it like any other user submitted data that can't be trusted.

  • Users who have thanked Custard7A for this post:

    LearningCoder (11-26-2012)

  • #10
    rgb
    rgb is offline
    New Coder
    Join Date
    Jul 2011
    Posts
    17
    Thanks
    0
    Thanked 2 Times in 2 Posts
    I was overwhelmed by the ingenuity of hackers and closed my picture upload site. But if I were to do it again I would:

    Upload the files to a folder below the public_html root so that it was not public.

    Change the folder permissions to be non executable.

    Change the filenames to something random as they were uploaded - this is a good thing anyway because lots of people put spaces and undesirable characters in file names.

    Allow access to the images via a php script in the public area which fetches them for download.

    ....but I'm no security expert.

  • #11
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    332
    Thanks
    2
    Thanked 47 Times in 46 Posts
    Too check for viruses to make sure that the files are safe....you can use the VirusTotal API. Its free, athough it hass some limits to the number of files you can send per minute(4 per minute). You can look for Paid API's if your service will be commercial or if you will have many users uploading images . Or you can use Cron Jobs to send unscanned files later when users are not uploading any.

    https://www.virustotal.com/documentation/public-api/


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •