Would like to check if my image uploader is considered safe.
Hi guys, I have recently done some small edits on a image uploader script I found while browsing the forums and if possible would appreciate some advice / tips from more experienced users. I'm interested in knowing if my image uploader is safe and would be suitable for a public website.
PHP Code:
//Select the image you'd like to upload and add a description for it.
<br><input name='image_upload_box' type='file' id='image_upload_box' size='40'/><br> <input name='submitted_form' type='hidden' id='submitted_form' value='image_upload_form' /> <br><b>Post a brief description about your photo, what's happening, when it happened or any other details you feel could be interesting for the user viewing.</b><br><textarea style='font-family: Arial' name='story' rows='7' cols='65'></textarea><br><br>
//Upload the image to the server and redirect them to their uploaded image.
Nope. You've mixed html directly with php code and there are no <?php or ?> tags to seperate the two. If you look in your php box in your post, you will see that most of your php is red - starting after a ' in your html. It only returns to normal at another '
Just try running that code now (which you clearly haven't otherwise you'd have discovered it doesn't work already) because you're in for a bit of a surprise..
//Please don't use this for your form processing:
if (isset($_POST['submit']))
//Internet explorer has a bug and does not always send the submit value.
I'd like to believe the HTML was dumped at the top there because he felt it should be included as part of the preview, and the working file isn't actually that messed up..
There are more image formats not included in the script. GIF which is one of the most popular formats is not. But if you don't want to allow animated GIFs, thats okay.
Although there's a way to detect animated GIFs and maybe skip them as they may cause problems if you want to resize, create thumbnails or do other kinds of image manipulation. Check out.
Nope. You've mixed html directly with php code and there are no <?php or ?> tags to seperate the two. If you look in your php box in your post, you will see that most of your php is red - starting after a ' in your html. It only returns to normal at another '
Just try running that code now (which you clearly haven't otherwise you'd have discovered it doesn't work already) because you're in for a bit of a surprise..
Sorry I just copy and pasted the parts of the uploader directly from the script to the website. The script works perfectly fine I'm just wondering if it's considered safe and wouldn't cause any trouble if the public used it.
Quote:
Originally Posted by Redcoder
There are more image formats not included in the script. GIF which is one of the most popular formats is not. But if you don't want to allow animated GIFs, thats okay.
Although there's a way to detect animated GIFs and maybe skip them as they may cause problems if you want to resize, create thumbnails or do other kinds of image manipulation. Check out.
Validating the file type simply by checking the file extension is very dangerous. It's relatively easy for hackers to append a malicious script inside an image file. Even using GD functions to verify that the file is a genuine image is not foolproof.
I once ran a picture hosting service using a simple upload script and had a dedicated server completely subverted by hackers.
Validating the file type simply by checking the file extension is very dangerous. It's relatively easy for hackers to append a malicious script inside an image file. Even using GD functions to verify that the file is a genuine image is not foolproof.
I once ran a picture hosting service using a simple upload script and had a dedicated server completely subverted by hackers.
Thank you for the response, that's unfortunate but at least I didn't put the script up for public viewing. Do you know of any methods which can keep my servers safe? Thank you very much.
I was once doing an upload script but for gaming demo files. I was told there is a way to check the file using headers, which is the safest way possible.
Due to still being relatively new to PHP coding, I gave up on it as I couldn't understand the concept.
I'd take a look at using headers to read files or maybe someone else here could give you a little more information in depth.
Headers are sent from — and therefore, can be manipulated by — the client. Checking the file mime-type or whatever there is in the headers may be a good idea, but make sure you treat it like any other user submitted data that can't be trusted.
I was overwhelmed by the ingenuity of hackers and closed my picture upload site. But if I were to do it again I would:
Upload the files to a folder below the public_html root so that it was not public.
Change the folder permissions to be non executable.
Change the filenames to something random as they were uploaded - this is a good thing anyway because lots of people put spaces and undesirable characters in file names.
Allow access to the images via a php script in the public area which fetches them for download.
Too check for viruses to make sure that the files are safe....you can use the VirusTotal API. Its free, athough it hass some limits to the number of files you can send per minute(4 per minute). You can look for Paid API's if your service will be commercial or if you will have many users uploading images . Or you can use Cron Jobs to send unscanned files later when users are not uploading any.
Before you post, read our: 
