make upload file (move_uploaded_file) secure for public usage

crmpicco · 10-22-2007, 09:00 PM

PHP Code:


			
/* UPLOADING FILE */

$target_path = "../images/gallery/";

$target_path = $target_path . basename( $_FILES['filename']['name']); 



if(move_uploaded_file($_FILES['filename']['tmp_name'], $target_path)) {

      echo "The file ".  basename( $_FILES['filename']['name']). 

        " has been uploaded";

} else {

      echo "There was an error uploading the file, please try again!";

}



$filename = basename( $_FILES['filename']['name']);

Form element:

Code:

<input type="file" name="filename" id="filename" class="textbox" size="40">

I am looking to make my code as secure as possible, it's basically taking a image from the form field and moving it to a directory on the server. I would also like to check what the file type is - as i'm only wanting to allow gif, png, jpg, bmp etc......

I know that the code isn't safe enough to put up live at the moment.......

Cheers,
Picco

Inigoesdr · 10-22-2007, 09:38 PM

You can check if the image is valid by creating an image pointer with it via imagecreatefromjpeg() for example if it is a jpeg, and testing the return.

PHP Code:


			
$im = imagecreatefromjpeg('/path/to/image.jpg');
if(!$im)
{
    // failed, err msg
}
else
{
    // valid
}
imagedestroy($im);

There are of course examples and comments in the manual that can help you further.

idalatob · 10-23-2007, 08:52 AM

To make sure that it is an image you can try using getimagesize on the uploaded image, or you can try using this little stunner:

PHP Code:


			
$filename = $_FILES['image_upload']
$mime_type = explode("/", $filename['type']); 
if ($mime_type[0] == "image"){ /*Success*/} else { /*failure*/}

crmpicco · 10-27-2007, 07:20 PM

thanks for those replies, however I noticed that the first example is using imagecreatefromjpeg. Which i take it would only work if the image uploaded was infact a .jpg file.

The second example is using $mime_type which looks good, but is that a built-in PHP function?

Picco

Fumigator · 10-27-2007, 10:19 PM

Use imagecreatefromgif() and imagecreatefrompng() as well. (Windows BMP files will require a 3rd party function which you can download from JPEXS).

10-22-2007, 09:00 PM	PM User \| #1
crmpicco Senior Coder Join Date: Jan 2005 Location: Mauchline, Scotland Posts: 1,043 Thanks: 15 Thanked 1 Time in 1 Post	make upload file (move_uploaded_file) secure for public usage PHP Code: `/* UPLOADING FILE / $target_path = "../images/gallery/"; $target_path = $target_path . basename( $_FILES['filename']['name']); if(move_uploaded_file($_FILES['filename']['tmp_name'], $target_path)) { echo "The file ". basename( $_FILES['filename']['name']). " has been uploaded"; } else { echo "There was an error uploading the file, please try again!"; } $filename = basename( $_FILES['filename']['name']);` Form element: Code: <input type="file" name="filename" id="filename" class="textbox" size="40"> I am looking to make my code as secure as possible, it's basically taking a image from the form field and moving it to a directory on the server. I would also like to check what the file type is - as i'm only wanting to allow gif, png, jpg, bmp etc...... I know that the code isn't safe enough to put up live at the moment....... Cheers, Picco __________________ Ayrshire Minis - a Mini E-Community* \| Ballochmyle Web Solutions \| Follow Me on Twitter

10-22-2007, 09:38 PM	PM User \| #2
Inigoesdr Moderator Join Date: Mar 2007 Location: Florida, USA Posts: 2,529 Thanks: 1 Thanked 222 Times in 215 Posts	You can check if the image is valid by creating an image pointer with it via imagecreatefromjpeg() for example if it is a jpeg, and testing the return. PHP Code: `$im = imagecreatefromjpeg('/path/to/image.jpg'); if(!$im) { // failed, err msg } else { // valid } imagedestroy($im);` There are of course examples and comments in the manual that can help you further.

10-23-2007, 08:52 AM	PM User \| #3
idalatob Regular Coder Join Date: Sep 2007 Location: Grahamstown, South Africa Posts: 125 Thanks: 5 Thanked 7 Times in 7 Posts	image validation To make sure that it is an image you can try using getimagesize on the uploaded image, or you can try using this little stunner: PHP Code: `$filename = $_FILES['image_upload'] $mime_type = explode("/", $filename['type']); if ($mime_type[0] == "image"){ /Success/} else { /failure/}`

10-27-2007, 07:20 PM	PM User \| #4
crmpicco Senior Coder Join Date: Jan 2005 Location: Mauchline, Scotland Posts: 1,043 Thanks: 15 Thanked 1 Time in 1 Post	thanks for those replies, however I noticed that the first example is using imagecreatefromjpeg. Which i take it would only work if the image uploaded was infact a .jpg file. The second example is using $mime_type which looks good, but is that a built-in PHP function? Picco __________________ Ayrshire Minis - a Mini E-Community \| Ballochmyle Web Solutions \| Follow Me on Twitter

10-27-2007, 10:19 PM	PM User \| #5
Fumigator Master Coder Join Date: Dec 2005 Location: Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant Posts: 6,378 Thanks: 40 Thanked 479 Times in 468 Posts	Use imagecreatefromgif() and imagecreatefrompng() as well. (Windows BMP files will require a 3rd party function which you can download from JPEXS). __________________ I heart Hostmonster PWG Computers

Thread Tools
Show Printable Version Email this Page
Rate This Thread
Rate This Thread: