Okay, so I've got a script to write but a concern that I can't figure out.
I'm writing an image upload script but want to make sure that the images uploaded don't have a Trojan in them. There has been word of JPEG images especially that are the cause of this.
So, is there some kind of image scrubbing PHP module or script that I need to ensure that the pictures are bug free?
FYI, this system will use the ImageMagick extension of PHP.
Thanks for the help all.
__________________
I need to find a book about all this stuff. God, that's gonna be one big book!
I'm sorry, I still really don't understand it all. Those functions will verify that the JPEG image is just a JPEG?
Sorry for the bother, and thanks for the help.
__________________
I need to find a book about all this stuff. God, that's gonna be one big book!
MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
Damn, I don't think my GoDaddy host has an antivirus scanner.
Thus far they've told me that they have none of the many things I'd consider key for truly robust websites.
__________________
I need to find a book about all this stuff. God, that's gonna be one big book!
It is possible for a file to contain a valid image AND contain php code. The image content prior to the <?php tag is simply content that php would output, then the php code would be parsed and executed. There are some conditions that must be true for this exploit to be possible, such as allowing an upload file name to be completely specified from the upload form, so that such an image/php code file could be placed on the server with a file name that could be browsed to and be parsed as php code.
The various image functions (getimagesize and imagecreatefromjpeg...) will find and happily return the image portion of such an image/php code file.
Since an image would not normally contain data that looks like PHP code, this type of exploit could be discovered by scanning the file for PHP-only keywords that would be used by malicious code, such as <? exec shell echo print print_r...
__________________
If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
If you use getimagesize() to check the file type of the file being uploaded, it should narrow down the field of what files are uploaded.
Also if you expect the images to be a certain size you can also limit the size of the uploads.
Otherwise, the virus scanner is your best bet, but if you don't have that, you have to do a detailed check on every part of the file to make sure it is a jpeg file.
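Added example, not part of the original thread: a sketch of an upload handler that combines the checks suggested in the posts above (getimagesize() type check, size limit, scan for a PHP tag) with a server-chosen file name and a GD re-encode. The function name store_uploaded_jpeg(), UPLOAD_DIR, MAX_BYTES and the 2 MB limit are assumptions; the form field name 'imagefile' is the one used in this thread.

```php
<?php
// Added example: hypothetical handler, not code from the thread.
const UPLOAD_DIR = '/var/www/uploads'; // assumed path; PHP execution should be disabled here
const MAX_BYTES  = 2 * 1024 * 1024;    // assumed size limit (2 MB)

function store_uploaded_jpeg(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }

    // Check the content itself, not the client-supplied name or MIME type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('Not a JPEG image.');
    }

    // A valid JPEG can still carry PHP code. Only the long tag is scanned for:
    // the two-byte "<?" occurs by chance in compressed image data.
    $bytes = file_get_contents($file['tmp_name']);
    if ($bytes === false || stripos($bytes, '<?php') !== false) {
        throw new RuntimeException('File contains a PHP tag.');
    }

    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('JPEG could not be decoded.');
    }

    // Server-chosen name and extension: nothing from $file['name'] is used,
    // so the stored file can never end in .php.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.jpg';

    // Write a fresh JPEG from the decoded pixels; metadata and trailing bytes are not copied.
    if (!imagejpeg($img, $dest, 90)) {
        throw new RuntimeException('Could not save image.');
    }
    return $dest;
}

if (isset($_FILES['imagefile'])) {
    try {
        echo 'Stored as ' . basename(store_uploaded_jpeg($_FILES['imagefile']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```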
Wow, thanks guys, I've learned a bit in the past few minutes.
I still have one question: now that I know that the image can be more than just binary or hex, how exactly do I extract the file into a readable format?
Or am I just asking a pointless question on this one?
Thus I would only have to use something like this:
PHP Code:
<?php
if($_FILES['imagefile']['name']=='<?php' || $_FILES['imagefile']['name']== '<?')
{
// Either parse with imagecreatefromjpeg or throw out and ask for another file.
}
?>
__________________
I need to find a book about all this stuff. God, that's gonna be one big book!