Resolved: how to verify images are authentic and safe before displaying them

01-17-2012, 08:05 PM
Hi guys, as the title asks, I just wanted to know how to verify images are authentic and safe before displaying them in PHP, as I've seen it on a few sites.

If it's not done in PHP, please guide me to how it is done.


01-17-2012, 08:12 PM
Seen what on a few sites? Re-read that... it is clear that YOU know what you're getting at, but the way you describe it is as clear as mud!

I'm thinking...
Check the file extensions / mime types - if whitelisted then accept the file.

With regards to PHP image hacking, open the file using file_get_contents(), str_replace <? with [? and ?> with ?], and any PHP included in the file will then not run.

Those are the first two that come to me.

01-17-2012, 08:15 PM
Sorry, basically, before loading an image, the script checks that the image is safe to display, in the sense that it isn't batched with anything, and that it won't auto-redirect anyone to another site in order to get their session.

01-17-2012, 08:19 PM
Right, so you're wanting to check for it running PHP code internally then, right?

Well, as mentioned, search for and replace any PHP tags inside the file and then save it back to the file with file_put_contents().

That way even if it does have php code it simply won't run.

01-17-2012, 08:20 PM
Open the image up and read the first four bytes out of it. This should tell you what kind of file it is; use this data to match up the image type.
Beyond this, there is little (nothing?) you can do to catch op code issues. The threat really isn't PHP in this regard; if you are using PHP to serve the image, then it will treat the output as an image. Make sure the image is located above the site root to prevent direct access to execute it in case it's not an image at all.
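As an added example (not code from any poster in this thread), here is one way to do the leading-bytes check described above in PHP, combined with the extension whitelist from the earlier reply and a move to a directory outside the web root. The signature table, the function names and the store directory are my own assumptions, and getimagesize() is used as a second opinion that the file actually parses as the claimed type.

```php
<?php
// Constructed whitelist: image type -> leading byte signatures (magic bytes).
const IMAGE_SIGNATURES = [
    'jpg' => ["\xFF\xD8\xFF"],
    'png' => ["\x89PNG\r\n\x1A\n"],
    'gif' => ["GIF87a", "GIF89a"],
];

// Read the first bytes of the file and return the matching whitelisted type,
// or null if the header matches none of the known signatures.
function detectImageType(string $path): ?string {
    $fh = fopen($path, 'rb');
    if ($fh === false) { return null; }
    $head = fread($fh, 8);          // longest signature in the table is 8 bytes
    fclose($fh);
    if ($head === false) { return null; }
    foreach (IMAGE_SIGNATURES as $type => $sigs) {
        foreach ($sigs as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) { return $type; }
        }
    }
    return null;
}

// Accept an upload only when the magic bytes, the client-supplied extension and
// PHP's own image parser all agree; then store it under a server-generated name
// in $storeDir (assumed to be outside the web root, e.g. /var/app/uploads) so the
// original filename never becomes a URL that the web server could execute.
// Returns the stored path, or null when the file is rejected.
function acceptUpload(string $tmpPath, string $clientName, string $storeDir): ?string {
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') { $ext = 'jpg'; }
    $type = detectImageType($tmpPath);
    if ($type === null || $type !== $ext) { return null; }   // header/extension mismatch
    $expected = ['jpg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
    $info = @getimagesize($tmpPath);                         // must decode as an image
    if ($info === false || $info[2] !== $expected[$type]) { return null; }
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $type;
    return move_uploaded_file($tmpPath, $dest) ? $dest : null;
}

// Typical use from an upload handler (field name 'photo' is assumed):
// $stored = acceptUpload($_FILES['photo']['tmp_name'], $_FILES['photo']['name'], '/var/app/uploads');
// if ($stored === null) { http_response_code(400); exit('rejected'); }
```

Serve the stored file through a script that sets the Content-Type from the detected type rather than from the original filename; an attacker-chosen name then never influences how the browser interprets the bytes.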

01-17-2012, 08:29 PM
OK, thanks for your help.

I'll start looking into it all and coding it.

Thanks once again, TF.