Secure Image Upload in PHP?

snike · 08-25-2009, 11:41 AM

I wanted to make a image upload script in PHP, but I didn't want users to able to upload executable scripts with a .png, etc extension. Is there a way I can make a secure image upload script that only uploads images?

Thanks in advance.

chadsmith · 08-26-2009, 09:08 PM

If you're looking for a full script, I have an open source one at imagepng.com. I'm about to release an update that adds user accounts so I'm looking for beta testers.

Dave · 08-26-2009, 11:31 PM

Just some tips:

Make sure to always get the last extension of the uploaded filename. That means don't just explode by the periods and expect it to be the second one because hackers can just do filename.jpg.jpg.jpg.jpg.jpg.EXE
Check out PHP: Exif - Manual
Verify file size
Research about XSS attacks and SQL injection.

????: NamePros.com http://www.namepros.com/programming/605734-secure-image-upload-in-php.html
Do your best to prevent these little problems and you will have a better secured script.

I am sure others can help you think of stuff I am forgetting.

snike · 08-28-2009, 11:52 PM

Thanks.

Is it possible to have a executable file that has a .png, etc. extension?

I'll take a look at that script after this post, chadsmith.

kleszcz · 11-14-2009, 12:06 PM

Originally Posted by chadsmith

If you're looking for a full script, I have an open source one at imagepng.com. I'm about to release an update that adds user accounts so I'm looking for beta testers.

It almost works like TwitPic! Thanks for sharing the great script.

08-25-2009, 11:41 AM	THREAD STARTER #1 (permalink)
snike NamePros Regular Join Date: Mar 2006 Location: USA Posts: 497	Secure Image Upload in PHP? I wanted to make a image upload script in PHP, but I didn't want users to able to upload executable scripts with a .png, etc extension. Is there a way I can make a secure image upload script that only uploads images? Thanks in advance.

08-26-2009, 09:08 PM	#2 (permalink)
chadsmith NamePros Regular Join Date: Jul 2008 Location: Wichita, KS Posts: 287 Follow @chadsmith	If you're looking for a full script, I have an open source one at imagepng.com. I'm about to release an update that adds user accounts so I'm looking for beta testers. __________________ Free Services: Alertable.com, DetectMobileBrowser.com, DropCart.com, FreeCronJobs.com, HTMLDTD.com, ImagePNG.com, NoCart.com, phpMyLogin.com, RandomTweeps.com, SearchFriendlyURLs.com For Sale: Keyword Domains / Generics See Also:: Google Voice Add-on for Firefox, Google Wave Add-on for Firefox

08-26-2009, 11:31 PM	#3 (permalink)
Dave Senior Member Join Date: Jun 2007 Location: NamePros.com Posts: 1,485	Just some tips: Make sure to always get the last extension of the uploaded filename. That means don't just explode by the periods and expect it to be the second one because hackers can just do filename.jpg.jpg.jpg.jpg.jpg.EXE Check out PHP: Exif - Manual Verify file size Research about XSS attacks and SQL injection. ????: NamePros.com http://www.namepros.com/programming/605734-secure-image-upload-in-php.html Do your best to prevent these little problems and you will have a better secured script. I am sure others can help you think of stuff I am forgetting.

08-28-2009, 11:52 PM	THREAD STARTER #4 (permalink)
snike NamePros Regular Join Date: Mar 2006 Location: USA Posts: 497	Thanks. Is it possible to have a executable file that has a .png, etc. extension? I'll take a look at that script after this post, chadsmith.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)