
Secure Image Upload in PHP?


snike

Established Member
Impact
3
I wanted to make an image upload script in PHP, but I didn't want users to be able to upload executable scripts with a .png, etc. extension. Is there a way I can make a secure image upload script that only uploads images?

Thanks in advance.
 
0
•••
If you're looking for a full script, I have an open source one at imagepng.com. I'm about to release an update that adds user accounts so I'm looking for beta testers.
 
1
•••
Just some tips:

  • Make sure to always get the last extension of the uploaded filename. That means don't just explode by the periods and expect it to be the second one because hackers can just do filename.jpg.jpg.jpg.jpg.jpg.EXE
  • Check out PHP: Exif - Manual
  • Verify file size
  • Research about XSS attacks and SQL injection.

Do your best to prevent these little problems and you will have a better secured script. :) I am sure others can help you think of stuff I am forgetting. :)
 
1
•••
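The checks from the tips above (last extension only, a content check via the Exif extension, and a size limit), combined in one place. This is an added example, not code posted by anyone in the thread; the function names, `MAX_BYTES`, the `ALLOWED` map and the `$dir` argument are assumptions, and it needs PHP's exif extension enabled.

```php
<?php
const MAX_BYTES = 2 * 1024 * 1024;      // assumed limit: 2 MiB
const ALLOWED = [                       // detected image type => extension to store under
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
];

/** Validate one $_FILES entry; returns the extension to store it under. */
function validate_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Measure the file on disk; $file['size'] is reported by the client.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('bad file size');
    }
    // Last extension only: "photo.jpg.php" yields "php", not "jpg".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    // Content check: exif_imagetype() reads the file's signature bytes
    // and returns false when they match no known image format.
    $type = @exif_imagetype($file['tmp_name']);
    if ($type === false || !array_key_exists($type, ALLOWED)) {
        throw new RuntimeException('not an allowed image type');
    }
    if ($ext !== ALLOWED[$type]) {
        throw new RuntimeException('extension does not match content');
    }
    return ALLOWED[$type];
}

/** Store a validated upload under a server-generated name; returns the path. */
function store_image_upload(array $file, string $dir): string
{
    $ext = validate_image_upload($file);
    // Nothing from the client-supplied filename reaches the filesystem.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
```

The signature check only inspects the start of the file, so the stored name always comes from the allow-list, and the upload directory should be configured so the web server never executes scripts from it.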
Thanks.

Is it possible to have an executable file that has a .png, etc. extension?

I'll take a look at that script after this post, chadsmith.
 
0
•••
If you're looking for a full script, I have an open source one at imagepng.com. I'm about to release an update that adds user accounts so I'm looking for beta testers.
It almost works like TwitPic! Thanks for sharing the great script. ;)
 
0
•••