[thelist] Fwd: PHP file upload: how to make it safe?

m u i n a r muinar at gmx.net
Mon Aug 19 10:13:01 CDT 2002


How secure would you consider this code? (See below)

Thanks a lot   :)

Mike

>Date: Fri, 16 Aug 2002 10:57:34 +0200
>To: thelist at lists.evolt.org
>From: m u i n a r <muinar at gmx.net>
>Subject: PHP file upload: how to make it safe?
>
>Hi all
>
>How dangerous is a public file upload?
>
>I'm checking for file type, size and image dimensions (see following PHP
>code snippet). If it has a width, it should be an image, and image files
>can't be self-executing and harm the server - ?
>
>         $imageDim = getimagesize( $img1 );
>         $img1Width = $imageDim[ 0 ];
>         $img1Height = $imageDim[ 1 ];
>         $type1 = $HTTP_POST_FILES['img1']['type'];
>         if( substr_count( $type1,"jpeg" ) != 0 and $img1Width * $img1Height <= 5000 )
>                 {
>                 $newFile = "cat_" . $id . ".jpg";
>                 copy( "$img1", "$dirName/$newFile" );
>                 $textJpg = "Image uploaded.";
>                 }
>
>Is it still possible to fake all three criteria and upload something
>dangerous? Or, generally asked: Is it less secure than a normal website
>without file upload?
>
>Most likely the upload part will be after user login *and* probably
>after credit card payment.
>
>Thanks for any insights...  :)
>
>Mike
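For readers weighing the question above: the posted check trusts two things an uploader controls, the Content-Type header that lands in `$HTTP_POST_FILES['img1']['type']` and whatever path ends up in `$img1`, and `getimagesize()` only parses the image header, so a file can carry a valid JPEG header and arbitrary bytes after it. The following is an added example, not the poster's code and not from the thread, showing how the same upload would be validated and stored defensively. It assumes the form field is still named `img1`, that `$dirName` is a directory from which the web server never executes scripts, and that `$id` is an integer the application already validated; `$_FILES` is the modern name for `$HTTP_POST_FILES`.

```php
<?php
// Added example (not the poster's code): a hardened version of the upload check.
// Assumptions: the form field is still named "img1", $dirName is a directory the
// web server does not execute scripts from, and $id is a validated integer.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 200 * 1024;   // hard cap on the raw upload size
const MAX_PIXELS       = 5000;         // the poster's width*height limit

/**
 * Validate an uploaded JPEG and store a re-encoded copy of it.
 * Returns the stored file name on success; throws RuntimeException otherwise.
 */
function storeUploadedJpeg(array $file, string $dirName, int $id): string
{
    // 1. PHP's own upload status: reject partial uploads and missing files.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent.');
    }
    // 2. is_uploaded_file() proves the path came from this request's upload,
    //    not from a variable the client could set (the register_globals era).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // 3. Size limit measured on the server, not taken from the client.
    if (filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // 4. Do NOT use $file['type']: it is the Content-Type the browser sent.
    //    Inspect the bytes instead; getimagesize() parses the image header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('Not a JPEG image.');
    }
    [$width, $height] = $info;
    if ($width * $height > MAX_PIXELS) {
        throw new RuntimeException('Image dimensions too large.');
    }
    // 5. A valid header does not make the rest of the file harmless (trailing
    //    data, comment segments). Decode and re-encode with GD so that only
    //    pixel data survives in the stored copy.
    $gd = @imagecreatefromjpeg($file['tmp_name']);
    if ($gd === false) {
        throw new RuntimeException('JPEG could not be decoded.');
    }
    // 6. Server-chosen name with a fixed extension; no client input in the path.
    $newFile = sprintf('cat_%d.jpg', $id);
    $target  = rtrim($dirName, '/') . '/' . $newFile;
    $ok = imagejpeg($gd, $target, 85);
    imagedestroy($gd);
    if (!$ok) {
        throw new RuntimeException('Could not write image.');
    }
    return $newFile;
}

// Usage in the upload handler. Both values below are assumed placeholders.
$dirName = '/srv/app/uploads';          // assumed: not script-executable by the server
$id      = (int) ($_POST['id'] ?? 0);   // assumed: validated against the logged-in user elsewhere

try {
    $newFile = storeUploadedJpeg($_FILES['img1'] ?? [], $dirName, $id);
    $textJpg = 'Image uploaded.';
} catch (RuntimeException $e) {
    $textJpg = 'Upload rejected: ' . $e->getMessage();
}
```

The two changes that matter most relative to the posted snippet are deciding the type from the file's bytes rather than from the client's Content-Type, and never serving the raw upload back: the stored file is a fresh JPEG written by GD, so anything smuggled after the image header is discarded. Keeping the upload directory outside the document root, or configured so the server will not execute anything in it, is the remaining layer.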



