[thelist] PHP file upload: how to make it safe?
m u i n a r
muinar at gmx.net
Fri Aug 16 03:59:01 CDT 2002
Hi all
How dangerous is a public file upload?
I'm checking for file type, size and image dimensions (see following PHP
code snippet). If it has a width, it should be an image, and image files
can't be self-executing and harm the server - ?
    // Dimensions of the uploaded file, read from the file itself
    $imageDim   = getimagesize( $img1 );
    $img1Width  = $imageDim[ 0 ];
    $img1Height = $imageDim[ 1 ];
    // MIME type as reported by the browser in the upload request
    $type1 = $HTTP_POST_FILES['img1']['type'];
    if( substr_count( $type1, "jpeg" ) != 0 and $img1Width * $img1Height <= 5000 )
    {
        // Store under a server-chosen name with a fixed .jpg extension
        $newFile = "cat_" . $id . ".jpg";
        copy( "$img1", "$dirName/$newFile" );
        $textJpg = "Image uploaded.";
    }
Is it still possible to fake all three criteria and upload something
dangerous? Or, generally asked: Is it less secure than a normal website
without file upload?
Most likely the upload part will be after user login *and* probably
after credit card payment.
Thanks for any insights... :)
Mike
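As an added example (not part of Mike's post), here is a defensive version of the same handler: it ignores the browser-supplied type, checks the received bytes with getimagesize(), re-encodes through GD so only server-produced pixel data is stored, and never uses client input in the path. It assumes the GD extension, the current $_FILES superglobal, and an $uploadDir outside the web root.

```php
<?php
// Added example, not the original poster's code. Assumes the GD extension
// and that $uploadDir is a directory the web server will not execute from.
function saveUploadedJpeg(array $file, string $uploadDir, int $id, int $maxPixels = 5000): ?string
{
    // Reject failed uploads and anything that did not arrive via HTTP upload.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // $file['type'] is copied from the browser's own header and is not
    // verified by PHP, so it is never consulted here. Inspect the bytes instead.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    // Same size limit as the original snippet: width * height <= 5000 pixels.
    if ($info[0] * $info[1] > $maxPixels) {
        return null;
    }
    // Decode and re-encode with GD: the stored file contains only pixel data
    // written by the server, not whatever else was in the original upload.
    $im = @imagecreatefromjpeg($file['tmp_name']);
    if ($im === false) {
        return null;
    }
    // Server-chosen name with a fixed extension; nothing from the client
    // (original filename, type, path) reaches the destination path.
    $newFile = 'cat_' . $id . '.jpg';
    $dest = rtrim($uploadDir, '/') . '/' . $newFile;
    $ok = imagejpeg($im, $dest, 85);
    imagedestroy($im);
    return $ok ? $newFile : null;
}

// Usage, mirroring the original field name 'img1' ($id and path are assumed):
// $saved   = saveUploadedJpeg($_FILES['img1'], '/var/uploads/cats', (int) $id);
// $textJpg = ($saved !== null) ? 'Image uploaded.' : 'Upload rejected.';
```

Serving the stored files through a script or from a host that treats the directory as static content keeps a stray file from ever being interpreted by PHP.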