[thelist] Fwd: PHP file upload: how to make it safe?
Beau Hartshorne
beau at members.evolt.org
Tue Aug 20 06:51:01 CDT 2002
No, that code is not as safe as it could be. There are a few PHP
functions that will help you out. They are described in this PHP manual
chapter:
http://www.php.net/manual/en/features.file-upload.php
(Look for the is_uploaded_file() and move_uploaded_file() functions.)
Cheers,
Beau
> How secure would you consider this code? (See below)
>
> Thanks a lot :)
>
> Mike
>
> >Date: Fri, 16 Aug 2002 10:57:34 +0200
> >To: thelist at lists.evolt.org
> >From: m u i n a r <muinar at gmx.net>
> >Subject: PHP file upload: how to make it safe?
> >
> >Hi all
> >
> >How dangerous is a public file upload?
> >
> >I'm checking for file type, size and image dimensions (see following PHP
> >code snippet). If it has a width, it should be an image, and image files
> >can't be self-executing and harm the server - ?
> >
> > $imageDim = getimagesize( $img1 );
> > $img1Width = $imageDim[ 0 ];
> > $img1Height = $imageDim[ 1 ];
> > $type1 = $HTTP_POST_FILES['img1']['type'];
> > if( substr_count( $type1,"jpeg" ) != 0 and $img1Width *
> > $img1Height <= 5000 )
> > {
> > $newFile = "cat_" . $id . ".jpg";
> > copy( "$img1", "$dirName/$newFile" );
> > $textJpg = "Image uploaded.";
> > }
> >
> >Is it still possible to fake all three criteria and upload something
> >dangerous? Or, generally asked: Is it less secure than a normal website
> >without file upload?
> >
> >Most likely the upload part will be after user login *and* probably
> >after credit card payment.
> >
> >Thanks for any insights... :)
> >
> >Mike
>
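To make Beau's pointer concrete, here is an added example (not code from either poster) of the same "img1" upload handled the way the manual chapter recommends: the browser-supplied `type` field is ignored, the file is accepted only if PHP itself received it (`is_uploaded_file()`), the JPEG check comes from the bytes that `getimagesize()` reads rather than from the client, and the file is placed with `move_uploaded_file()` under a server-chosen name. `MAX_BYTES` and `UPLOAD_DIR` are assumed values; `$_FILES` is the modern name for the `$HTTP_POST_FILES` array in the original snippet.

```php
<?php
// Added example, not from the original thread: a hardened handler for the
// "img1" upload using is_uploaded_file() and move_uploaded_file().
declare(strict_types=1);

const MAX_BYTES  = 200 * 1024;         // assumption: 200 KB cap on the upload
const MAX_PIXELS = 5000;               // the thread's own width*height limit
const UPLOAD_DIR = '/var/www/uploads'; // assumption: a directory outside the web root

/**
 * Validate one $_FILES entry. Returns [bool $ok, string $reason].
 */
function validate_image_upload(array $file, int $maxBytes = MAX_BYTES, int $maxPixels = MAX_PIXELS): array
{
    // 1. Check PHP's own upload status, not the client's 'type' string.
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed or missing'];
    }
    // 2. Only trust a file that PHP received through this HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    // 3. Enforce the size cap on the real file, not on the client's claim.
    if (filesize($file['tmp_name']) > $maxBytes) {
        return [false, 'too large'];
    }
    // 4. Inspect the bytes: getimagesize() parses the image header, so the
    //    IMAGETYPE_JPEG result does not depend on anything the client said.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return [false, 'not a JPEG'];
    }
    [$width, $height] = $info;
    if ($width * $height > $maxPixels) {
        return [false, 'dimensions too large'];
    }
    return [true, 'ok'];
}

/**
 * Store a validated upload under a server-chosen name and return that name.
 */
function store_upload(array $file, int $id): string
{
    // Fixed extension and no user-controlled path components, so the
    // original filename can never pick the extension or escape the directory.
    $newFile = sprintf('cat_%d.jpg', $id);
    $dest    = UPLOAD_DIR . '/' . $newFile;
    // move_uploaded_file() refuses to move anything that was not uploaded.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $newFile;
}

// Usage in the upload script (assumes the form field is still named "img1"
// and that $id arrives as a POST field; both are assumptions).
if (PHP_SAPI !== 'cli' && isset($_FILES['img1'])) {
    [$ok, $why] = validate_image_upload($_FILES['img1']);
    if ($ok) {
        $textJpg = 'Image uploaded: ' . store_upload($_FILES['img1'], (int) ($_POST['id'] ?? 0));
    } else {
        $textJpg = 'Upload rejected: ' . $why;
    }
}
```

Two points the original snippet misses are worth keeping in mind when reading this: `copy("$img1", ...)` would copy whatever path `$img1` names, whereas `move_uploaded_file()` only works on the temporary file of the current request; and keeping `UPLOAD_DIR` outside the document root (serving the images through a script that sets the Content-Type) means that even a file which passes the header check is never handed to the PHP interpreter.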