5 Replies - 930 Views - Last Post: 22 December 2011 - 06:08 AM

#1 mikelash (D.I.C Head, Reputation: 0, Posts: 94, Joined: 17-June 11)

how do i make my file uploader safe

Posted 22 December 2011 - 12:48 AM

I have a file uploader so that people can upload their profile images on the site. I had a problem with a hacker not too long ago and he loaded up a hacked page. How can I make it so it only loads image files?

Replies To: how do i make my file uploader safe

#2 creativecoding (Hash != Encryption, Reputation: 931, Posts: 3,216, Joined: 19-January 10)

Re: how do i make my file uploader safe

Posted 22 December 2011 - 12:51 AM

Check the image extension.

Also, show us your code.

#3 mikelash (D.I.C Head, Reputation: 0, Posts: 94, Joined: 17-June 11)

Re: how do i make my file uploader safe

Posted 22 December 2011 - 12:55 AM

<?php
// Posted uploader, as-is: the destination path is built from the
// client-supplied filename, stored in the database, and only then is the
// temporary file moved into place.
$path = "upload/";
$path = $path . basename($_FILES['photofile']['name']);

// Note: the members row is updated before move_uploaded_file() has succeeded.
mysql_query("UPDATE members SET image = '$path' WHERE username = '$name'");

if (move_uploaded_file($_FILES['photofile']['tmp_name'], $path)) {
    echo "Successful upload of " . basename($_FILES['photofile']['name']);
} else {
    echo "Error when uploading the picture; it may be too big, try uploading another.";
}
?>


This post has been edited by mikelash: 22 December 2011 - 12:55 AM


#4 hackterr (D.I.C Regular, Reputation: 21, Posts: 293, Joined: 13-August 09)

Re: how do i make my file uploader safe

Posted 22 December 2011 - 03:21 AM

Actually, just checking the extension is useless, as a PHP or HTML page can be sent with a .jpg extension and later changed. What you need to do is save the uploaded file to a directory and disable public access to that directory.
Also, you could check its binary (hex) for file-type headers, which define what kind of file it is; that is, check for JPEG markers in the case of a JPEG file and refuse the upload if the file is anything but an image.

#5 floppyspace (D.I.C Regular, Reputation: 48, Posts: 256, Joined: 04-February 10)

Re: how do i make my file uploader safe

Posted 22 December 2011 - 05:54 AM

I recently read this (I had to implement something similar recently); it is a bit outdated, but it helps explain how you could possibly be attacked:

upload

Cheers
Floppy

#6 e_i_pi (= -1, Reputation: 879, Posts: 1,893, Joined: 30-January 09)

Re: how do i make my file uploader safe

Posted 22 December 2011 - 06:08 AM

The PHP function getimagesize() returns false if the parameter passed is not an image, so you could use something like this:
if (!getimagesize($_FILES['imagefile']['tmp_name']))
{
    // Failure code here: the temporary file did not parse as an image
} else {
    // Success code here
}



EDIT: The link in the post by floppyspace is well worth the read, it's a pretty comprehensive guide to preventing malicious attacks via file upload

This post has been edited by e_i_pi: 22 December 2011 - 06:18 AM

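The following is a hardened rewrite of the handler from post #3 that puts the advice from posts #4 and #6 together in one place. It is an added example, not code posted in this thread, and it goes one step beyond the thread: getimagesize() accepts a real JPEG with PHP appended after the image data, so the image is re-encoded with GD before it is saved, which drops anything that is not pixel data. It assumes PHP 8 with the fileinfo and GD extensions, a PDO connection in $pdo, the logged-in user's name in $username, and a storage directory /var/www/uploads_private that the web server does not serve directly; all of those names are assumptions.

```php
<?php
// Added example: hardened profile-image upload handler.
// Assumptions: PHP 8 with fileinfo + GD, $pdo (PDO connection) and
// $username (authenticated user) set by the surrounding application,
// STORAGE_DIR outside the document root and writable by PHP only.
declare(strict_types=1);

// Sniffed MIME type -> extension the server assigns. The client's filename
// and extension are never used.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES   = 2 * 1024 * 1024;            // 2 MiB cap (assumed policy)
const STORAGE_DIR = '/var/www/uploads_private'; // assumed, not web-reachable

/** Validate one $_FILES entry; return the extension to store it under. */
function validate_image_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File is too big.');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file.');
    }

    // 1. Magic-byte check (what post #4 describes): finfo reads the file
    //    header, so a PHP script renamed to .jpg is rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted.');
    }

    // 2. getimagesize() (post #6) as a second opinion: the file must parse
    //    as an image and the type it reports must agree with the sniff.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image.');
    }
    return ALLOWED_TYPES[$mime];
}

/**
 * Decode and re-encode with GD, then write under a random server-chosen
 * name. Re-encoding discards trailing data (e.g. "<?php ... ?>" appended
 * to an otherwise valid JPEG), which getimagesize() alone would accept.
 */
function store_image(string $tmp, string $ext): string
{
    $img = match ($ext) {
        'jpg' => imagecreatefromjpeg($tmp),
        'png' => imagecreatefrompng($tmp),
        'gif' => imagecreatefromgif($tmp),
    };
    if ($img === false) {
        throw new RuntimeException('File is not a valid image.');
    }
    // Random name: no path traversal, no attacker-controlled extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = STORAGE_DIR . '/' . $name;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not save image.');
    }
    return $name;
}

// ---- request handling ---------------------------------------------------
try {
    $ext  = validate_image_upload($_FILES['photofile'] ?? []);
    $name = store_image($_FILES['photofile']['tmp_name'], $ext);

    // Prepared statement: the original UPDATE interpolated $path and $name
    // directly into the SQL string.
    $stmt = $pdo->prepare('UPDATE members SET image = :image WHERE username = :user');
    $stmt->execute([':image' => $name, ':user' => $username]);

    echo 'Successful upload.';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Because the files live outside the document root, they are served through a small script rather than by URL: look up the stored name for the requested user, check that it matches the pattern the handler produces (32 hex characters plus one of the three extensions), send the matching Content-Type together with X-Content-Type-Options: nosniff, and readfile() it. Nothing in the upload directory can then be executed or served as anything other than an image. One trade-off of re-encoding: animated GIFs come out as their first frame only.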