Secure Image upload...

Posted: Thu Nov 11, 2010 5:21 am

I am trying to wrap my head around image uplaods and doing it correctly.

Man what a task!

So I have a form...this form allows you to upload an image.

First I am checking my MD5 session token...then running everthing through the mysql_real_escape_string

Code:

      if(isset($_POST['token']))


         {


            if($_POST['token'] != $_SESSION['token'])


               {


                  die('So Sorry...');


               }


      foreach ($_POST as $key => $value) 


         { 


            $_POST[$key] = mysql_real_escape_string($value); 


         }

If it clears al that....

I process the image.
Coming out the other side...the orginal iamge is not saved...just the 2 images that I have resized.

The code works as expected but I still want to make sure that I am not leaving myself open to attack.

Code:

      $img_one  = addslashes(check_html($_POST['img_one'], 'nohtml' ));


      $RN1 = rand();


      $img_one = $_FILES['img_one']['tmp_name'];


      if( !empty($img_one) )


         {


         


            $src1 = imagecreatefromjpeg($img_one);


            list($width1, $height1) = getimagesize($img_one);


            $newwidth1 = 600;


            $newheight1 = ($height1/$width1)*$newwidth1;


            $newwidth1_2 = 400;


            $newheight1_2 = ($height1/$width1)*$newwidth1_2;


            $tmp1 = imagecreatetruecolor($newwidth1, $newheight1);


            imagecopyresampled($tmp1,$src1,0,0,0,0,$newwidth1,$newheight1,$width1,$height1);       


            $tmp1_2 = imagecreatetruecolor($newwidth1_2,$newheight1_2);


            imagecopyresampled($tmp1_2,$src1,0,0,0,0,$newwidth1_2,$newheight1_2,$width1,$height1);


            $newpath1= "modules/path/images/profiles/".$RN1."_1.jpg";


            $newpath1_tn= "modules/path/images/profiles/".$RN1."_1_tn.jpg";


            imagejpeg($tmp1,$newpath1,600);


            imagejpeg($tmp1_2,$newpath1_tn,400);


            $img_one=$newpath1;


            $img_one_tn=$newpath1_tn;


         }

I am reading though this...
http://corpocrat.com/2008/05/04/implementing-secure-file-upload-in-php-2/

Some of this applys but some of it does not. What do you think? Have I coverad all the bases?

Thank You for your time!

Dawg

Posted: Thu Nov 11, 2010 10:30 am

why do you use addslashes() ???

Posted: Thu Nov 11, 2010 10:43 am

djmaze,

I am adding the file name to the database once the uplaod is complete. So I addslashes to all the $var before inserting.

I did not figure it would hurt...and it worked as expected.

Thank You for your time!!

Dawg

Posted: Thu Nov 11, 2010 11:08 am

Dawg, there is no point for the

Code:

     $img_one  = addslashes(check_html($_POST['img_one'], 'nohtml' ));

especailly since you are just overwriting it two lines later with

Code:

$img_one = $_FILES['img_one']['tmp_name'];

Posted: Thu Nov 11, 2010 3:42 pm

Dawg wrote:

djmaze,

I am adding the file name to the database once the upload is complete. So I addslashes to all the $var before inserting.

That is bad behavior. Use the DB layer real_escape_string().
Since nuke only supports mysql (not mysqli) use mysql_real_escape_string() UNTIL something gets fixed!

Posted: Thu Nov 11, 2010 5:10 pm

http://www.sitepoint.com/forums/showthread.php?t=337881&page=2

A very interesting artcle on all this...

So to recap...
Kill addslashes for my image code...

For all the rest of my $vars change add slashes to mysql_real_escape_string

Is that correct?

Pablin, DJMaze, I learn so much from ya'll....THANK YOU VERY MUCH FOR YOUR TIME!

DAwg