| Author |
Message |
izone
Involved
Joined: Sep 07, 2004
Posts: 354
Location: Sweden
|
 Posted:
Fri Dec 23, 2005 1:34 pm |
|
I have a script for uploading images to server. But when I change a .php or other files extention to an image one (like changing image.php to image.gif) and wanted to upload it to the server this script take it as an image and upload it.
How can I force this script (php script) to check if the file is really an image file?
Best Regards and Marry Christmas! |
| |
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
| Posted:
Fri Dec 23, 2005 2:24 pm |
|
whats the point..?
It cannot be executed and /or used.... |
| |
|
|
|
|
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
|
| Posted:
Fri Dec 23, 2005 2:24 pm |
|
(Edit: Actually hitwalker, hackers use simple images files all the time to execute malicious code. While an image file itself isn't usually executable, the data can be inserted into a script that is. It's a clever way to fool people)
You're worry about security problems right?
I don't know if this makes a difference, but when you upload the file, there's a type that's attached to the file
$_FILES['uploadfile']['type']
I check that its an image
Also, I use getimagesize() to make sure I can get a width and a height from it
Maybe someone here has done better |
_________________
- Only registered users can see links on this board! Get registered or login! -
Need help? Only registered users can see links on this board! Get registered or login! |
|
|
|
izone
|
| Posted:
Fri Dec 23, 2005 2:29 pm |
|
| Quote: |
You're worry about security problems right?
|
Yes Evaders99, I am.
Here is my script for uploading an image:
Code:
if ($mode == "upload") {
$file = $_FILES['file']['name'];
$name = time() . substr($file, -4);
// If you add your own file types don't forget to add an uppercase version.
$allowedfiles[] = "gif";
$allowedfiles[] = "jpg";
$allowedfiles[] = "jpeg";
$allowedfiles[] = "png";
$allowedfiles[] = "GIF";
$allowedfiles[] = "JPG";
$allowedfiles[] = "JPEG";
$allowedfiles[] = "PNG";
if($_FILES['file']['size'] > $maxsize)
{
print "File size is too big - please reduce file size and try again.";
}
else {
$path = "$serverpath/" . $name;
foreach($allowedfiles as $allowedfile) {
if ($done <> "yes") {
if (file_exists($path)) {
echo "A file with this name already exists - please rename the file and reupload.";
exit;
}
}
|
Where and which code do I have to use to both have a better security and to could show width and a height of an image? |
| |
|
|
|
|
hitwalker
|
| Posted:
Fri Dec 23, 2005 2:33 pm |
|
yes i see,but that would make every script vunerable to abuse,ehh...how many upload/image/etc.. scripts modules does nuke have....  |
| |
|
|
|
|
izone
|
| Posted:
Fri Dec 23, 2005 2:35 pm |
|
Oh, this not a Nuke script. this is a stand alone php file I am using. Not inside the Nuke. |
| |
|
|
|
|
hitwalker
|
| Posted:
Fri Dec 23, 2005 2:44 pm |
|
ohh,well there are tons of scripts out there...making sure its a safe one is allways better.. |
| |
|
|
|
|
evaders99
|
| Posted:
Fri Dec 23, 2005 10:27 pm |
|
Too many upload scripts hehe. And still lots of code where injections can occur.
I'm not sure what your script is doing with
Code:
foreach($allowedfiles as $allowedfile) {
|
Seems your defining an array of allowed extensions. But I don't see anywhere that is used to validate the file name |
| |
|
|
|
|
izone
|
| Posted:
Sat Dec 24, 2005 5:37 am |
|
evaders99, Thanks for reply.
I found this script on the net. This is the only one I could found! If you know another script for uploading images to server I'll be greatfull to have it, please. |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
