
[PHP] image upload - security

  • 06-12-2006 4:55pm
    #1
    Registered Users Posts: 1,086 ✭✭✭


    I have created an upload service on my website for members to upload avatars. I have set it to be able to upload a file. Now I want to verify the file is a valid image file and nothing malicious.

    I can easily get the dimensions (W x H) etc. Does that validate 100% that the file is an image and not malicious? Does it mean the file is safe against XSS (Even though I have tried to avoid GET variables)?

    I have read through http://us2.php.net/features.file-upload and still do not know what is 100% safe. A lot of the advice seems to contradict itself.

    Does anyone have a checklist for php image file uploads to validate file is safe and a valid image?


Comments

  • Registered Users Posts: 6,414 ✭✭✭kdouglas


    might want to have a look at http://www.php.net/manual/en/function.mime-content-type.php as well, check the actual file type and not just rely on the extension...


  • Registered Users Posts: 5,618 ✭✭✭Civilian_Target


    The important thing with security is to be rigorous. So first check the POST array is valid (i.e. it's not attempting to do something malicious instead of uploading an image), then check you've got an image (like kdouglas says) and then, by using some image manipulation stuff you can get dimensions and stuff.

    Checking dimensions is usually fairly safe, but it never hurts to check a bit more if you're writing production code.

    Nothing wrong with GET variables btw, so long as you check them thoroughly before you use them, and you don't put in anything that translates directly to SQL!

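The checklist the thread is circling (check the upload succeeded, sniff the real type, parse the image header, read the dimensions) as one PHP function, added here as an illustration rather than code from any poster. Two points the replies only hint at: getimagesize() reads only the header, so a file that returns sensible dimensions can still carry arbitrary trailing bytes or a script in a comment block, and the fix is to decode the image with GD and write a fresh copy, which drops everything that was not pixel data. The form field name "avatar", the size and dimension limits, and the $targetDir parameter are assumptions for the example; it requires the fileinfo and GD extensions and PHP 7 or later for random_bytes().

```php
<?php
// Added example (not from the thread): validating and re-encoding an avatar upload.
// Assumes the <input type="file"> is named "avatar" and that $targetDir is a
// directory from which the web server will not execute scripts.

declare(strict_types=1);

const MAX_BYTES = 512 * 1024;   // assumed cap; avatars should be small
const MAX_DIM   = 256;          // assumed cap; reject (or resize) anything bigger

// Allowed MIME types as reported by finfo, with the GD loader/saver and the
// extension the server will assign. The client's filename and type are never used.
const ALLOWED = [
    'image/jpeg' => ['load' => 'imagecreatefromjpeg', 'save' => 'imagejpeg', 'ext' => 'jpg'],
    'image/png'  => ['load' => 'imagecreatefrompng',  'save' => 'imagepng',  'ext' => 'png'],
    'image/gif'  => ['load' => 'imagecreatefromgif',  'save' => 'imagegif',  'ext' => 'gif'],
];

/**
 * Validate one entry of $_FILES and store a re-encoded copy.
 * Returns the stored path; throws RuntimeException on any failure.
 */
function storeAvatar(array $file, string $targetDir): string
{
    // 1. The upload must have succeeded and really come from this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 2. Size cap before any parsing; decoding a huge image is a cheap way to exhaust memory.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 3. Sniff the type from the bytes, not from $file['type'] or the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported type');
    }

    // 4. Header check: getimagesize() must parse it, agree with finfo, and give sane dimensions.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    [$w, $h] = $info;
    if ($w < 1 || $h < 1 || $w > MAX_DIM || $h > MAX_DIM) {
        throw new RuntimeException("bad dimensions {$w}x{$h}");
    }

    // 5. Decode the whole file and write a fresh image. A parseable header says nothing
    //    about the rest of the file; re-encoding discards comments, metadata and any
    //    trailing bytes where a payload would otherwise ride along.
    $loader = ALLOWED[$mime]['load'];
    $img = @$loader($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('image failed to decode');
    }

    // 6. Server-chosen random name and fixed extension for the detected type.
    $dest  = rtrim($targetDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime]['ext'];
    $saver = ALLOWED[$mime]['save'];
    $ok    = $saver($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write avatar');
    }
    return $dest;
}

// Usage from the upload handler:
// try {
//     $path = storeAvatar($_FILES['avatar'], __DIR__ . '/../avatars');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
// }
```

On the XSS question in the original post: the upload check is only half of it. Serve the stored file through a handler (or a static directory) that sends the Content-Type derived from the detected type above plus `X-Content-Type-Options: nosniff`, so a browser never gets the chance to reinterpret an image as HTML, and keep the avatar directory somewhere PHP is not executed, so even a file that slipped through could not run.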
