<p>Neither file extension nor mime type can give you 100% security that you are dealing with an image file. But as long as you're not going to execute the file (e.g. by using include()), that is not a problem and you do not need to check for PHP code or anything else. The only security breach imaginable using a forged image file would be something that exploits <em>the browser's</em> rendering engine. This is impossible to protect effectively against from the server side and is the browser vendor's responsibility.</p>

<p>So, as long as you make sure you use <a href="http://php.net/manual/en/function.is-uploaded-file.php" rel="nofollow noreferrer"><code>is_uploaded_file()</code></a> and <a href="http://php.net/manual/en/function.move-uploaded-file.php" rel="nofollow noreferrer"><code>move_uploaded_file()</code></a> when handling the upload, you should be fine, at least on the image format front. Make sure you read @bobince's post below and follow the link; it contains a bunch of great information on other security aspects when dealing with files.</p>

<p>You could however, to provide totally maximum security, of course copy the image into a new image container using GD's <a href="http://de3.php.net/imagecopy" rel="nofollow noreferrer">imagecopy</a>. This would erase any ID3 and other header information contained in the file, and probably destroy any exploit attempts (GD would probably choke on such a file and return an error). This works for GIF, JPEG, and PNG only, of course, and you may run into some issues like alpha channel and colour profile problems.</p>
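A concrete way to do what the answer above describes, as an added example that is not part of the original answer: it checks the temp file with is_uploaded_file(), lets GD decode it, and copies the pixels into a fresh canvas with imagecopy before saving under a server-chosen name. The function name store_uploaded_image, the form field name "image" and the destination directory are assumptions.

```php
<?php
// Added example (not from the original answer): validate an uploaded image and
// re-encode it through GD. Assumes $dest_dir is outside the PHP-executed web root.
function store_uploaded_image(array $file, string $dest_dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    // Reject paths that did not come from this request's HTTP POST upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // GD inspects the bytes; the client-supplied filename and MIME type are ignored.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('Not a recognised image');
    }
    [$width, $height, $type] = $info;
    $readers = [
        IMAGETYPE_GIF  => 'imagecreatefromgif',
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
    ];
    if (!isset($readers[$type])) {
        throw new RuntimeException('Only GIF, JPEG and PNG are accepted');
    }
    $reader = $readers[$type];
    $src = @$reader($file['tmp_name']);
    if ($src === false) {
        throw new RuntimeException('GD could not decode the image');
    }
    // Copy pixels into a brand-new transparent canvas: comments, EXIF and any
    // trailing bytes of the original file are not carried over.
    $dst = imagecreatetruecolor($width, $height);
    imagealphablending($dst, false);
    imagesavealpha($dst, true);
    imagefill($dst, 0, 0, imagecolorallocatealpha($dst, 0, 0, 0, 127));
    imagecopy($dst, $src, 0, 0, 0, 0, $width, $height);
    imagedestroy($src);
    // Server-chosen name and extension: nothing from the client reaches the path.
    $target = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($dst, $target)) {
        imagedestroy($dst);
        throw new RuntimeException('Could not write re-encoded image');
    }
    imagedestroy($dst);
    return $target;
}
// Usage: $path = store_uploaded_image($_FILES['image'], '/var/www/uploads');
```

Writing everything out as PNG is a simplification; keeping the source format, or preserving colour profiles, needs extra handling, which is the caveat the answer ends on.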