PHP image upload security checklist

<p>I am programming a script to upload images to my application. Are the following security steps enough to make the application safe from the script side?</p>
<ul>
<li>Disable PHP from running inside the upload folder using .htaccess.</li>
<li>Do not allow the upload if the file name contains the string "php".</li>
<li>Allow only the extensions jpg, jpeg, gif and png.</li>
<li>Allow only image file types.</li>
<li>Disallow images with two file types.</li>
<li>Change the image name.</li>
<li>Upload to a sub-directory, not the root directory.</li>
</ul>
<p>This is my script:</p>
<pre><code>&lt;?php
$filename = $_FILES['my_files']['name'];
$filetype = $_FILES['my_files']['type'];
$filename = strtolower($filename);
$filetype = strtolower($filetype);

// check if the name contains "php" and kill it
$pos = strpos($filename, 'php');
if (!($pos === false)) {
    die('error');
}

// get the file extension (everything from the last dot)
$file_ext = strrchr($filename, '.');

// check if the extension is allowed or not
$whitelist = array(".jpg", ".jpeg", ".gif", ".png");
if (!(in_array($file_ext, $whitelist))) {
    die('not allowed extension, please upload images only');
}

// check the upload type
$pos = strpos($filetype, 'image');
if ($pos === false) {
    die('error 1');
}

// getimagesize() returns false when the file is not an image it can parse
$imageinfo = getimagesize($_FILES['my_files']['tmp_name']);
if ($imageinfo === false
    || ($imageinfo['mime'] != 'image/gif' &amp;&amp; $imageinfo['mime'] != 'image/jpeg'
        &amp;&amp; $imageinfo['mime'] != 'image/jpg' &amp;&amp; $imageinfo['mime'] != 'image/png')) {
    die('error 2');
}

// check double file type (image with comment)
if (substr_count($filetype, '/') &gt; 1) {
    die('error 3');
}

// upload to the upload directory, one sub-directory per day
$uploaddir = 'upload/' . date("Y-m-d") . '/';
if (!file_exists($uploaddir)) {
    mkdir($uploaddir, 0777);
}

// change the image name
$uploadfile = $uploaddir . md5(basename($_FILES['my_files']['name'])) . $file_ext;
if (move_uploaded_file($_FILES['my_files']['tmp_name'], $uploadfile)) {
    echo "&lt;img id=\"upload_id\" src=\"" . $uploadfile . "\"&gt;&lt;br /&gt;";
} else {
    echo "error";
}
</code></pre>
<p>Any new tips are welcome :)</p>
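The following is an added editorial example of the same upload handler written the way a security engineer would, not the asker's script and not an answer from this page. It keeps the form field name <code>my_files</code> from the question; everything else (the <code>STORE_DIR</code> path outside the document root, the <code>image.php</code> script that serves stored files, the 2 MB limit) is an assumption. It differs from the posted script in the points that matter: <code>$_FILES[...]['type']</code> and the client-supplied extension are never consulted, because the client controls both; the type is detected from content with <code>finfo</code> and cross-checked with <code>getimagesize()</code>; the image is re-encoded through GD so that anything appended to or embedded in the file (a PHP payload after a valid image header, script in EXIF) does not reach disk; the stored name is random rather than an MD5 of a name the uploader chose; the directory is created 0750 rather than 0777; and the file lives outside the web root, so no <code>.htaccess</code> rule is needed to stop it from executing. Requires PHP 8.0+ with the gd and fileinfo extensions.

```php
<?php
// Added example (editorial), not the asker's script. Assumes the form field is
// "my_files" (from the question) and that STORE_DIR is a writable directory
// outside the web server's document root (hypothetical path).
declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024;            // assumed size limit
const STORE_DIR = __DIR__ . '/../uploads';    // hypothetical: outside the web root

// MIME types detected from file CONTENT, mapped to the extension we assign.
// The extension the client supplied is deliberately ignored.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function fail(string $msg): void
{
    http_response_code(400);
    exit($msg);
}

if (!isset($_FILES['my_files']) || $_FILES['my_files']['error'] !== UPLOAD_ERR_OK) {
    fail('upload failed');
}
$tmp = $_FILES['my_files']['tmp_name'];

// 1. Only accept a file that PHP itself received via HTTP POST.
if (!is_uploaded_file($tmp)) {
    fail('not an uploaded file');
}

// 2. Size limit (also cap upload_max_filesize / post_max_size in php.ini).
if ($_FILES['my_files']['size'] > MAX_BYTES) {
    fail('too large');
}

// 3. Detect the type from content, two independent ways, and require agreement.
//    $_FILES['my_files']['type'] is sent by the client and is not used at all.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($tmp);
$info  = @getimagesize($tmp);
if ($info === false || !isset(ALLOWED[$mime]) || $info['mime'] !== $mime) {
    fail('not an allowed image');
}

// 4. Re-encode through GD. Trailing PHP code, EXIF payloads and
//    GIF-header-plus-PHP polyglots do not survive decode-then-encode.
$src = match ($mime) {
    'image/jpeg' => imagecreatefromjpeg($tmp),
    'image/png'  => imagecreatefrompng($tmp),
    'image/gif'  => imagecreatefromgif($tmp),
};
if ($src === false) {
    fail('could not decode image');
}

// 5. Server-chosen random name; extension derived from the detected type,
//    so the name can never carry ".php", ".phtml", a double extension, etc.
$name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
$dir  = STORE_DIR . '/' . date('Y-m-d');
if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
    fail('storage error');
}
$dest = $dir . '/' . $name;

$ok = match ($mime) {
    'image/jpeg' => imagejpeg($src, $dest, 90),
    'image/png'  => imagepng($src, $dest),
    'image/gif'  => imagegif($src, $dest),
};
imagedestroy($src);
if (!$ok) {
    fail('could not write image');
}
chmod($dest, 0640);

// The file sits outside the web root, so it is returned by a separate script
// (hypothetical image.php) that looks the name up, sends the Content-Type from
// ALLOWED and X-Content-Type-Options: nosniff, and never by the web server
// executing anything in the upload directory.
echo '<img src="/image.php?id=' . htmlspecialchars($name, ENT_QUOTES) . '">';
```

Two consequences of the re-encoding step are worth knowing before adopting it: all metadata is dropped (usually desirable for privacy), and animated GIFs are flattened to their first frame, so an application that must keep animation would instead store the original outside the web root and serve it only through the <code>nosniff</code> download script.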
