Users of my PHP webapp are permitted to upload PNG and JPEG images. Upload algorithm is following:
check extension by file name parsing
check extension by getimagesize()
recreate image by imagecreatefrompng()/imagepng() (imagecreatefromjpeg()/imagejpeg())
rename image
save to filesystem
Image recreation is used for security. Everything works fine. But now i need this algorithm to handle .ico files. It seems like GD doesn't work with .ico (there is no function like imagecreatefromico()), so i don`t know how to implement step 3 of my algorithm.
Thanks for any help or advice.
See https://github.com/lordelph/icofileloader for a composer-installable class which can load .ico files into a GD image.
For example:
$loader = new Elphin\IcoFileLoader\IcoFileService;
$im = $loader->extractIcon('/path/to/icon.ico', 32, 32);
See documentation for other methods of analysing and extracting images from the icon file.
Related
I have a upload image function on my web app, I tried to upload a php file with a code like this <script>alert('XSS')</script> the file is hack.php.jpg then, I upload it and it is uploaded, my fear of this is that, will the script will run and return something to the malicious user or it will ignore the script inside of the .jpg ? Here are the list of function of my upload image:
1) It will rename the image then will be saved on the folder.
2) only accepted extensions are jpg, png, jpeg .
3) file size < 1000000.
4) uniqid() used for renaming the name of the img.
5) I use unlink() and move_upload_file() for saving the img and deleting the img on the folder.
6) my <form> enctype is multipart/form-data and accept="image/*".
I learned my code in codecourse php upload file video.
How do you parse the extension of the file?
Ideally, you completely rename the file. For example to "randomhash.jpeg/jpg/png". That way it is impossible for it to ever contain the ".php" extension.
Another thing you can do is disable PHP code execution (in nginx or Apache) in the folder where you store your images.
You can also additionally make use of the functions getimagesize and exif_imagetype to check for it being a valid image. Just keep in mind that those functions are not foolproof.
I am creating thumbnails of image using phpthumb, its working fine for other formates except bmp file. The Method GenerateThumbnail() returning false with bmp image.
Do I need to set any parameter for the this.
You need to install imagemagick for the plugin to be able to handle bmp files.
http://phpthumb.sourceforge.net/
I want to implement validation on image files (.jpg, .png, .gif) in such a way that if a user changes the extension of html into jpeg then the system will restrict him that this file is in an invalid format. I have implement the validation on file extension, but I want to implement this validation as well.
And I am uploading video (.wav, .flv, .mp4) and audio (.mp3) files as well, and if someone upload file with wrong extension, the system will restrict him. How I can do this?
tried finfo_file - required pecl fileinfo, php 5.3 and above,
this function will return a REAL mime type of an uploaded file,
based on this info, you can do comparison and blocking any unwanted extension (mime)
How can I upload pdf files after scanning it through scanner feeder ? I am using OCX
plugin to upload images to server, but in the application I am working on, I have to upload PDF document to server. Can you suggest me plugin or library even if is not free, I will be very thankful.
To quote my comment
With PHP I'm pretty sure this isn't possible, how about getting the user to scan the PDF and then upload the PDF?
For example you could just get them to scan all the PDF's as .jpeg's or even .pdf's and then upload them as normal.
However you could look at ActiveX plugins for internet explorer that support this.
http://www.codeproject.com/Articles/45241/How-to-Scan-Tiff-and-PDF-from-the-Web
Or third party software that uploads via FTP to a web server:
http://www.z-scan2send.com/scan-to-web.html
For Chestysoft's csXImage I don't think a plugin with PDF support exists, however it can write PDF's. See http://www.chestysoft.com/ximage/manual.htm#sect1.8.9
csXImage can save images to PDF files. The images are always saved one per page, with the page size set equal to the image size.
And further up the manual:
The following file types are supported: .bmp, .gif, .jpg, .jpeg, .jpe, .png, .wbmp, .wbm, .pcx, .psd, .tif and .tiff.
Is it "good" to change an image file extension?
For instance, I have a jpg file inputed, and I change it to a png. Is this OK or should I leave it as a jpg?
I use the rename() to change the name and the file extension.
It is related to PHP, because I do my renaming with PHP with a upload script.
Another question is: Is it safe to do it e.g can the files become corrupt?
Changing an image file extension from .jpg to .png does not change it to a PNG file. It just changes the name of the file. This does not change the contents of the file at all, so it does not become corrupt. It only changes the name of it.
Leave file names with the appropriate extension, or you will confuse everyone, including yourself.
No, the file cannot become corrupt... a file name is just the name.
Never allow users to dictate the names of files on your system. No matter what they upload, rename it to something with no extension, and store the files outside of the web server's doc root. You don't want them uploading .php scripts and what not.
Changing the extension of file is just renaming it. The extension serves the purpose of merely defining the data type that the file contains.
Renaming a JPEG file into a PNG is therefore a very bad idea. Although some image viewers may still be able to figure out that your PNG is actually JPEG and view it correctly, others will not.
Use ImageMagick or GD 2 to do any image conversions in PHP.