I would like to have a check whether an uploaded file sent via email and not saved in the DB, allow only the following extensions.
Is this something secure?
$allowed = array('pdf','doc');
$filename = $_FILES['video_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if(!in_array($ext,$allowed) ) {
echo 'error';
}
No it isn't (a file could have two extensions : image.php.jpg).
If you are planning to upload only images, one good thing is to try to get image size with getimagesize and remove it from temp folder if it returns false
Related
I have written a php script which checks the image file for its extension, such as JPG, JPEG, PNG, GIF, uploaded through an HTML form.
Now comes my problem: anyone may upload any kind of file by giving it an extension of JPG, JPEG, PNG, GIF.
Can someone help me on that? One should strictly be able to upload only an image file and not any other file which carries just extension of Image file.
I tried hard... but failed... Here is the php script I have written
CHECK MY FULL CODE I HAVE WRITTEN & ITS WORKING FINE BUT WHEN I CHANGE ANY FILE EXTENSION WITH IMAGE EXTENSION ITS ALLOWING UPLOAD ON SERVER WHICH IS NOT SERCURE PLEASE SEE THIS FULL CODE AND ADD SOLUTION , THIS WILL HELP OTHERS TOO -THANK YOU https://www.dropbox.com/s/prza75dyo7usjqy/secure%20image%20upload%20with%20checking%20extension.txt?dl=0
if (isset($_POST['submit']))
$filename = $_FILES["file"]["name"];
$file_basename = substr($filename, 0, strripos($filename, '.')); // get file extention
$file_ext = substr($filename, strripos($filename, '.')); // get file name
$filesize = $_FILES["file"]["size"];
$allowed_file_types = array('.jpg','.png','.jpeg','.gif');
//instead of allowed file type i want to check image authenticity with MIME
if (in_array($file_ext,$allowed_file_types) && ($filesize < 100000))
You should use the fileinfo API, which makes you able to check a file MIME content-type by looking at its bytes, not its name.
An image MIME type always starts with image/, for example image/png.
$finfo = new finfo();
$mimeType = $finfo->file($_FILES['file']['tmp_name'], FILEINFO_MIME_TYPE);
$isImage = strpos($mimeType, 'image/') === 0;
If you want to be very restrictive on your allowed images, check the list of available MIME types.
Edit: be more specific
if (isset($_POST['submit'])) {
$filename = $_FILES["file"]["tmp_name"];
$filesize = $_FILES["file"]["size"];
$allowed_file_types = array('image/jpeg','image/png','image/gif');
$finfo = new finfo();
$mimeType = $finfo->file($filename, FILEINFO_MIME_TYPE);
$isImage = in_array($mimeType, $allowed_file_types);
if ($isImage && $filesize < 100000) {
The most secure way to check if something is really an image, is to open the file as an image and then re-generate it.
Things that are valid images can still carry loads of other information and sometimes can trick whatever is reading it. So the most safe thing is to take the pixels from the image, and regenerate it.
Extensions like fileinfo only check the first few bytes for a marker, but it's not 100% reliable. It might be good enough for you
I have REST API written in PHP and base on Slim Framework.
use Slim\Http\UploadedFile;
$uploadedFiles = $request->getUploadedFiles();
$uploadedFile = $uploadedFiles['myFileName'];
How should i protect file uploading script? I want not only to set limits to file size but also protect my web server from uploading anything except images (jpg, png). What are the best practices for file uploading scripts in Slim?
You can limit the upload filesize limit in your server's php.ini, simply change the value of the upload_max_filesize directive to the maximum limit you want.
As for only allowing certain filetypes, you can achieve this using something like the following:
<?php
$extension = pathinfo($uploadedFile, PATHINFO_EXTENSION);
$allowed = ["image/jpeg", "image/png"];
if(!in_array($extension, $allowed)) {
$error = "File type is not allowed!";
}
I'm trying to add the file extension to my file during upload. Since i'm finding it hard to do, i've already hard coded it to in small case .jpeg in my script. How do i get rid of the hard coded file extension and dynamically replace it with the original uploaded one because it could be gif, pdf etc.
<?php
$def_date=strtotime(date('Y-m-d H:i:s'));
$rename = "gwcl_".rand(0,1000000000000).$def_date.".jpg";
$file_loc = $_FILES['file']['tmp_name'];
$folder="../complains_photos/";
$new_file_name = strtolower($rename);
move_uploaded_file($file_loc,$folder.$new_file_name);
echo $new_file_name
?>
$_FILES['file']['tmp_name'] that you're using contains a temporary filename for the uploaded file. But if you want the original filename, including extension, then use $_FILES['file']['name'].
I want to ask, if I have a web form, and people use it to upload something to my db. If 2 persons uploaded the same file with the same name, in the uploads directory, one of them will replace the other. So I need to change the name of every file uploaded to db to : filename201405051200.pdf or jpg or...
Here we have the filename per example image1 and the numbers are the date and time of the uploads. So any help. I am using the code shown as an answer in the link below:
Uploading blob files/images into Mysql
I used this code:
$path = "../uploads/".$_FILES['file']['name'];
if(move_uploaded_file($_FILES["file"]["tmp_name"], $path.'_'.time())){
...
}
but now the format type of the file is replaced by the time. So if it is img.jpg it is now img85890338jpg and wont open properly
You can use pathinfo to extract the file extension:
$fileExt = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
After that you can create your new file name:
if(move_uploaded_file($_FILES["file"]["tmp_name"], $path.'_'.time().date().'.'.$fileExt)) {
}
I know this topic is widely talked about. I've done my research, and decided to store image files onto the server instead of the DB as a blob file. The problem that I am having is trying to figure out the best way to upload the file, store it in a designated folder then storing the destination in the db..say../img/something.jpg - I've tried looking through many resources but most of them are missing some important steps in the process.
Problems:
Finding a secure way for uploading the img file
Limiting the file
size Uploading the image to a destination file
Storing the destination file as a text in the DB
I'm using PHP and MySQL.
Dunno what all your points about, but what you really have to be concerned with is
check for the file extension.
extract it from the filename and compare with allowed ones.
also it would be good to check filename to have only one dot, or at least it doesn't have a name like name.html.jpg, due to some odd Apache behavior.
check for the file contents. the best way would be to create a brand new image out of the uploaded one.
take usual precautions while working with DB.
Here you go, this covers the basic ideas of what you want to do:
<?php
$allowedTypes = array("image/jpg", "image/jpeg", "image/png");
$maxSize = 3 * 1024 * 1024; // 3Mb
$fileType = $_FILES["file"]["type"];
$fileSize = $_FILES["file"]["size"];
// check if there was an error
if ($_FILES["file"]["error"] > 0)
{
die($_FILES["file"]["error"]);
}
// check if the filetype is valid
if (!in_array($fileType, $allowedTypes))
{
die("Invalid file type: $fileType");
}
// check if the size doesn't exceed the limitations
if ($fileSize > $maxSize)
{
die("The file was too big: $fileSize");
}
$name = $_FILES["file"]["name"];
$tmpfile = $_FILES["file"]["tmp_name"];
// check if the filename is valid
if (preg_match("/[\w-]+\.(jpg|jpeg|png)$/", $name) != 1)
{
die("Invalid file name: $name");
}
// create unique name if needed
$path = "/var/www/images/" . $name;
move_uploaded_file($tmpfile, $path);
// add the filepath to mysql
mysql_connect("localhost", "username", "password");
mysql_select_db("imagedb");
mysql_query("INSERT INTO images (Location, Size) VALUES ('$path', '$size');");
?>
This is meant to show how it could be done.
read this
personally I'd use imgur which is used here on stackexchange websites