I've heard that the best way to handle uploaded images is to "re-process" them using the GD library and save the processed image. see: PHP image upload security check list
My question is how do this "re-processing" in GD? What this means exactly? I don't know the GD library very well and I'm afraid I will mess it up...
So if anyone who did this before could you give me an example for this?
(I know, another other option is to use ImageMagick. For ImageMagick I found an answer here: Remove EXIF data from JPG using PHP, but I can't use ImgMagick now. By the way.. removing EXIF data means completely recreate the image in this case?)
(I'm using Zend Framework if someone interested.)
If the user uploads a JPEG file, you could do something like this to reprocess it:
$newIm = #imagecreatefromjpeg($_FILES['file']['tmp_name']);
if (!$newIm) {
// gd could not create an image from the source
// most likely, the file was not a valid jpeg image
}
You could then discard the $newIm image using imagedestroy() and use the uploaded file from the user, or save out the image from GD and use that. There could be some issues with saving the GD image as it is not the original image.
Another simple method would be to check the header (first several bytes) of the image file to make sure it is correct; for example all JPEG files begin with 0xff 0xd8.
See also imagecreatefromstring(), and you can also use getimagesize() to run similar checks on the uploaded image.
function isvalidjpeg($file)
{
$finfo = finfo_open(FILEINFO_MIME_TYPE);
return is_resource($finfo) &&
(finfo_file($finfo, $file) === 'image/jpeg') &&
finfo_close($finfo);
}
if(isvalidjpeg($_FILES['file']['tmp_name'])) {
$newIm = #imagecreatefromjpeg($_FILES['file']['tmp_name']); .....
Related
I have a site with about 1500 JPEG images, and I want to compress them all. Going through the directories is not a problem, but I cannot seem to find a function that compresses a JPEG that is already on the server (I don't want to upload a new one), and replaces the old one.
Does PHP have a built in function for this? If not, how do I read the JPEG from the folder into the script?
Thanks.
you're not telling if you're using GD, so i assume this.
$img = imagecreatefromjpeg("myimage.jpg"); // load the image-to-be-saved
// 50 is quality; change from 0 (worst quality,smaller file) - 100 (best quality)
imagejpeg($img,"myimage_new.jpg",50);
unlink("myimage.jpg"); // remove the old image
I prefer using the IMagick extension for working with images. GD uses too much memory, especially for larger files. Here's a code snippet by Charles Hall in the PHP manual:
$img = new Imagick();
$img->readImage($src);
$img->setImageCompression(Imagick::COMPRESSION_JPEG);
$img->setImageCompressionQuality(90);
$img->stripImage();
$img->writeImage($dest);
$img->clean();
You will need to use the php gd library for that... Most servers have it installed by default. There are a lot of examples out there if you search for 'resize image php gd'.
For instance have a look at this page http://911-need-code-help.blogspot.nl/2008/10/resize-images-using-phpgd-library.html
The solution provided by vlzvl works well. However, using this solution, you can also overwrite an image by changing the order of the code.
$image = imagecreatefromjpeg("image.jpg");
unlink("image.jpg");
imagejpeg($image,"image.jpg",50);
This allows you to compress a pre-existing image and store it in the same location with the same filename.
I'm using GD to create jpegs from files that a user uploads.
What is the best way to validate that the image the user has uploaded is valid?
By valid I mean that the file is not a corrupt image that GD won't like, I do extension testing client side so they can only upload jpegs/gifs/pngs.
Thanks
You could use getimagesize. It will return FALSE if the image could not be loaded. It has support for most image types.
getImageSize would be your best choice but, be careful, if the file results are not valid you will get a warning. Using # before built in imagesize function will be ideal.
I am getting this Premature end of JPEG file error while resizing some of the images. Interesting and strange part is that i am getting this error only when i upload any camera taken images, like from mobile, other than those every thing works great. I thought this could be because of the chunk size used in plupload. So, i uploaded with larger sized image to somewhat like 3mb to test. Works fine with images other than camera taken images. So, whenever i upload camera pics i get this error.
Further elaborations on the error: php function imagecreatefromjpeg is throwing an error "imgname.jpg is not a valid JPEG file".
To resize images i am using Codeigniter's image Manipulation Class.
Based on what you have provided, I can only give you my deductions.
Camera images are usually very big. I suggest that you try to resize the camera images and see if it works.
What is your PHP version? There is a bug related to this: https://bugs.php.net/bug.php?id=29878
Please also check if your JPEG files are in RGB format. Somewhere in the manual mentioned that it could not properly load CMYK for certain versions of the GD library.
Are you open to using another class? I use this class to resize images and have not encountered any problems with it for years.
Resizing images is as easy as:
<?php
include('SimpleImage.php');
$image = new SimpleImage();
$image->load('picture.jpg');
$image->resizeToHeight(500);
$image->save('picture2.jpg');
$image->resizeToHeight(200);
$image->save('picture3.jpg');
?>
If all the suggestions did not work out, you can try using ImageMagick.
Also "Premature end of JPEG file" it's a general software error if image content is not complete. Software determines it by color of last pixel.
I've get 'Premature end of JPEG file' from tesseract(Open Source OCR Engine) because file was not copied properly through network.
did you found that sometimes it hang the php when imagecreatefromjpeg() run on bad JPEG. I found that this is cause by the JPEG file U used dont have EOI (end of image)
the FF D9 at the end of your JPEG
JPEG image should start with 0xFFD8 and end with 0xFFD9
// this may help to fix the error
function check_jpeg($f, $fix=false )
{
# check for jpeg file header and footer - also try to fix it
if ( false !== (#$fd = fopen($f, 'r+b' )) ){
if ( fread($fd,2)==chr(255).chr(216) ){
fseek ( $fd, -2, SEEK_END );
if ( fread($fd,2)==chr(255).chr(217) ){
fclose($fd);
return true;
}else{
if ( $fix && fwrite($fd,chr(255).chr(217)) ){return true;}
fclose($fd);
return false;
}
}else{fclose($fd); return false;}
}else{
return false;
}
}
You can set default value of gd.jpeg_ignore_warning=1 in php.ini
OR
You can set it like this ini_set('gd.jpeg_ignore_warning', true); in your PHP script before calling imagecreatefromjpeg()
After implementing any of the above, GD Library will ignore the error where it use to fail and imagecreatefromjpeg() will return an image resource identifier.
Note: In PHP 7.1.0 the default value of gd.jpeg_ignore_warning has been changed from 0 to 1.
Reference
I'm working on a project where I upload an image (jpg) and manipulate it using the PHP GD library.
I know that I can use GD functions to edit an image resource (created from imagecreatefromjpeg()) but I was wondering if there was a way I could use the file uploaded in the $_FILES array directly with the GD library. One solution I thought of was saving the uploaded file, pushing it into imagecreatefromjpeg, then deleting it afterwards.
This seems cluinky though, is there a more efficient solution?
I'm still a bit new to PHP so I'm not sure as to how files are stored in the $_FILES array. I hope I'm making sense here. Thanks.
You can simply do this:
$img = imagecreatefromjpeg($_FILES['image']['tmp_name']);
// do gd operations on $img
imagejpeg($img, '/path/to/target');
You'll have to use imagecreatefrom in some form or another, and you can use it directly on the uploaded file. Then just save the result of your manipulations using imagejpeg. The uploaded file in tmp_name will we thrown away automatically.
Having said that, you should save the original somewhere. It's always good to have it around for later use.
I'm implementing a user-based image uploading tool for my website. The system should allow any users to upload JPEG and PNG files only. I'm, of course, worried about security and so I'm wondering how the many smarter people than myself feel about the following checks for allowing uploads:
1) First white list the allowable file extensions in PHP to allow only PNG, png, jpg, JPG and JPEG. Retrieve the user's file's extension via a function such as:
return end(explode(".", $filename));
This should help disallow the user from uploading something malicious like .png.php. If this passes, move to step 2.
2) Run the php function getimageize() on the TMP file. Via something like:
getimagesize($_FILES['userfile']['tmp_name']);
If this does not return false, proceed.
3) Ensure a .htaccess file is placed within the uploads directory so that any files within this directory cannot parse PHP files:
php_admin_value engine Off
4) Rename the user's file to something pre-determined. I.E.
$filename = 'some_pre_determined_unique_value' . $the_file_extension;
This will also help prevent SQL injection as the filename will be the only user-determined variable in any queries used.
If I perform the above, how vulnerable for attack am I still? Before accepting a file I should hopefully have 1) only allowed jpgs and pngs, 2) Verified that PHP says it's a valid image, 3) disabled the directory the images are in from executing .php files and 4) renamed the users file to something unique.
Thanks,
Regarding file names, random names are definitely a good idea and take away a lot of headaches.
If you want to make totally sure the content is clean, consider using GD or ImageMagick to copy the incoming image 1:1 into a new, empty one.
That will slightly diminish image quality because content gets compressed twice, but it will remove any EXIF information present in the original image. Users are often not even aware how much info gets put into the Metadata section of JPG files! Camera info, position, times, software used... It's good policy for sites that host images to remove that info for the user.
Also, copying the image will probably get rid of most exploits that use faulty image data to cause overflows in the viewer software, and inject malicious code. Such manipulated images will probably simply turn out unreadable for GD.
Regarding your number 2), don't just check for FALSE. getimagesize will also return the mime type of the image. This is by far a more secure way to check proper image type than looking at the mime type the client supplies:
$info = getimagesize($_FILES['userfile']['tmp_name']);
if ($info === FALSE) {
die("Couldn't read image");
}
if (($info[2] !== IMAGETYPE_PNG) && ($info[2] !== IMAGETYPE_JPEG)) {
die("Not a JPEG or PNG");
}
All the checks seem good, number 3 in particular. If performance is not an issue, or you are doing this in the background, you could try accessing the image using GD and seeing if it is indeed an image and not just a bunch of crap that someone is trying to fill your server with.
Concerning No. 2, I read on php.net (documentation of the function getimagesize() ):
Do not use getimagesize() to check that a given file is a valid image. Use a purpose-built solution such as the Fileinfo extension instead.