I am making a PHP image uploader using the Zend Framework which will upload images to a public directory for people to be able to freely access.
I have so far implemented these measures for security:
- File size validation
- Extension validation
- MimeType validation
- Upon successful validation file is renamed with a image extension in a public folder, i.e. /images/uploads/...
Is this enough security? Can't run it through some antivirus script can you (is this required)?
The file extension and the mime type can be easily faked. Use getimagesize() to see if it really is an image.
you shouldnt be saving your uploads in the public folder at all!
you should save them in a private directory, and use a view helper to load the images for you
Related
I'm lapiz new to codeigniter and some functions in php
I'm here to ask again something that's bothering me in uploading files
I tried searching for do_upload vs move_uploaded_file but I didn't get a good response or clear explanation.
What's the difference between "do_upload" from "move_uploaded_file" when it comes in uploading files using php?
I've been using move_uploaded_file mostly since I'm used in programming native PHP, but I saw in a tuts(tutorial)of codeigniter the term "do_upload" this is new to my eyes and ears so maybe someone can explain it briefly?
Actually move_uploaded_file is a core PHP function that helps you to upload files.
And there is Codeigniter's file upload library's method do_upload which also helps you to upload files.
When you are using Codeigniter and you want more than just uploading the file (like you want the file type restrictions, size restriction, maintain uploaded file renaming etc.) with ease then Codigniter's do_upload method (i mean Upload library) will be more handy.
You can see the documentation to know more about Codeigniter's upload library.
https://www.codeigniter.com/user_guide/libraries/file_uploading.html#the-controller
I want to upload file in laravel, I am using only local server and but not any cloud storage.
From doc,I found two methods related with file upload,
Normal method (Request::file('file')->move(dest,filename))
Using File system
But I could not understand actual difference between these methods?
If I am using normal method,
$file->move('path', $fileName);
Here where should be path located,storage/app or public/uploads(new)?
How can I upload files using File System ?
The "normal" method allows you to save the uploaded file only in the local filesystem in any place you choose, as long as PHP has write access to that location. This method can only be used for "save" operation and only for uploaded files.
The "filesystem" method is more flexible as it adds a layer of abstraction over the place you write to. Filesystem configuration is stored in a separate config and is transparent to your code. You can easily change the underlying storage (e.g. from local to cloud) or change paths without any changes to the code. The filesystem also gives you a lot of additional helper methods to operate on files it store, like list all files, checking existence, removing. Additional advantage is that it can be used to any files, not only the ones uploaded by the user during current request.
Answering your second question: you decide where to store files in both normal and filesystem method. In the normal method you pass the path, in filesystem you configure the paths using filesystems.php config.
And how to upload the file using File systems? You don't use the filesystem to upload the file, you use it to save the uploaded file. The upload process is the same, but instead of calling $uploadedFile->move() you do:
Storage::put('file key', file_get_contents(Request::file('file')->getRealPath()));
the difference between these two methods is about usage.
You use the "File System" service to work on your local/cloud file system, like creating, moving or deleting file. You could use the Storage::put() method to store the uploaded file, of course, but you would have to get the file from the request either way. So you normally just use the $request->file('photo')->move($destinationPath); method as specified in http://laravel.com/docs/5.1/requests#files to move the file where you want it to be. The File system service is not meant to handle uploads itself. That is what the Request is for.
The question about where you put the files is one you have to answer yourself. The default path for storing files is storage/app. You can put them to public/uploads but it is discouraged as anyone knowing the URL can download the files. It really depends on what the file is meant to. If it is a say profile picture then it can be put in public/uploads. Is the file private then is should not be put there but instead in storage/app.
I have created a login form with captcha image. It works well on my windows operating system. When I uploaded it to the server captcha image is not displayed. CI creates the image but cannot write it into captcha directory (CHMOD = 755) bacuse of permission settings. When I set CHMOD value of the directory to 777 (which I should not) it works well.
Here there is a question similar to mine but proposed and accepted answer is not secure, I guess.
How can I say CI to write the file that it created into the directory using ftp credentials on the fly or is there another way?
I am afraid of encountering further problems like file upload operations (like profile picture change, attachments to the announcements) by the users.
I got around the permission problem by not writing a file at all.
I modified the library in system/plugins/captcha_pi.php to return the image data for inline inclusion. The other return values are the same (timestamp and captcha phrase).
So instead of writing to a file, it returns the inline image content instead.
I'm trying to set up a file upload for my website but I'm not sure what I'd need to get this to work overall. I'm trying to use Jquery File Upload but I can't seem to get the files to upload to my server. It looks like I might need something else to get it to run but I'm not sure what. Any suggestions?
There are three "sides" to a file upload.
First is client-side: You need to have a form that can upload files (so you need to set the enctype attribute of your form element, and set your action to post).
Second is server-side: You need something that can handle the file upload. Assuming you're using a server with PHP, you can access the file via $_FILES['filename']. Google has a vast array of example for handling file uploads.
Third is server-side (again) - your server must allow file uploads. Not only must it allow file uploads, but it restricts the size of the file that can be uploaded (php config).
However, it looks like jquery file upload has a PHP file handler.
I will sugest you use dreamweaver its easy to use expecially to upload files to the web n you can also see the steps needed in its help content. or you may download an ftp uploader
I want to implement validation on image files (.jpg, .png, .gif) in such a way that if a user changes the extension of html into jpeg then the system will restrict him that this file is in an invalid format. I have implement the validation on file extension, but I want to implement this validation as well.
And I am uploading video (.wav, .flv, .mp4) and audio (.mp3) files as well, and if someone upload file with wrong extension, the system will restrict him. How I can do this?
tried finfo_file - required pecl fileinfo, php 5.3 and above,
this function will return a REAL mime type of an uploaded file,
based on this info, you can do comparison and blocking any unwanted extension (mime)