I have a simple PHP file upload script.
This upload moves the files, which should be images, to a folder.
I can only accept `jpg`, `png` and `gif` images.
I just realized that there are images that they uploaded with exploits, because it is not a valid image.
I am trying to make the validations for file upload more secure. If it does not pass validation, it should return an error.
I tried to use `[type]` with `image/jpg`, `image/gif`, `image/png`, but they still managed to upload.
I also tried to use `getimagesize($_FILES["imagem"]["tmp_name"])`, but somehow they got around that too.
Can someone help me?
Here is my upload code:
```php
<?php
// Original upload handler as posted. img() is the author's own helper
// (defined elsewhere); $_SESSION['logadu']['slug'] identifies the logged-in user.
$foto_name = $_FILES["foto"]["name"];
$foto      = $_FILES["foto"]["tmp_name"];

// Only the client-supplied file name is checked; the file content is never inspected.
if (preg_match("/(.)+(jpg|JPG|jpeg|JPEG|gif|GIF|png|PNG)/", $foto_name)) {
    $pieces = explode(".", $foto_name);
    $ext    = $pieces[1];
    $tempo  = date('YMDHMShms');
    $fot    = "$foto_name" . "$tempo";
    $fot2   = md5($fot);
    $fot3   = $_SESSION['logadu']['slug'] . "-$fot2" . ".$ext";

    @move_uploaded_file("$foto", "img/$fot3")
        or exit("<script>window.top.erroimg();</script>");

    img("img/$fot3", "640", "480");
    echo "<script>window.top.adicionouimg();</script>";
} else {
    echo "<script>alert('Somente imagens .jpg .gif ou .png');</script>";
}
```
Post your code so we can analyze it.
– Luiz Augusto Neto
Your code is checking the extension. Where is the part that checks the MIME type?
– Wallace Maxters
Remember that even with the extension `.txt` it is possible to have the MIME type `image/png`. The MIME type takes the content into account, not the extension. Because I could have an empty `jpg`, and it would have an invalid MIME type. – Wallace Maxters
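The point raised in the question (the `[type]` and `getimagesize()` checks were bypassed) and in the comment above (the MIME type must come from the content, not the name) is illustrated by the following handler. This is an added example, not code from the original post or from any of the commenters. It assumes the form field is `foto`, that the `img/` directory exists and is writable, that the `fileinfo` and GD extensions are loaded, and PHP 8 or later (for `match`). The idea is to ignore everything the client sent about the file (name, extension, `$_FILES['type']`), sniff the type from the bytes on disk, cross-check it with `getimagesize()`, decode the image with GD and write a fresh copy under a server-chosen name, so that any payload hidden inside or after the image data is discarded.

```php
<?php
// Added example: content-based validation of an uploaded image, followed by
// re-encoding with GD. Assumes field "foto", a writable "img/" directory,
// the fileinfo and GD extensions, and PHP >= 8.0.
declare(strict_types=1);

const MAX_BYTES = 5 * 1024 * 1024; // assumed limit; adjust to your needs

// Accepted MIME types as detected from content. The stored extension is taken
// from this table, never from the name the browser sent.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validates one $_FILES entry and returns the path of the re-encoded copy.
 * Throws RuntimeException on any failure so the caller can report an error.
 */
function store_uploaded_image(array $file, string $dir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed (error code ' . ($file['error'] ?? 'n/a') . ')');
    }
    $tmp = $file['tmp_name'];

    // Reject anything that did not arrive through this HTTP POST.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file is empty or too large');
    }

    // 1. Sniff the MIME type from the bytes on disk; $file['type'] is ignored
    //    because the client controls it.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("rejected MIME type: $mime");
    }

    // 2. Cross-check: getimagesize() must agree with the sniffed type.
    $info = @getimagesize($tmp);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('image header does not match detected type');
    }

    // 3. Fully decode the image. A file that only carries a valid-looking
    //    header (for example a script prefixed with a magic number) should
    //    fail here rather than be accepted on the header alone.
    $img = match ($mime) {
        'image/jpeg' => @imagecreatefromjpeg($tmp),
        'image/png'  => @imagecreatefrompng($tmp),
        'image/gif'  => @imagecreatefromgif($tmp),
    };
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // 4. Write a new file from the decoded pixels under a random name chosen
    //    by the server. Re-encoding drops EXIF data, comments and any bytes
    //    appended after the image data.
    $ext  = ALLOWED[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    $ok = match ($mime) {
        'image/jpeg' => imagejpeg($img, $dest, 90),
        'image/png'  => imagepng($img, $dest),
        'image/gif'  => imagegif($img, $dest),
    };
    imagedestroy($img);
    @unlink($tmp); // the original upload is never kept
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    return $dest;
}

// Usage in the upload handler for the "foto" field.
try {
    $path = store_uploaded_image($_FILES['foto'], 'img');
    echo "<script>window.top.adicionouimg();</script>";
} catch (RuntimeException $e) {
    error_log('upload rejected: ' . $e->getMessage());
    echo "<script>window.top.erroimg();</script>";
}
```

Two things to keep in mind with this approach: re-encoding flattens animated GIFs and recompresses JPEGs, which is usually acceptable for user avatars and photos; and the upload directory should additionally be configured so the web server never executes files stored there (for example by disabling the PHP handler for `img/`), since content checks reduce risk but do not replace that server-side control.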
My MIME check I removed because I didn't know if it was working, as they managed to bypass the original code.
– Jasar Orion