Upload validated files by php

Question

Upload validated files by php

Asked 8 years ago

Viewed 977 times

0

I have a script simple of upload of files by PHP.

This upload moves the files, which should be images, to a folder.

I can only accept images jpg, png egif`.

I just realized that there are images that they made upload with exploits, because it is not a valid image.

I am trying to make the files for upload more secure validations. If it does not pass validation, it should return an error.

I tried to use the [type] image/jpg, image/gif, image/png but still managed to do the upload

I also tried to use the

getimagesize($_FILES["imagem"]["tmp_name"])

but somehow they got around to it too.

Someone could help me ?

Follows my code of upload:

$foto_name=$_FILES["foto"]["name"];
$foto=$_FILES["foto"]["tmp_name"];                
if (preg_match("/(.)+(jpg|JPG|jpeg|JPEG|gif|GIF|png|PNG)/",$foto_name)){                    
  $pieces = explode(".", $foto_name);
  $ext=$pieces[1];
  $tempo=date('YMDHMShms');
  $fot="$foto_name"."$tempo";
  $fot2=md5($fot);
  $fot3= $_SESSION['logadu']['slug']."-$fot2".".$ext";
  @move_uploaded_file("$foto" , "img/$fot3") 
  or exit("<script>window.top.erroimg();</script>");
  img("img/$fot3","640","480");      

  echo "<script>window.top.adicionouimg();</script>";
} else {
  echo "<script>alert('Somente imagens .jpg .gif ou .png');</script>";
}

Put your code so we can analyze.

– Luiz Augusto Neto

2017/01/20 at 14:46
Your code is checking the extension. Where is the portion that checks the mime?

– Wallace Maxters

2017/01/20 at 15:09
1

Remembering that even with the extension .txt it is possible to have the mime image/png. mime takes into account the content, not the extension. Because I may have a jpg empty, and he would have the invalid mime.

– Wallace Maxters

2017/01/20 at 15:10
my mine I took because I didn’t know if it was working as they managed to bypass the original Cod

– Jasar Orion

2017/01/20 at 15:15

1 answer

Browser other questions tagged php security-guard validation

You are not signed in. Login or sign up in order to post.

by f1re • 26 points · Answer 1 · 2017-01-20T15:38:19+00:00

First I believe that you should create a class to manage the Upload of any file on the system, then you create a function within the class to take care of images. Within my class what allows to insert only PNG and JPG is this (I adapted to your code):

$Upload = false;
switch ($_FILES["foto"]["type"]) {

    case "image/jpg";
    case "image/jpeg";
    case "image/pjpeg";
        $Upload = true;
        break;
    case "image/png";
    case "image/x-png";
        $Upload = true;
        break;
};

if ($Upload) {
    $pieces = explode(".", $foto_name);
    $ext = $pieces[1];
    $tempo = date('YMDHMShms');
    $fot = "$foto_name" . "$tempo";
    $fot2 = md5($fot);
    $fot3 = $_SESSION['logadu']['slug'] . "-$fot2" . ".$ext";
    @move_uploaded_file("$foto", "img/$fot3")
            or exit("<script>window.top.erroimg();</script>");
    img("img/$fot3", "640", "480");

    echo "<script>window.top.adicionouimg();</script>";
} else {
    echo "<script>alert('Somente imagens .jpg .gif ou .png');</script>";
}

If you want to add other types take a look here https://secure.php.net/manual/en/function.image-type-to-mime-type.php. I prefer to use switch because I see better which types I’m allowing, making it easier to maintain, but you can use an array instead, then validate with in_array();