Comments on: Securing Uploaded Image Files http://www.charles-reace.com/blog/2008/08/05/securing-uploaded-image-files/ Charles Reace's blog about PHP, MySQL, and life in general Mon, 22 Aug 2011 17:18:05 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: cwreace http://www.charles-reace.com/blog/2008/08/05/securing-uploaded-image-files/comment-page-1/#comment-13 cwreace Wed, 20 Aug 2008 05:34:42 +0000 http://www.charles-reace.com/blog/?p=48#comment-13 Good point, Hayley. I guess that needs to factor into one's decision whether or not to do such "sanitizing". Good point, Hayley. I guess that needs to factor into one’s decision whether or not to do such “sanitizing”.

]]> By: Hayley Watson http://www.charles-reace.com/blog/2008/08/05/securing-uploaded-image-files/comment-page-1/#comment-12 Hayley Watson Tue, 19 Aug 2008 10:45:19 +0000 http://www.charles-reace.com/blog/?p=48#comment-12 That would strip out all other embedded metadata too: JPEG EXIF data, PNG tEXt blocks. That would strip out all other embedded metadata too: JPEG EXIF data, PNG tEXt blocks.

]]> By: cwreace http://www.charles-reace.com/blog/2008/08/05/securing-uploaded-image-files/comment-page-1/#comment-11 cwreace Thu, 07 Aug 2008 01:21:45 +0000 http://www.charles-reace.com/blog/?p=48#comment-11 Hi, Znupi. Thanks for posting your function. I'll have to take a closer look at it when I get a chance. Ultimately, I'd probably want to combine it with something akin to what I did to further limit the allowed image types, as I may not ultimately want to allow all types that my GD installation supports; but it's definitely a good idea to ensure that GD supports any image type that I want to allow. :) Hi, Znupi. Thanks for posting your function. I’ll have to take a closer look at it when I get a chance. Ultimately, I’d probably want to combine it with something akin to what I did to further limit the allowed image types, as I may not ultimately want to allow all types that my GD installation supports; but it’s definitely a good idea to ensure that GD supports any image type that I want to allow. :)

]]> By: Znupi http://www.charles-reace.com/blog/2008/08/05/securing-uploaded-image-files/comment-page-1/#comment-10 Znupi Tue, 05 Aug 2008 19:20:54 +0000 http://www.charles-reace.com/blog/?p=48#comment-10 Interesting, but I have one thing to say: you shouldn't just test if the image is a gif, a png or a jpg. You should test if the GD library can actually open it. Here's a little function I use in order to open images only if they are compatible with the GD version on the server: <code> function loadImage($path) { if (!file_exists($path)) return false; list(,,$imageType) = getImageSize($path); if (!(imagetypes() & $imageType)) return false; return imageCreateFromString(file_get_contents($path)); } </code> Oh, and why do you use list($unused, $type) when you can simply use list( , $type) ? Interesting, but I have one thing to say: you shouldn’t just test if the image is a gif, a png or a jpg. You should test if the GD library can actually open it. Here’s a little function I use in order to open images only if they are compatible with the GD version on the server:

function loadImage($path) {
if (!file_exists($path)) return false;
list(,,$imageType) = getImageSize($path);
if (!(imagetypes() & $imageType)) return false;
return imageCreateFromString(file_get_contents($path));
}

Oh, and why do you use list($unused, $type) when you can simply use list( , $type) ?

]]>