
Is this safe?


Goat


I was wondering if there are any vulnerabilities in this code:

<?php
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>

because I know attackers can put a virus in images and I don't want any viruses on my website.


Also, I wanted to know one more thing: how could I make it so that users can only upload an image of a certain size, like 50x50?


The code used in this thread came from this page: https://www.w3schools.com/php/php_file_upload.asp


The getimagesize() function right in your code will tell you the size of the uploaded image.


Hackers can put anything they want in an image, but since the image is not an executable file it won't do anything. Make sure that the uploaded file name has a known file extension. As long as the extension is of an image type, programs will not execute the file.


Hackers can put anything they want in an image, but since the image is not an executable file it won't do anything.

Assuming that they aren't trying to exploit some buffer overflow or something in the browser's image library. I remember an IE PNG buffer overflow from years ago, but yeah beyond things like that the browser shouldn't allow anything to execute when it's just displaying an image.


because I know attackers can put a virus in images and I don't want any viruses on my website.

If you want to protect from viruses then figure out if there's a command-line virus scanner installed on your server that you can execute through PHP to scan the uploaded file.


Other than that, I'm not a big fan of the file upload example on the w3schools site because it doesn't use the error codes supplied by PHP. There's a whole list of them:


http://php.net/manual/en/features.file-upload.errors.php


That would be in $_FILES["fileToUpload"]["error"], but they never use it. It will hold one of the values listed on that page, which tells you what the issue was. If the value is UPLOAD_ERR_OK then there is no error and you can process the file with the code above; otherwise PHP is telling you there was a problem with the upload.
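Pulling together the two points made in the replies above (use getimagesize() for the 50x50 question, and check $_FILES[...]["error"] before doing anything else), here is an added example of a stricter handler. It is not the thread's code and not the w3schools code; it assumes the same form field name "fileToUpload" and the same "uploads/" directory, and the exact 50x50 dimension requirement is taken from the question. Two design choices are worth calling out. First, whether a double extension such as shell.php.jpg gets executed depends on the web server's handler configuration, not on PHP, so the stored extension is derived from the image type getimagesize() actually detected and the client's filename is thrown away entirely. Second, getimagesize() only confirms the file parses as an image header; it is a format check, not a malware check, which is why the comments say so.

```php
<?php
// Added example (not the thread's or w3schools' code): a stricter version of
// the upload handler discussed above. Assumes the form field "fileToUpload"
// and the directory "uploads/" from the original post.

declare(strict_types=1);

// Human-readable text for each $_FILES[...]["error"] code listed at
// http://php.net/manual/en/features.file-upload.errors.php
function uploadErrorMessage(int $code): string
{
    switch ($code) {
        case UPLOAD_ERR_OK:         return "No error.";
        case UPLOAD_ERR_INI_SIZE:   return "File exceeds upload_max_filesize in php.ini.";
        case UPLOAD_ERR_FORM_SIZE:  return "File exceeds MAX_FILE_SIZE from the HTML form.";
        case UPLOAD_ERR_PARTIAL:    return "File was only partially uploaded.";
        case UPLOAD_ERR_NO_FILE:    return "No file was uploaded.";
        case UPLOAD_ERR_NO_TMP_DIR: return "Missing a temporary folder.";
        case UPLOAD_ERR_CANT_WRITE: return "Failed to write file to disk.";
        case UPLOAD_ERR_EXTENSION:  return "A PHP extension stopped the upload.";
        default:                    return "Unknown upload error ($code).";
    }
}

// Validates one uploaded image and stores it under a server-chosen name.
// Returns the stored filename, or throws RuntimeException with the reason.
function storeUploadedImage(array $file, string $targetDir, int $maxBytes, int $wantW, int $wantH): string
{
    // 1. Let PHP report on the transfer itself before touching the file.
    if (!isset($file["error"]) || $file["error"] !== UPLOAD_ERR_OK) {
        throw new RuntimeException(uploadErrorMessage((int)($file["error"] ?? -1)));
    }
    // 2. Only accept a temp path that really came from this HTTP request.
    if (!is_uploaded_file($file["tmp_name"])) {
        throw new RuntimeException("Not an uploaded file.");
    }
    // 3. Size limit measured on the real temp file, not the client-reported value.
    if (filesize($file["tmp_name"]) > $maxBytes) {
        throw new RuntimeException("File is too large.");
    }
    // 4. Parse the image header. This is a format check, not malware detection.
    $info = getimagesize($file["tmp_name"]);
    if ($info === false) {
        throw new RuntimeException("File is not an image.");
    }
    [$width, $height] = $info;                 // $info[0] = width, $info[1] = height
    if ($width !== $wantW || $height !== $wantH) {
        throw new RuntimeException("Image must be exactly {$wantW}x{$wantH} pixels (got {$width}x{$height}).");
    }
    // 5. Pick the extension from the detected type ($info[2] is an IMAGETYPE_* constant),
    //    never from the client's filename, so "shell.php.jpg" or "SHELL.PHP" cannot
    //    influence what ends up on disk.
    $allowed = [
        IMAGETYPE_JPEG => "jpg",
        IMAGETYPE_PNG  => "png",
        IMAGETYPE_GIF  => "gif",
    ];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException("Only JPG, PNG and GIF images are allowed.");
    }
    // 6. Random server-side name: no collisions, no path tricks, no overwrite of
    //    an existing file, and no dependence on the user-supplied name at all.
    $name = bin2hex(random_bytes(16)) . "." . $allowed[$info[2]];
    $dest = rtrim($targetDir, "/") . "/" . $name;
    if (!move_uploaded_file($file["tmp_name"], $dest)) {
        throw new RuntimeException("Could not store the file.");
    }
    return $name;
}

if (isset($_POST["submit"]) && isset($_FILES["fileToUpload"])) {
    try {
        // 500000 bytes and 50x50 are the limits from the original post and question.
        $stored = storeUploadedImage($_FILES["fileToUpload"], "uploads/", 500000, 50, 50);
        echo "Stored as " . htmlspecialchars($stored, ENT_QUOTES, "UTF-8");
    } catch (RuntimeException $e) {
        echo "Upload rejected: " . htmlspecialchars($e->getMessage(), ENT_QUOTES, "UTF-8");
    }
}
```

If a maximum rather than an exact size is wanted, step 4 becomes a `>` comparison against the limits instead of a `!==` comparison. The echo statements are HTML-escaped because the original example prints the user's filename straight into the page; this version never prints anything the client supplied, but escaping the output is still the habit to keep.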
