www.webdeveloper.com

Thread: How to: Upload images using PHP

  1. #241
    Join Date
    Apr 2007
    Posts
    1,664
    By first saving it as an image normally in something like the Gimp. Then just renaming the extension in a file browser.

  2. #242
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    Have you actually tried this? I don't really follow what you're saying because a Jpeg comment is not stored as ASCII text.

    Edit: OK, I can see it now:
    Code:
     JFIF  H H   <?php echo 'SyCo' ?> C
    Last edited by bokeh; 12-07-2008 at 10:06 AM.

  3. #243
    Join Date
    Dec 2008
    Posts
    1
    I know this is a newb question but what do I need to do other than put the script in my xampp htdocs folder?

    I get this error:
    File not found

    Firefox can't find the file at /C:/xampp/htdocs/<?php echo $uploadHandler ?>.


    * Check the file name for capitalization or other typing errors.

    * Check to see if the file was moved, renamed or deleted.


    Thanks in advance! Sorry, I know it is a dumb question.

  4. #244
    Join Date
    May 2009
    Posts
    3
    I would like to know how to set the width and height validation to this upload file script.

    maximum width 800px and maximum height 100px
    minimum width 400px and minimum height 50px

    Anxiously waiting for a response.

  5. #245
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    Quote Originally Posted by overhere View Post
    I would like to know how to set the width and height validation to this upload file script.

    maximum width 800px and maximum height 100px
    minimum width 400px and minimum height 50px

    Anxiously waiting for a response.
    Do it here:
    PHP Code:
    @getimagesize($_FILES[$fieldname]['tmp_name'])
        or
    error('only image uploads are allowed', $uploadForm);
    Check the return value from getimagesize. Something like this (not tested):
    PHP Code:
    $size = @getimagesize($_FILES[$fieldname]['tmp_name'])
        or
    error('only image uploads are allowed', $uploadForm);

    // upper limits in pixels; $size[0] is the width, $size[1] the height
    $max_width = 100;
    $max_height = 100;

    if ($size[0] > $max_width)
    {
        error('image exceeded max allowed width: '.$max_width.' pixels', $uploadForm);
    }

    if ($size[1] > $max_height)
    {
        error('image exceeded max allowed height: '.$max_height.' pixels', $uploadForm);
    }


  6. #246
    Join Date
    May 2009
    Posts
    3
    Thank you bokeh,

    It works! Your upload script is fantastic, the best on the internet. That's my opinion.

  7. #247
    Join Date
    Apr 2007
    Posts
    1,664
    Personally I'm amazed it's never been edited to fix the glaring vulnerability, or at least removed from the sticky. If I'm wrong please say so, but if the file check is only getimagesize() you can upload a PHP script. This upload script will allow anyone total access to your server.

    You need to replace the getimagesize() check with a file extension check. You should be uploading to a non-web-browsable folder too.

  8. #248
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    Quote Originally Posted by SyCo View Post
    Personally I'm amazed it's never been edited to fix the glaring vulnerability, or at least removed from the sticky. If I'm wrong please say so, but if the file check is only getimagesize() you can upload a PHP script. This upload script will allow anyone total access to your server.

    You need to replace the getimagesize() check with a file extension check. You should be uploading to a non-web-browsable folder too.
    Instead of criticising, why not write an addendum to the code and attach it here? After all, isn't that what open source is all about?

    The original purpose of the post was to stop the fifty posts a week asking how to upload images. If the sticky were removed you'd be back to that again.

    Anyway, if you go back through you will see your point has already been discussed. The only way to know an image is an image is to open it with an image program like GD. Even this is flawed though, as PHP code could be lurking in a Jpeg comment. Storing uploaded files outside the web root is great for security, but how is anyone going to view the files? Why not unplug the server altogether, then you can be absolutely sure it's secure. And by the way, checking a file extension does not ensure the file does not contain malicious code, nor how any particular server might handle that file type.

  9. #249
    Join Date
    Apr 2007
    Posts
    1,664
    I'm not criticizing or attacking you personally, I'm simply pointing out this script has a major security vulnerability and people should stop using it until it's updated.

    why not write an addendum to the code and attach it here
    Because this is page 17 of an ever growing thread. No one is going to plough through all these pages to read a comment I add at this point? It needs a mod to remove the sticky and a new upload script added or the original post needs to be edited with a note of the changes.

    I commented on this ages ago. I notified the mods about the forum promoting a vulnerable script and still it is a sticky. I'm still thinking that is not right. People are using this and, because it's a sticky, this website is promoting it but it allows total raping of a server up to the extent of the user's privileges. I'm sure you'll agree that's not good. When someone asks for help with this script you really ought to point that fact out.

    The upload script is your thing and I think it's great you took the time to write it to help people. Kudos to you for that. You're continuing to support it too, which is cool, but dude, you have to admit it has got to be redone. Perhaps if you contact the mods they can remove the sticky, add a note to this thread and close it so people using this as a reference can see the need to make a change to their code. Adding a sticky to your amended new code? It's not a huge thing to fix but I can't edit your post and I don't think even you can now. I've contacted the mods and got nothing back, so I guess it's up to you?
    Last edited by SyCo; 05-07-2009 at 11:22 AM.

  10. #250
    Join Date
    May 2009
    Posts
    3
    No one is going to plough through all these pages to read a comment I add at this point?
    I will!

    If the sticky can't be removed, perhaps you should write an addendum to this upload script and the problem will be solved.

  11. #251
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    Quote Originally Posted by SyCo View Post
    I'm not criticizing or attacking you personally, I'm simply pointing out this script has a major security vulnerability and people should stop using it until it's updated.
    Not really major; how many hackers try hiding PHP code in Jpeg comments? Also, how many hackers are going to bother trying to wreck a low-risk server? Anyway, as you know, the problem with this site is it is impossible to edit posts that are more than about half an hour old, so I can't edit it, which is why I suggested writing an addendum.

  12. #252
    Join Date
    Apr 2007
    Posts
    1,664
    Perhaps if you contact the mods they may take some action what with it being your post?

    This thread ranks very high in Google for a search for "image upload script PHP" (currently #8). I think a lot of people are using this script. We can't assume it's only on low-risk servers. And this wasn't well known when the script was written, so it was not often exploited; now who knows how many people are using this. They may simply be inserting code to send spam, eating up users' bandwidth.


    For those good coders who do read all the comments...

    replace
    PHP Code:
    // make a note of the current working directory relative to root.
    $directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']);
    with a hard-coded path to a non-web-browsable folder (outside the webroot or blocked by the server). Store the image information in a SQL table on upload and use a script that reads the image info back into <img> tags.

    Replace the getimagesize() check with something like

    PHP Code:
    //eg
    //$_FILES[$fieldname]['name']='file.jpg';
    //$_FILES[$fieldname]['name']='file.jpg.php';

    $whitelist=array('gif','jpg','png');
    foreach($whitelist as $ext){
        // accept only if the name ends in one of the whitelisted extensions
        if(preg_match('/\.'.$ext.'$/i',$_FILES[$fieldname]['name']))$accept=1;
    }
    if(isset($accept)){
        //accept
    }else{
        //reject
    }

    I think the chances of anyone actually breaking in to my house are low, yet I still lock the door when I leave.

  13. #253
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    Quote Originally Posted by SyCo View Post
    PHP Code:
    $whitelist=array('gif','jpg','png');
    foreach($whitelist as $ext){
        // accept only if the name ends in one of the whitelisted extensions
        if(preg_match('/\.'.$ext.'$/i',$_FILES[$fieldname]['name']))$accept=1;
    }
    if(isset($accept)){
        //accept
    }else{
        //reject
    }

    To make that fit in with the rest of the code you could do this:
    PHP Code:
    $whitelist=array('gif','jpg','png');

    preg_match('/\.('.implode('|',$whitelist).')$/i',$_FILES[$fieldname]['name'])
        or
    error('only image uploads are allowed', $uploadForm);
    Quote Originally Posted by SyCo View Post
    I think the chances of anyone actually breaking in to my house are low, yet I still lock the door when I leave.
    I've been in this house for eight years and have never locked the door. Then the other day, while my door was wide open, the next door neighbour's locked house was broken into and the thief stole a pair of shoes.
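    Pulling the thread's pieces into one validator (bokeh's dimension check from #245, SyCo's whitelist from #252 and bokeh's combined regex from #253), as an added example that is not code from the thread or from bokeh's script. It assumes the original script's error() and $uploadForm, and UPLOAD_DIR is a hypothetical folder outside the webroot; decoding through GD and writing a fresh file is the "open it with an image program like GD" step, and as a side effect it drops Jpeg comments, which is where the thread says PHP code could hide.

```php
<?php
// Added example (not the thread's script). Assumed: error() and $uploadForm exist
// as in the original script; UPLOAD_DIR is a hypothetical folder outside the webroot.
define('UPLOAD_DIR', '/var/uploads/images');

// Returns array(true, stored_path) or array(false, error_message).
function validate_and_store_image(array $file, $min_w = 400, $min_h = 50, $max_w = 800, $max_h = 100)
{
    // 1. Extension whitelist on the client-supplied name. \z instead of $ so that a
    //    trailing newline in the name cannot slip past the anchor.
    $whitelist = array('gif', 'jpg', 'png');
    if (!preg_match('/\.(' . implode('|', $whitelist) . ')\z/i', $file['name'])) {
        return array(false, 'only image uploads are allowed');
    }
    // 2. The bytes must parse as an image of one of the whitelisted types.
    $size = @getimagesize($file['tmp_name']);
    $types = array(IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png');
    if ($size === false || !isset($types[$size[2]])) {
        return array(false, 'file is not a gif, jpg or png image');
    }
    // 3. Dimension limits (the min/max checks asked for in #244).
    list($w, $h) = $size;
    if ($w < $min_w || $h < $min_h || $w > $max_w || $h > $max_h) {
        return array(false, "image must be between {$min_w}x{$min_h} and {$max_w}x{$max_h} pixels");
    }
    // 4. Decode with GD and write a fresh file: only pixel data is carried over, so a
    //    payload hidden in a Jpeg comment or other metadata never reaches the stored copy.
    $ext = $types[$size[2]];
    $decode = array('gif' => 'imagecreatefromgif', 'jpg' => 'imagecreatefromjpeg', 'png' => 'imagecreatefrompng');
    $encode = array('gif' => 'imagegif', 'jpg' => 'imagejpeg', 'png' => 'imagepng');
    $img = @call_user_func($decode[$ext], $file['tmp_name']);
    if ($img === false) {
        return array(false, 'image could not be decoded');
    }
    // 5. Server-generated filename; the client's name never touches the filesystem.
    //    random_bytes() needs PHP 7+ (the thread predates it; use uniqid() on older PHP).
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = call_user_func($encode[$ext], $img, $dest);
    imagedestroy($img);
    return $ok ? array(true, $dest) : array(false, 'could not save image');
}

// Usage in place of the original getimagesize() line:
list($ok, $result) = validate_and_store_image($_FILES[$fieldname]);
$ok or error($result, $uploadForm);
```

    A separate script then reads the stored file from UPLOAD_DIR and emits its bytes with an image Content-Type header, which is how the files stay viewable while sitting outside the webroot.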

  14. #254
    Join Date
    Apr 2007
    Posts
    1,664
    Sounds like you got lucky, close one!

  15. #255
    Join Date
    Sep 2005
    Posts
    1,635
    If Bokeh posted his idea and people post replies, I think there is no issue with this.

    There is a problem if there is a wish to rank better because of the post. I do not know about this.

    Anyway Bokeh, congratulations from my point of view. SyCo made a nice suggestion also. It would be nice to make a summary of all changes and a version number with logs.
