Secure Image Uploading in PHP and Theory Behind It

After seeing so many questions on how we can do secure uploading of images on the server, i am gonna post a theory of how to do this effectively.

Very first method which is basic uploading:

We just browse an image from our local machine and upload them as following. This method is called a naive method.

if (!empty($_FILES['yourFileName']['name']))

// To upload the Image.
$name = $_FILES['yourFileName']['name'];
$type = $_FILES['yourFileName']['type'];
$size = $_FILES['yourFileName']['size'];
$source = $_FILES['yourFileName']['tmp_name'];
$destination = "images/".$name;
move_uploaded_file($source, $destination);

This uploading is done through a normal html form tag

<form action="" enctype=""multipart/form-data" method="post"><input type="file" name="yourFileName" /> <input type="submit" value="Upload" /></form>

Unfortunately this has several flaws- 1 – It can easily be guessed that where are to putting your files and so anybody can upload any PHP script or any executable file and get your server down. 2 – For an example somebody can upload a file which enables shell commands on your machine as following and can do anything with your server. So this way is never suggested. A simple solution at the first site seems to check for the file type being uploaded. so putting a simple script

if($_FILES['yourFileName']['type'] != 'image/jpg')

Can make your script secure a bit but unfortunately it also has some flaws. This php method check content type of the image you are uploading and can be broken by a simple perl script by making header content-type to image/jpg.

Now moving one step ahead let’s check the file type, rather checking content type. There is a function in php getimagesize() which returns a list with image attribute as;

list($width, $height, $type, $attr) = getimagesize('yourUploadedImage');

by this way we can check for the file type and test whether it’s an image. Now one can ask, are we secure? The unfortunate answer is NO. Even after verifying file type, we are not done? YES still there is a flaw in this…

A hacker can easily use steganography and embed a php code into the image and can break your system(Here my motive is not to teach hacking or steganography. I just to help others protect their system). Then? After this we have a one more thing to do with the code and that is putting your image folder out of your server directory (on Linux /var/www directory) or make your uploaded image folder not executable so that even if the hacker uploads image he shouldn’t be able to run that.

So now are you secure? Ummm… NO but after this stage you are highly secure from attacks. In this post i have tried to cover all the theory behind image uploading with little coding in php. Syntax in other languages are not very different but if you will ask i can provide you links/codes in other languages.

Content Source:

Leave Comments

Your email address will not be published.