Secure image uploader with a few functions

prc

I'm trying to construct an Image up-loader, and looked at a few scripts all which are far from what I need. Now I'm trying to get an up-loader that will eventually do this:

Check maximum file size (say 20kb)
Check file types, and only allow gif, jpg
Re size the image to (150 x 150). (if possible compress image were needed.)
And add a 2px black border to the image. (Not really needed now, maybe something to add on)
Have it secure? (don't know what I need to do here?)
Then rename the image then upload it to a directory

How would I go about doing this? Ive looked at some php sites, unsuccessfully, so what I really need is a script that is simple and secure that I can learn of off. So I thought u might be able to help me here 🙂

Any Help would be appreciated, thanx.[/COLOR]

Cent

Hi,

What you're looking for is pretty simple to construct.

To determine the file size and possibly reject (reports file size in bytes):

filesize($filename)

To check file types (you can use a switch statement for multiple file types):

mime_content_type('php.gif')

There's a few PHP classes to resize images on the fly (in this case when its uploaded). Check PHPClasses

As for the 2px black border, is this for presentation purposes? If so, its best to do this with CSS style applied to the image. This way you can change it later if necessary and it doesn't add additional bytes to the images.

Have it secure? You could create a basic user authentication using sessions or cookies (sessions are better). Not sure how your handling this though.

Before or after completing the above, just use:

bool move_uploaded_file ( string filename, string destination )

to move the file and rename it at the same time. Though you will need to indicate the path and new file name in the destination. I typically use something like:

$new_filename = uniqid("img-");

this creates a new filename with the prefix "img-" (or whatever you want).

uniqid() returns a prefixed unique identifier based on the current time in microseconds. prefix is optional but can be useful, for instance, if you generate identifiers simultaneously on several hosts that might happen to generate the identifier at the same microsecond. Up until PHP 4.3.1, prefix could only be a maximum of 114 characters long.

It's so much easier to perhaps write your own routine, then to rework someone else's logic. Because by the time you're done, you know what it should do and can extend it as you see fit.

Best,
Cent

prc

Cent wrote:
There's a few PHP classes to resize images on the fly

Is this prior to uploading?
eg. can a script check the size of an image before it is uploaded? (save on sever load)

And thanks, some real useful info. there 🙂

ashwin

you can use this class to upload files..

<?php
/************
class name: upload
description: upload an image file to the destination directory
purpose: to upload an image file to the destination directory and manipulate the image file
author name: ashwin morey
created on: 17/11/2005
modified by:
modified on:
methods used:upload(constructor)
********/
class upload{
//to store name of the file
var $fileName;
//to store path of the temporary location of the uploaded file
var $tempFileLoc;
//to store size of the file
var $fileSize;
//to store type of the file
var $fileType;
//to store directory name of the file
var $fileDir;
//to store actual destination of the file
var $destination;
//to store actual result
var $move;
//to store error messages
var $message;
//to store error number
var $errNo = 0;
//to store width of the original image
var $orImageWidth;
//to store height of the original image
var $orImageHeight;
//to store width of the new image
var $newImageWidth;
//to store height of the new image
var $newImageHeight;
//to store an array returned by getimagesize function
var $thumb;
//to store source of the image file
var $imageSource;
//to store destination of the image file
var $imageDestination;
/**********************
function name: upload(constructor)
description: constructor
purpose: to set values for the variables $fileName, $destDir
arguments: $fileName, $destDir
returns: nothing
*****************************/
function upload($fileName, $tempFileLoc, $fileSize, $fileDir){
$this->fileName = $fileName;
$this->tempFileLoc = $tempFileLoc;
$this->fileSize = $fileSize;
$this->fileDir = $fileDir;
$this->destination = $this->fileDir."/".$this->fileName;
}
/*****************
function name: fileUp()
description: check whether file is uploaded
purpose:to check whether file is uploaded or not to the temporary location
arguments: nothing
returns: nothing
******************/
function fileUp(){
if(!is_uploaded_file($this->tempFileLoc)){
$this->errNo = 1;
return $this->errorHandler($this->errNo);
}
else{
$this->dirExists();
}
}
/*****************
function name: dirExists()
description: check whether destination directory exists
purpose:to check whether destination directory exists
arguments: nothing
returns: nothing
******************/
function dirExists(){
if(!file_exists($this->fileDir)){
$this->errNo = 2;
return $this->errorHandler($this->errNo);
}
else{
if(!is_dir($this->fileDir)){
$this->errNo = 3;
return $this->errorHandler($this->errNo);
}
else{
$this->fileAlreadyExists();
}
}
}
/*****************
function name: fileAlreadyExists()
description: check whether file is already there
purpose:to check whether file is already there
arguments: nothing
returns: nothing
******************/
function fileAlreadyExists(){
if(file_exists($this->destination)){
$this->errNo = 4;
return $this->errorHandler($this->errNo);
}
else{
$this->moveFile();
}
}
/*****************
function name: moveFile()
description: move uploaded file to the destination
purpose:to move uploaded file to the destination
arguments: nothing
returns: nothing
********************/
function moveFile(){
$this->move = move_uploaded_file($this->tempFileLoc,$this->destination);
if($this->move == false){
$this->errNo = 5;
return $this->errorHandler($this->errNo);
}
else{
$this->errNo = 6;
return $this->errorHandler($this->errNo);
}
}
function getWidth(){
$this->size = getimagesize($this->destination);
$this->orImageWidth = $this->size[0];
return $this->orImageWidth;
}
function getHeight(){
$this->size = getimagesize($this->destination);
$this->orImageHeight = $this->size[1];
return $this->orImageHeight;
}
function GetType(){
$this->size = GetImageSize($this->source);
switch ( $this->size[2] ){
case 1:
return 'gif';
break;
case 2:
return 'jpg';
break;
case 3:
return 'png';
break;
}
}
function calcWidth(){
$this->newImageWidth = $this->orImageWidth 0.5;
return $this->newImageWidth;
}
function calcHeight(){
$this->newImageHeight = $this->orImageHeight 0.5;
return $this->newImageHeight;
}
function imageToThumb(){
switch ($this->GetType()){
case 'gif':
$this->imageSource = ImageCreateFromGIF ( $this->destination );
break;
case 'jpg':
$this->imageSource = ImageCreateFromJPEG ( $this->destination );
break;
case 'png':
$this->imageSource = ImageCreateFromPNG ( $this->destination );
break;
}
$this->imageDestination = ImageCreateTrueColor ( $this->calcWidth(), $this->calcHeight() );
ImageCopyResized( $this->imageSource, $this->imageDestination, 0, 0, 0, 0, $this->calcWidth(), $this->calcHeight(), $this->getWidth(), $this->getHeight() );
return $imageDestination;
}
function imageToThumb(){
$this->size = getimagesize($this->destination);
$this->orImageWidth = $this->size[0];
$this->orImageHeight = $this->size[1];
$this->fileType = $this->size[2];
echo $this->fileType;
//set new width and height for the images here
$this->newImageWidth = $this->orImageWidth 0.5;
$this->newImageHeight = $this->orImageHeight * 0.5;

}
/********************
function name: errorHandler()
description: generate errors
purpose: to generate errors and display them
arguments: takes error number as an input
returns: error Message
*********************/
function errorHandler($errNo){
if($errNo == 1){
$message = "No file uploaded to the temporary location.";
echo $message;
}
else if($errNo == 2){
$message = "Destination directory does not exist.";
echo $message;
}
else if($errNo == 3){
$message = "Destination is not a directory.";
echo $message;
}
else if($errNo == 4){
$message = "The file u are trying to upload already exists.";
echo $message;
}
else if($errNo == 5){
$message = "Something went wrong";
echo $message;
}
else if($errNo == 6){
$message = "File uploaded successfully to the desired location.";
echo $message;
}
return $message;
}
}
?>

prc

Its a bit unclear without the adding form

bradgrafelman

Whoa there, ashwin... you might want to edit your post and add [ PHP ] [ /PHP ] tags... and use those in the future too! o_O

As to doing things before upload... that's nothing PHP can take care of.

ashwin

hope this is easy for u..

<?php
if(!is_array($HTTP_POST_FILES)){
echo "no file uploaded";
}
else{
$destDir = "images";
$destination = $destDir."/".$HTTP_POST_FILES['file1']['name'];
if(!is_uploaded_file($HTTP_POST_FILES['file1']['tmp_name'])){
echo "not uploaded to the system";
}
else{
if(!file_exists($destDir)){
echo "destination directory does not exist";
}
else{
if(!is_dir($destDir)){
echo "this is not a directory";
}
else{
if(file_exists($destination)){
echo "file already exists";
}
else{
$move = move_uploaded_file($HTTP_POST_FILES['file1']['tmp_name'],$destination);
if($move == false){
$message = "some error";
}
else{
$message = "successfully uploaded";
}
}
}
}
}
}
?>

prc

Kool thanks. How would I go about renaming the image and if it turns out having the same name.. overwrite it! And how would I cheak if the file is a gif/jpg ? Is it secure?

Is it still possible to fake all these criteria and upload something dangerous?

bradgrafelman

As to the first question, I would probably check if the file exists before renaming it using [man]file_exists/man. If it does, then first [man]unlink/man the old file, and then use [man]rename/man to take the new name. If it doesn't exist, simply [man]rename/man it.

As to the second question... if your system supports it, you can use [man]mime_content_type/man to get the type. If not, try using [man]getimagesize/man and using the 'mime' index of the array returned.

EDIT: In response to your last question:

If accessing the filename image is impossible, or if it isn't a valid picture, getimagesize() will return FALSE

So, if you're using that function and it returns FALSE, I would get rid of the file and label it invalid.

prc

An example would be even more helpfull!?!

bradgrafelman

Actually, if this is through a file upload, you can simply use [man]move_uploaded_file/man. The manual is pretty self-explanatory about how to use it.

prc

Im having problems taking the original image then resizing it to the new size then saving it. Has anyone got a script or know of a script that can do this?

bradgrafelman

What function are you using? [man]imagecopyresampled/man is what you're after. There's some examples in the manual of how to use it.

prc

sorry, still confused

prc

Its all good. I finally put one together! Now what I'm wondering is what safety precautions should I put in to protect my site?