sneakyimp;10944781 wrote: Interesting link, djjjozsi.
Any thoughts on how to screen for PHP code in an image comment?
The article mentions that an "upload" directory should not be inside the web root. This prevents all of the attacks mentioned since they rely on being able to execute the contents of the file directly. If this is not possible, and you felt so inclined, you could open the image using PHP/GD or PHP/Imagick and remove any <?php ?> tags from the comment.
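An added example of the GD approach described above (this is not code from the original post or from the linked article): the upload is decoded with GD based on its real content type and re-encoded to a fresh file, which drops the original container's metadata segments, including the JPEG COM (comment) segment where a PHP tag could sit. A simple byte check for a PHP open tag is included only to show before/after; the re-encode is what does the cleaning. The demo builds its own JPEG with a constructed malicious comment so it runs offline. Assumed names: `containsPhpTag`, `reencodeImage`, and the temporary file paths.

```php
<?php
declare(strict_types=1);

/**
 * Detection-only check: does the raw file contain a PHP open tag?
 * (Hypothetical helper name; used here to show the before/after state.)
 */
function containsPhpTag(string $bytes): bool
{
    return preg_match('/<\?(php|=)?/i', $bytes) === 1;
}

/**
 * Decode $src with GD according to its actual content (not its file
 * extension) and write a freshly encoded copy to $dst.
 * GD re-encoding does not carry over the JPEG COM segment, PNG tEXt
 * chunks or GIF comment extensions, so an attacker's comment is dropped.
 * Returns the detected type; throws on anything GD cannot handle.
 */
function reencodeImage(string $src, string $dst): string
{
    $info = getimagesize($src);
    if ($info === false) {
        throw new RuntimeException("not a recognised image: $src");
    }

    switch ($info[2]) {
        case IMAGETYPE_JPEG:
            $im   = imagecreatefromjpeg($src);
            $ok   = $im !== false && imagejpeg($im, $dst, 90);
            $type = 'jpeg';
            break;
        case IMAGETYPE_PNG:
            $im   = imagecreatefrompng($src);
            $ok   = $im !== false && imagepng($im, $dst);
            $type = 'png';
            break;
        case IMAGETYPE_GIF:
            $im   = imagecreatefromgif($src);
            $ok   = $im !== false && imagegif($im, $dst);
            $type = 'gif';
            break;
        default:
            throw new RuntimeException('unsupported image type, rejecting upload');
    }

    if (!$ok) {
        throw new RuntimeException("GD could not decode/encode $src");
    }
    imagedestroy($im);
    return $type;
}

// --- Constructed demo input (not a real upload) -------------------------
// Build a small valid JPEG, then splice in a COM segment (marker 0xFFFE)
// right after SOI to simulate an attacker putting PHP in the comment.
$tmpIn  = tempnam(sys_get_temp_dir(), 'upload');
$tmpOut = tempnam(sys_get_temp_dir(), 'clean');

$im = imagecreatetruecolor(8, 8);
imagejpeg($im, $tmpIn);
imagedestroy($im);

$payload = '<?php echo "injected"; ?>';
$com     = "\xFF\xFE" . pack('n', strlen($payload) + 2) . $payload; // length includes its own 2 bytes
$raw     = file_get_contents($tmpIn);
file_put_contents($tmpIn, substr($raw, 0, 2) . $com . substr($raw, 2));

// Before: the tag is present in the uploaded bytes.
var_dump(containsPhpTag(file_get_contents($tmpIn)));

// Sanitise, then check the re-encoded copy.
$type = reencodeImage($tmpIn, $tmpOut);
var_dump($type, containsPhpTag(file_get_contents($tmpOut)));

unlink($tmpIn);
unlink($tmpOut);
```

Only the re-encoded `$tmpOut` should ever be moved into the final storage location; the original temporary upload is discarded. As the post says, this complements rather than replaces keeping the upload directory outside the web root, which removes the ability to execute the file at all.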