Greetings All!
I'm writing an app where I'd like to do something similar to what a lot of forum apps do: allow users to upload their own avatar images.
Now, I'd like to know what's the most secure way to go about doing this? I don't mean how to code it, but rather, the overall method of doing this in a secure way.
I guess I'm a bit "gun-shy" because a few years ago, when I was a hosting reseller, somebody hacked into one of my customer's sites via their PHP image gallery software. They uploaded something that obviously was not an image. I don't recall the exact details (what file extension they used, how they were able to execute it, etc.)... but I certainly don't want a repeat of that.
And it seems to me that what with all of this forum software out there with folks uploading and using their own avatar images for all the world to see, there must be some fairly standard practice of doing this... something that apparently isn't exploited very frequently?
Thanks!
-= Dave =-