Need sanity and safety ideas

Mahngiel

The site I'm putting together will house the ability to upload a picture as an avatar. I used some pretty wild code to do it all, as I'm pretty new to the game. The essence of what happens in steps:
1) User uploads a file that must be jpg, png, or gif
2) The file is renamed to the user's name based off the cookie and stored in a dir/
3) The name of the file extension is captured into a table
4) The site then shows the user's avatar

I'm hoping some of you more versed coders could input on your own methodologies on how to implement what I've done a bit better. Here are my codes and some explanations.

Upload.php

<?php
include('header.php');echo
'<html>
<body>
Change '.$name.'s avatar. <br />
<form action="upload_file.php" method="post" enctype="multipart/form-data"><br />
	<label for="file">toast:</label><br />
	<input type="file" name="';echo $name;echo'" /><br />
	<input type="submit" name="submit" value="Upload File" />
</form>';
?>

Simple. Effective. Only thing to note is I've used the cookie info to identify the name of the file. The intent was to make this safer and prevent unauth'd uploads.

header.php (parts)

//ava dir
$avatar_dir = 'avatars/';
//$_FILES info
$tmp_name = $_FILES[$name]["tmp_name"];
$avatarftype = $_FILES[$name]["type"];
//Break up generated ['type'] to extract image type only
$fext = explode("image", $avatarftype);
$fext = str_replace("/", ".", $fext);
$ava = $fext[1];
//Combine user name w/ extension and store it in db
$myava = ($name.$ava);
$avatarpull = mysql_query("SELECT avatar FROM content WHERE uname = '$name'");
// Fetch avatar for use
$avatype = mysql_fetch_assoc($avatarpull);
$avatar = $avatype["avatar"];

I assign all the vars and arrays in my included header file, so i have easy access while I'm creating the site. Any explanations are below.

Upload-file.php

<?php
include('header.php');

// Determine file types and size
if ((($_FILES[$name]["type"] == "image/gif")
|| ($_FILES[$name]["type"] == "image/jpeg")
|| ($_FILES[$name]["type"] == "image/pjpeg")
|| ($_FILES[$name]["type"] == "image/png"))
&& ($_FILES[$name]["size"] < 60000)){

//Notify if error
if ($_FILES[$name]["error"] > 0){
    	echo "Return Code: " . $_FILES[$name]["error"] . "<br />";
}else{

// Upload it to server and log into database
    move_uploaded_file($tmp_name, $avatar_dir.$name.$ava);
    mysql_query("UPDATE content SET avatar = '$ava2' WHERE uname = '$name'");
	}    

//Kick out
}else{
  echo 'Invalid file,';
   }

?>

I kept getting awkward results when trying to rename the file to the user's name, so I had to explode and replace a little bit. This dropped 'image/png' from the file type, and left me with just png (or jpeg/gif). After that was done, the file was uploaded into the server with their name, and into the database. This prevents upload abuse and makes the call later on easier.

So when user 'John', uploads 'funnyhaha.gif' into the server, it gets renamed to "John.gif" and stored into the db. All i have to do is invoke the vars into the page as so to display his avatar:

<img src="'.$avatar_dir.$avatar.'" height="100px" width="100px" />

What you guys think?

bradgrafelman

Mahngiel wrote:
Only thing to note is I've used the cookie info to identify the name of the file. The intent was to make this safer and prevent unauth'd uploads.

Really? I would have said that you did the opposite and made it less safe, since cookies are client-provided values. In other words, I could easily tell my browser to tell your server that I've got a cookie for user 'Mahngiel' instead of 'bradgrafelman' and your code would be none the wiser.

Mahngiel wrote:

// Determine file types and size 
if ((($_FILES[$name]["type"] == "image/gif") 
|| ($_FILES[$name]["type"] == "image/jpeg") 
|| ($_FILES[$name]["type"] == "image/pjpeg") 
|| ($_FILES[$name]["type"] == "image/png")) 
&& ($_FILES[$name]["size"] < 60000)){

Your code comment (and thus assumption of security) is actually incorrect. You aren't determining file types, you're determining what the user claimed the file types were.

I could just as easily upload a .exe file and claim that it's an "image/jpeg" and your code would be none the wiser.

Mahngiel wrote:
So when user 'John', uploads 'funnyhaha.gif' into the server, it gets renamed to "John.gif" and stored into the db

Okay, but since cookies are easily spoofed/modified, what if user '../hijack_server' uploads 'malicious_code.php' which he claims is of type 'image/jpeg' ? Now you've got a file called 'hijack_server.jpeg' sitting outside of your upload directory which isn't an image at all.

Mahngiel

Thanks for your valuable input, I'll do some more research into making this better.

To address your points:

bradgrafelman;10975930 wrote:
Really? I would have said that you did the opposite and made it less safe, since cookies are client-provided values.

Fair enough, however, i don't see how it makes the process any less safe. If it were the default as name="upload" on the form and $_FILE['upload']['type'] on the script end, it wouldn't be any different security-wise.

bradgrafelman;10975930 wrote:
Your code comment (and thus assumption of security) is actually incorrect. You aren't determining file types, you're determining what the user claimed the file types were.
I could just as easily upload a .exe file and claim that it's an "image/jpeg" and your code would be none the wiser.

I've taken a look at some options and believe that using a function to determine mime type and dimensions should be a better approach.

bradgrafelman;10975930 wrote:
Okay, but since cookies are easily spoofed/modified, what if user '../hijack_server' uploads 'malicious_code.php' which he claims is of type 'image/jpeg' ? Now you've got a file called 'hijack_server.jpeg' sitting outside of your upload directory which isn't an image at all.

Ok, so if not using the cookie to approach how to rename the file, how do you suggest doing so? The entire intent is to limit the upload per user to one image and make callbacks easy by storing the image name and extension in the same row as the user.

Mahngiel

What's with the edit settings on these boards? Anyway, in regards to your point, brad, about the cookie being changed on the client-side, I did some research. I took some time to research this, and I understand your point from what I gave you. However, because I was only requesting feedback on this little interface here, I failed to mention that the user is authenticated against the server database.

My freshness to PHP did not provide me with the adequate skill to respond to you initially, because I assumed it was interperated by the use of cookies. I have since learned that cookies can be set in a variety of ways, including no need to cross-check the information.

vicodin

Why not give the file a random name and store the name of that file in your DB which another field which has the owner of the file?