Tycoon Talk
Tycoon Talk is part of Freelancer.com - find skilled workers online at a fraction of the cost.

PHP Forum
image upload form security
11-04-2008, 10:54 PM  image upload form security
Name: Joseph
Location: Texas
I have this image upload form that only allows images under 350kb and with extensions of jpeg jpg gif and png.

And I just want to make sure it is safe and secure!

First off, here's the code:

PHP Code:
<?php
//define a maximum size for the uploaded images in Kb
define ("MAX_SIZE","350");

//This function reads the extension of the file. It is used to determine if the file is an image by checking the extension.
function getExtension($str) {
    $i = strrpos($str,".");
    if (!$i) { return ""; }
    $l = strlen($str) - $i;
    $ext = substr($str,$i+1,$l);
    return $ext;
}

//This variable is used as a flag. The value is initialized with 0 (meaning no error found)
//and it will be changed to 1 if an error occurs.
//If an error occurs the file will not be uploaded.
$errors=0;
//checks if the form has been submitted
if(isset($_POST['Submit']))
{
    //reads the name of the file the user submitted for uploading
    $image=$_FILES['image']['name'];
    //if it is not empty
    if ($image)
    {
        //get the original name of the file from the client's machine
        $filename = stripslashes($_FILES['image']['name']);
        //get the extension of the file in a lower case format
        $extension = getExtension($filename);
        $extension = strtolower($extension);
        //if it is not a known extension, we will suppose it is an error and will not upload the file,
        //otherwise we will do more tests
        if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "png") && ($extension != "gif"))
        {
            //print error message
            echo '<h1>Unknown extension!</h1>';
            $errors=1;
        }
        else
        {
            //get the size of the image in bytes
            //$_FILES['image']['tmp_name'] is the temporary filename of the file
            //in which the uploaded file was stored on the server
            $size=filesize($_FILES['image']['tmp_name']);

            //compare the size with the maximum size we defined (MAX_SIZE is in Kb) and print error if bigger
            if ($size > MAX_SIZE*1024)
            {
                echo '<h1>You have exceeded the size limit!</h1>';
                $errors=1;
            }
            else
            {
                //only copy the file when the size check passed
                //we will give a unique name, for example the time in unix time format
                $image_name=time().'.'.$extension;
                //the new name will contain the full path where it will be stored (images folder)
                $newname="images/".$image_name;
                //we verify if the image has been copied, and print an error instead
                $copied = copy($_FILES['image']['tmp_name'], $newname);
                if (!$copied)
                {
                    echo '<h1>Copy unsuccessful!</h1>';
                    $errors=1;
                }
            }
        }
    }
}

//If no errors registered, print the success message
if(isset($_POST['Submit']) && !$errors)
{
    echo "<h1>File Uploaded Successfully!</h1>";
}
?>

<!--next comes the form, you must set the enctype to "multipart/form-data" and use an input type "file" -->
Max file size: 100kb
<form name="newad" method="post" enctype="multipart/form-data" action="">
<table>
    <tr><td><input type="file" name="image"></td></tr>
    <tr><td><input name="Submit" type="submit" value="Upload image"></td></tr>
</table>
</form>
One thing I was wondering is if it's ok that it's being saved in my public_html folder.

Should I have it put the images somewhere else?

How?

And I heard that someone might be able to make a php file disguised as an image and upload it.

Is this possible with this form?

I just want to make sure it's completely safe and no one can harm my website.

Thanks.
11-05-2008, 01:33 AM  Re: image upload form security
Name: Mike (mtishetsky)
Location: Mataro, Spain
1. If you need your images to be publicly accessible you should put them so that they could be read by your webserver directly.

2. To avoid handling uploaded files that are not images use getimagesize(). If it returns false the file is definitely not an image file. I'd also recommend using getimagesize() to determine file type instead of relying on its extension.
 
11-05-2008, 01:53 PM  Re: image upload form security
Name: Joseph
Location: Texas
Quote: Originally Posted by mtishetsky
1. If you need your images to be publicly accessible you should put them so that they could be read by your webserver directly.

2. To avoid handling uploaded files that are not images use getimagesize(). If it returns false the file is definitely not an image file. I'd also recommend using getimagesize() to determine file type instead of relying on its extension.
Unfortunately I'm not very good at php.

Can you tell me how I do this?

Or is there a tut somewhere?

If there isn't I'm sure I'll be able to figure it out though.

Thanks!
 
11-06-2008, 12:04 AM  Re: image upload form security
Name: Mike (mtishetsky)
Location: Mataro, Spain
Well, if you are talking about the second point, it would be something like this:
PHP Code:
<?php
function getExtension($file) {
    // map the image types getimagesize() reports to the extension we accept
    $allow = array();
    $allow[IMAGETYPE_GIF]  = 'gif';
    $allow[IMAGETYPE_JPEG] = 'jpg';
    $allow[IMAGETYPE_PNG]  = 'png';

    if (!is_file($file)) {
        echo "File does not exist";
        return false;
    }

    // getimagesize() looks at the file contents, not the name
    $info = getimagesize($file);
    if (!$info) {
        echo "Is not an image";
        return false;
    }

    // $info[2] is the IMAGETYPE_* constant that was detected
    if (!isset($allow[$info[2]])) {
        echo "File format is disallowed";
        return false;
    }

    return $allow[$info[2]];
}
?>
and then
PHP Code:
<?php
$ext = getExtension($_FILES['image']['tmp_name']);
if ($ext) {
    $filename = time().'.'.$ext;
    do_something();   // placeholder: store the file under $filename
}
else {
    fail();           // placeholder: report the error
}
?>
 
11-07-2008, 12:25 PM  Re: image upload form security
Name: Joseph
Location: Texas
So just add those two codes to the code?

That's easy enough.

So it's just like more restrictions, and then if it doesn't come true it will be an error and it won't upload. Cool.

Thanks
 
11-07-2008, 12:28 PM  Re: image upload form security
Name: Joseph
Location: Texas
Quote: Originally Posted by josephcohen
So just add those two codes to the code?

That's easy enough.

So it's just like more restrictions, and then if it doesn't come true it will be an error and it won't upload. Cool.

Thanks
Oh, umm, do you think you can just put my code and your code together so I have a final code?

'Cause I'm not sure if there's anything I need to erase in my original code.
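As an added example (not code from either poster in this thread), here is the original form handler with both of mtishetsky's points applied: the type is detected with getimagesize() instead of trusting the filename extension, and the file is kept outside public_html. The upload directory path, the function name validateUpload and the random filename scheme are assumptions.

```php
<?php
// Added example, not code from either poster: the original form with the
// thread's two points applied (type detected with getimagesize(), file kept
// outside public_html). $uploadDir is an assumed, existing, writable path.
define('MAX_SIZE', 350);   // limit in KB, as in the original form

// Map the type getimagesize() reports to the extension the file is stored
// under; the extension the client supplied is never consulted.
$allowed = array(
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
);

// Returns the validated extension, or false with $error set.
function validateUpload(array $file, array $allowed, &$error)
{
    // Reject failed uploads and anything PHP did not receive via this POST.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        $error = 'Upload failed';
        return false;
    }
    if ($file['size'] > MAX_SIZE * 1024) {
        $error = 'You have exceeded the size limit!';
        return false;
    }
    // getimagesize() reads the file contents; false means it is not an image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        $error = 'File format is disallowed';
        return false;
    }
    return $allowed[$info[2]];
}

if (isset($_POST['Submit']) && isset($_FILES['image'])) {
    $uploadDir = dirname(__DIR__) . '/uploads';   // assumed: one level above public_html
    $ext = validateUpload($_FILES['image'], $allowed, $error);
    if ($ext === false) {
        echo '<h1>' . htmlspecialchars($error) . '</h1>';
    } else {
        // Server-generated name: nothing from the client filename reaches the path.
        $newname = $uploadDir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;   // PHP 7+
        if (move_uploaded_file($_FILES['image']['tmp_name'], $newname)) {
            echo '<h1>File Uploaded Successfully!</h1>';
        } else {
            echo '<h1>Copy unsuccessful!</h1>';
        }
    }
}
```

Because the directory is outside the web root, the browser cannot fetch the images directly; a small script that checks the requested name against the stored files and sends the file with the matching Content-Type is the usual way to serve them.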
 