getimagesize()

I wouldn't worry about people trying to upload scripts - assuming you limit file extensions to .gif, .bmp, .jpg, etc. .jpgs generally don't get executed - unless you have a screwed-up webserver install. The best they will be able to do is have others download the script / code.

What I would worry about is people using your image store to share information other than what the subject of the image looks like - like encoding mp3s using steganography - or something like that.

Perhaps either an Apache directive to not execute, or store everything below the webroot, and readfile() them out.

On 5/14/06, Nick Wilson <nick@xxxxxxxxxxxxxxxxxx> wrote:
Hi all, are there any security concerns with uploaded images? My thought is that it wouldn't be too hard to have some kind of script masquerade as a gif file, and perhaps cause damage. I can't find any way to check a file really is a gif/png/jpg (I assume the mimetype available in $_FILES could be spoofed).

I'd welcome any thoughts in general on this, but specifically if anyone has experience/knowledge in this area and can point me in the right direction.

Many thanks!

--
Nick Wilson
Tel: +45 3311 2250

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
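The advice in the reply above (extension allowlist, getimagesize() to confirm the upload really parses as an image, storage below the webroot, readfile() to serve it) put together in one place, as an added example that is not code from either poster. The upload directory `/var/app/uploads`, the form field name `image`, and the function names are assumptions; the only PHP functions used are the standard ones the thread mentions plus `move_uploaded_file()` and `random_bytes()`.

```php
<?php
// Added example, not code from the thread. Validates an uploaded image the way the
// reply suggests: extension allowlist, getimagesize() to confirm it really is an
// image, storage below the web root, and a readfile()-based download script.
// UPLOAD_DIR, the field name 'image' and the function names are assumptions.

const UPLOAD_DIR = '/var/app/uploads'; // assumption: a directory outside the document root

// Allowed extensions mapped to the IMAGETYPE_* value getimagesize() must report.
const ALLOWED = [
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'bmp'  => IMAGETYPE_BMP,
];

/**
 * Validate one entry of $_FILES and move it below the web root under a generated name.
 * Returns the stored file name, or throws on any failed check.
 */
function storeUploadedImage(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Extension allowlist; the client-supplied name is used only to pick the extension.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // getimagesize() parses the image header, so a script renamed to .gif fails here,
    // and the detected type must agree with the extension ($info[2] is the IMAGETYPE_*).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED[$ext]) {
        throw new RuntimeException('file is not a ' . $ext . ' image');
    }

    // Never reuse the client's file name: generate one ourselves.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

/**
 * Serve a stored image by name with readfile(), as the reply suggests.
 * The name must match the pattern storeUploadedImage() produces, which rules out
 * "../" and any other path component coming from the request.
 */
function serveStoredImage(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(gif|jpe?g|png|bmp)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    $info = @getimagesize($path);
    if ($info === false) {
        http_response_code(404);
        return;
    }
    // Content-Type comes from the parsed image, not from anything the client sent.
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage (assumed file layout): in the upload handler
//   $name = storeUploadedImage($_FILES['image']);
// and in a script such as image.php?name=...
//   serveStoredImage($_GET['name'] ?? '');
```

Note that getimagesize() only confirms the file starts with a valid image header; a real GIF with extra data appended after it still passes, which is exactly why the reply treats "below the webroot plus readfile()" rather than the check itself as the thing that stops anything from being executed. Sending the Content-Type from the parsed image and `X-Content-Type-Options: nosniff` keeps browsers from reinterpreting the response as something other than an image.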