Re: CURL vs Exif_imagetype()


 



On 20-09-2012 13:48, Rango wrote:
Hi,

I host a flash painting tool on my site, and wanted to add the ability for the
users to add a background image from a given url, but I have to make sure
the url they add truly refers to a real jpg file, and not something else.

I found a method with exif_imagetype() that worked except my webhost has
disabled the allow_url_fopen due to security issues, instead they
recommended me to use CURL and said that the exif_imagetype() is not a
modern way to use php today. (what do I know)?

Question: Is it possible for me to use CURL to verify the authenticity of a
jpg file?

...and if so, how? Regards from Rango



Hi Rango,

without actually having the actual imagefile at your disposal, it is impossible to determine if it's a valid imagefile or not. Curl is just a set of functions which help you in downloading that imagefile, it does not in any way help you to figure out if an image is valid or not.

Your host probably told you that instead of giving a URL as the argument to exif_imagetype() you should use curl to download the image, and then pass a LOCAL path to exif_imagetype() instead. You simply misinterpreted what they tried to tell you.

The reason for this is that the curl library is specifically created to handle internet connections (and download, upload, post, etc.). Whereas when allow_url_fopen is set to true, then all possible PHP functions can suddenly try to download anything they want. This leads to a massive increase in the chance of getting malicious scripts to run on your webserver. Now, instead of opening all possible php functions to this problem, they only allow curl to 'open urls', and as such limit the potential problems.

So:
1. use curl to download the file (but first make sure it's not too large)
2. then (still) use exif_imagetype on that downloaded (and locally stored!) file
3. remove the file from your system

Note however, that exif_imagetype is not perfect, and will at times reject valid images. Though it doesn't happen very often.

- Tul

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
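
The three steps listed in the reply above, as an added example that is not part of the original thread: download with curl under a size cap, run exif_imagetype() on the local copy, then delete it. The function name url_is_jpeg, the MAX_BYTES cap, the timeouts and the http/https-only restriction are assumptions chosen for illustration.

```php
<?php
// Added example; names and limits below are illustrative assumptions.
const MAX_BYTES = 2 * 1024 * 1024; // assumed cap on the download size

function url_is_jpeg(string $url): bool
{
    $tmp = tempnam(sys_get_temp_dir(), 'img');
    if ($tmp === false) {
        return false;
    }
    $fh = fopen($tmp, 'wb');
    if ($fh === false) {
        unlink($tmp);
        return false;
    }
    $written = 0;

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        // Only web URLs: curl also speaks file://, ftp://, gopher:// and others.
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // do not chase redirects to other hosts
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_FAILONERROR    => true,  // treat HTTP status >= 400 as failure
        // Step 1: stream to disk and abort once the cap is exceeded, so the
        // limit holds even when the server sends no Content-Length header.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use ($fh, &$written) {
            $written += strlen($chunk);
            if ($written > MAX_BYTES) {
                return 0; // a return value != strlen($chunk) aborts the transfer
            }
            return fwrite($fh, $chunk);
        },
    ]);
    $ok = curl_exec($ch);
    curl_close($ch);
    fclose($fh);

    try {
        // Step 2: check the locally stored file, not the URL.
        return $ok !== false && $written > 0
            && exif_imagetype($tmp) === IMAGETYPE_JPEG;
    } finally {
        unlink($tmp); // Step 3: always remove the temporary file
    }
}
```

exif_imagetype() only reads the first bytes of the file and checks the signature, so a true result says the file starts like a JPEG, not that the whole file decodes as one.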


