> Jpgs can hold other data rather than image data > One thing to try is to run strip_tags($image) to remove any php code > http://stackoverflow.com/questions/3499173/my-php-site-was-hacked-by-codes-u ploaded-as-image > http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/ > > Bastien I understand the principle behind include('pages/' . $_GET['page'] . '.php'); http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00 Which I find ridiculous if anyone did that. I am not sure how he was calling the image to be sure. I watched him upload the image and then Do what looked like a normal echo UPLOADED_IMAGES.$_FILE["name"]; You seen phpinfo() called but it was not in the script rather in the image. He opened the test.jpg in a text editor and sure enough there was <?php phpinfo(); ?> in the code of the jpeg. This bothers me because I am not sure what all he did. He was proving PHP is not a safe language in front of a rather large group or people in the meeting. I could only look on in disbelief that it just happened in front of me. Everything inside of me wants to say he was doing something outside of what I consider normal circumstances. My question is this: If someone uploads a image through a form or whatever and they have embedded a code in can that code inside the image be executed by viewing the file? $image = 'uploaded.jpg'; Echo "<IMG SRC='".$image."'>"; Read this: http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-writt en-in-php-and-carried-in-a-jpeg-image/ That was written a couple months ago. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
