Member Avatar for phoenix254

I am trying to creating a website, i want to know which of these function is more secure to upload the image on database ?

1.) getimagesize

2.)get_file_contents

3.)cURL

Thanks a lot!!!

  • 2 Contributors
  • 4 Replies
  • 641 Views
  • 6 Days Discussion Span
  • Latest Post Latest Post by cereal

Recommended Answers

All 4 Replies

Member Avatar for cereal

Hi, getimagesize() is a function to evaluate the pixels of an image, the type and the attibutes (a stringed version of height and width), it returns an array. For example:

Array
(
    [0] => 20
    [1] => 10
    [2] => 2
    [3] => width="20" height="10"
    [bits] => 8
    [channels] => 3
    [mime] => image/jpeg
)

So it is not directly used to upload an image, it is used to define the image type, and usually is used in the validation step, after the upload.

The file_get_contents() function is used to get the content from a file which can be locale or remote. The cURL library is used to perform requests to remote servers, which means it can be an upload to another server or a GET request to download an image from a remote resource (ftp, web server, API).

So the question is: are you trying to get the image from another server?

To upload an image from a client computer, instead, you need a form, basically:

<form method="post" action="upload.php" enctype="multipart/form-data"
    <label for="image">Upload an image</label>
    <input type="file" name="image" id="image" />
    <input type="submit" name="submit" />
</form>

And then, in the upload.php script, you have to check the contents of the $_FILES array:

print_r($_FILES['image']);

For more information check these docs:

Edited by cereal
Member Avatar for phoenix254 
$con=mysqli_connect("localhost","root","","user_registration");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
  else{

    $cur="USERS/";
    $des= $cur.$_SESSION["sess_useremail"].'/';
    $filename = $des;
    //$gb=5 000 000 000;
    //echo filesize($filename) . ' bytes';
        if (isset($_POST['submitt'])) {
            if(!empty($_FILES["upimage"]["name"])) {
                $file_name = $_FILES['upimage']['name'];
                $file_tmp =$_FILES['upimage']['tmp_name'];
                $count=0;
                $target_file =  basename($_FILES["upimage"]["name"]);
                $image_ext = pathinfo($target_file,PATHINFO_EXTENSION);
                $validate = getimagesize($_FILES["upimage"]["tmp_name"]);
                if($validate !== false){
                    $count=1;           
                }else{
                    $count=0;
                    echo "<script>alert('Please select valid Image');</script>";
                }
                if ($_FILES["upimage"]["size"] > 16777216) {
                    echo "<script>alert('Sorry, your file is too large.');</script>";
                    $count=0;
                }
                if($image_ext  != "jpg" && $image_ext != "png" && $image_ext != "jpeg" && $image_ext != "gif" ){
                    echo "<script>alert('Sorry, only JPG, JPEG, PNG & GIF files are allowed.');</script>";
                    $count = 0;
                }

                if ($count == 1){
                    move_uploaded_file($file_tmp, $des.$file_name);
                }else{
                    echo "<script>alert('Sorry, your file was not uploaded.');</script>";
                }

            }else{
                echo "<script>alert('Please select a image');</script>";
            }
        }
 }
Member Avatar for phoenix254

is this safe script ?

Member Avatar for cereal

The script is fine enough, I would not use the original name to save the file, because this can overwrite existing images, I would assign to each image an UUID.

But there are other steps to execute or to consider with attention:

  1. save the image into a directory in which PHP cannot be executed
  2. and process the image to remove the metadata (comment blocks, EXIF and IPTC data)

Point 1 is easy to fix, just include an .htaccess file in your images directory with the following:

SetHandler default-handler
php_flag engine off

Point 2 is not always considered, but PHP or even Javascript can be included in a perfect working image, and be executed when requested by the client, opening the website to backdoors. Disabling the PHP engine will not block the execution of Javascript: the only solution is to remove the metadata blocks from the images.

If you are not going to resize the images you can use ImageMagick to strip the metadata off, for example:

<?php

    $im = new Imagick();
    $im->readImage($image);
    $im->stripImage();
    $im->writeImage($image);
    $im->clear();
    $im->destroy();

From command line:

<?php

    $cmd = sprintf("convert --strip %s %s", $image, $image);
    system($cmd);

Some extra tools about image optimization (which can also remove metadata) can be found here:

Last note: are you using the user's email address to define the path in which you will save the images? What happens if they can change the address, the path will be renamed or you will go to create a new path, loosing the references to the old images? If you really want to do something like this, consider to use an UUID, assign it to each user, so no matter what they do the UUID will be always the same.

About UUID check this library or generate it through the database, with MySQL is easy:

SELECT UUID();

Docs: https://dev.mysql.com/doc/refman/5.6/en/miscellaneous-functions.html#function_uuid

Bye!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.