Error handling/security concerns for image file uploads

I saw this code for a server to receive an image file upload from a user’s smartphone:

<?php
print_r($_FILES);
$new_image_name = "namethisimage.jpg";
move_uploaded_file($_FILES["file"]["tmp_name"], "/srv/www/upload/".$new_image_name);
?>

It was taken from this page: http://zacvineyard.com/blog/2011/03/upload-a-file-to-a-remote-server-with-phonegap

Shouldn’t it have some code to check that the server isn’t receiving a malicious file? Or is that a concern regarding uploading photos from smartphones?

I found this code to validate the file:


<?php
if (preg_match('/^image\\/p?jpeg$/i', $_FILES['upload']['type'])
or preg_match('/^image\\/gif$/i', $_FILES['upload']['type'])
or preg_match('/^image\\/(x-)?png$/i', $_FILES['upload']['type'])
{
...
} else {
$error = 'Please submit a JPEG, GIF, or PNG image file.';
include $_SERVER['DOCUMENT_ROOT'] ;
exit();
}
?>

… but I don’t know how to integrate the two codes.

Can you help? Thanks!

Hi Steve!

It doesn’t matter if somebody is using a smartphone, a desktop or a watch to call something (could be a web service, a web page, whatever) through HTTP (and even HTTPS). It’s not difficult to sniff HTTP traffic coming from something you own. So, you’re uploading a picture from a smartphone to a web service? It’s easy to find the “URL” of the Web service and write a small app on a desktop that uploads anything to that web service.

So yes, you should validate that it’s really an image. But the code you pasted seems a little simple compared to the example I found. Here’s what I looked for in Google: “secure image upload php”

Here’s what came up:
http://stackoverflow.com/questions/17582046/secure-image-upload-in-php
http://stackoverflow.com/questions/4166762/php-image-upload-security-check-list
http://indrek.it/bulletproof-image-upload-security-guide-for-developers/
http://security.stackexchange.com/questions/32852/risks-of-a-php-image-upload-form
http://nullcandy.com/php-image-upload-security-how-not-to-do-it/

Personally, I never had to validate images uploaded on the Internet (only “closed” applications, so the security was less of an issue)
So, I think you have a little bit of reading to do :wink:
(Or if you’re lucky, somebody else in the forum already did that and he will give you his advice)

Good luck! Tell me what you came up with! :slight_smile:

which includes the following to validate that the file contains an image

// verify the file is a GIF, JPEG, or PNG
$fileType = exif_imagetype($_FILES["myFile"]["tmp_name"]);
$allowed = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
if (!in_array($fileType, $allowed)) {
    // file type is not permitted
    ...

One possible way (though I’ve never tested it) would be to use the GD library to create an image from either a gif, jpeg or png file, using the appropriate function, if the function reports a failure, assume the file to be dodgy and delete it

Thank you for all the help. I’ll cobble together the code and test!