For testing whether they are images, you can:
- check and/or correct their extension
- try loading them with a graphics library like libgd -- if it succeeds, it's an image and you don't have to fear it
I have been reading up on file upload security and the guidance (see here: http://www.scanit.be/uploa
1. Keep uploaded files in a folder NOT accessible by the browser - i.e. out of your webroot.
2. Change the file names so that they are not the same as the uploaded file and not easily guessed
In my script I check that it is an image file (as that is what I am uploading) and I check sizes and the like but that is not enough. I do number 2 above as I have to keep them in a database attached to the members' profiles.
However, I am having some difficulty sorting out how exactly to do number 1.
When the image is uploaded it is stored in the file area, but when I want to display it, I don't just want to send the raw image. I want it to be resized to thumbnail and to also be part of a lightbox object so that when clicked it is accessible. It is all currently working with the directory within the webroot, but I can't get it to work if the directory is outside the webroot.
Presumably, this is because the browser cannot find the location (not in webroot) and so I can't use html to tell the browser how to treat it. So, I could use PHP to send the stream (imagejpeg for eg) to the browser, but I also want to be able to pass the resize parameters and the lightbox links.
Now, I could always hold copies of the images as thumbnails and remove the first issue, but I can't see quite how I can wrap the html around an image stream from PHP.
I thought about using a temporary file in the webroot - so picking it up from outside, creating a temp in a webroot folder and then using that for the html. It seems a lot of messing around.
So, first question is - is this necessary? Is the security chap correct here? Should the files be stored outside the webroot for security?
If so, then how best may I achieve the equivalent of the following code which uses a file in the webroot.
Many Thanks - and I hope I've explained that clearly!
For info my web root is under /srv/public/html/domain.co
OK - let me check out just what libgd is - not heard of that and I'll get back to it. Many Thanks. I'm just trying to ensure that no-one injects php/other executables into my files and if they did then they couldn't use it.
If that makes sense... Probably could have written that better!
Cheers. Laters
LibGD is a graphics library that you can use from PHP. It allows you to create and modify images. You can use e.g.:
$img = @imagecreatefromjpeg($filename); // $filename: path to the uploaded file
if (!$img) {
    // image loading has failed, we can throw it away
} else {
    // image OK, you can move it inside your web root
}
See the manual: http://cz2.php.net/manual/
Hello highlawn, I agree with spule about the suggestion to first place uploaded files in a non-web-accessible folder, ONLY for testing and/or manipulation (thumbnails, watermarks), and then place the checked files and/or thumbs in a web-accessible folder. BUT you may have other concerns for having non-accessible image files. Here is some code I have used to get images in non-accessible folders to a web page -
First is the code for the imggif.php
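A sketch of the approach under discussion, as an added example (not the imggif.php code from this post): a PHP script reads the image from a folder outside the web root and streams a resized copy, so ordinary HTML can point at the script URL for both the thumbnail and the lightbox link. The script name `thumb.php`, `STORE_DIR`, the 32-hex-character id format and the `id`/`max` parameters are assumptions.

```php
<?php
// thumb.php (hypothetical name): streams a resized copy of an image that is
// stored outside the web root. Added example; STORE_DIR, the id format and
// the query parameter names are assumptions, not taken from the thread.
const STORE_DIR = '/srv/private/uploads';   // assumed path outside the web root

// Map a request id to a stored file. Only names the application generates
// itself (32 hex characters here) are accepted, so the id can never carry
// path components such as "../".
function stored_path($id): ?string
{
    if (!is_string($id) || !preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        return null;
    }
    $path = STORE_DIR . '/' . $id . '.jpg';
    return is_file($path) ? $path : null;
}

// Decode the stored JPEG with GD and send it scaled to fit $maxSide pixels.
function send_scaled(string $path, int $maxSide): void
{
    $src = @imagecreatefromjpeg($path);
    if ($src === false) {
        http_response_code(404);
        return;
    }
    $w = imagesx($src);
    $h = imagesy($src);
    $scale = min(1.0, $maxSide / max($w, $h));   // never enlarge
    $out = imagescale($src, max(1, (int) round($w * $scale)), max(1, (int) round($h * $scale)));
    if ($out === false) {
        http_response_code(500);
        return;
    }
    header('Content-Type: image/jpeg');
    header('X-Content-Type-Options: nosniff');
    imagejpeg($out, null, 85);
}

$path = stored_path($_GET['id'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit;
}
// Clamp the requested size so a caller cannot ask for arbitrarily large output.
$max = min(1024, max(16, (int) ($_GET['max'] ?? 150)));
send_scaled($path, $max);
// HTML on the page then references the script, e.g. (ID is a placeholder):
//   <a href="thumb.php?id=ID&max=1024" rel="lightbox"><img src="thumb.php?id=ID&max=150" alt=""></a>
```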
OK, many thanks I will give this a go. So, effectively, what we are saying is that the libgd "test" will prove conclusively that the image is a bona fide image with no injected code whereas the construct
list($width, $height, $type, $attr) = getimagesize($_FILES['imgf
would return good even if code were in it?
As a consequence if we get the libgd seal of approval from any of the following (depending on image type)
$imgjpg = @imagecreatefromjpeg("file
$imggif = @imagecreatefromgif("filen
$imgpngg = @imagecreatefrompng("filen
then we have no worries and it can be loaded into our web directory safely - thus obviating the need for any permanent off web storage?
Let's just hope my php has libgd compiled!
OK, you seem to want an "ultimate" guarantee that all security risks are gone, but you can not ever get rid of all security risks. I have to consider security with my web sites. And I do some things, BUT, for me, some things (methods, checks) are just TOO MUCH.
I had time today to read more of the php-file-upload.pdf that you reference above. In it he says -
"Checking that the file is an image is not enough to guarantee that it is not a PHP script"
and he uses the getimagesize( ) for his image test, which I think is also a part of the php GD image lib. and may be just as good as the imagecreatefromjpeg( ) test. . . What I would ask myself is, do I have information on my site (financial passwords, credit card numbers, bank account log-in) that a hacker would go to the considerable trouble of doing the perl, php, shell, and other hacks that you are trying to prevent. If not, then you may only need moderate safeguards. All web servers have their own security methods set up, some will not allow the perl, and php hacks that he talks about.
For me, if I have concerns about Image security, I just use the GD functions to copy the upload Image to another image, and save that Image as the one that will be available for user viewing. This is also useful for User uploads from those that take those very Large digital camera pics, and have no Idea how to reduce them to a web page view size, and just upload a 10 mega-pixel image for a 100x100 user pic.
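The copy-with-GD step described above could look like the following added example (not code from this thread): the upload is decoded, its pixels are copied to a fresh canvas, and the result is saved under a server-chosen name and extension. The limits `MAX_BYTES` and `MAX_PIXELS`, the function name `reencode_upload` and the destination directory are assumptions.

```php
<?php
// Added example, not code from the thread. The size limits and the
// destination directory passed in by the caller are assumptions.
const MAX_BYTES  = 5 * 1024 * 1024;   // assumed upload size limit
const MAX_PIXELS = 4000 * 4000;       // assumed limit on width * height

// Takes one entry of $_FILES, re-encodes it with GD and returns the new
// server-chosen file name. Throws RuntimeException when the file is rejected.
function reencode_upload(array $upload, string $destDir): string
{
    $tmp = $upload['tmp_name'] ?? '';
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('upload failed');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Header check only: reject huge dimensions before GD decodes the pixels.
    $info = @getimagesize($tmp);
    if ($info === false || $info[0] * $info[1] > MAX_PIXELS) {
        throw new RuntimeException('not an image, or dimensions too large');
    }
    $loaders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_GIF  => 'imagecreatefromgif',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
    ];
    $load = $loaders[$info[2]] ?? null;
    $src  = $load === null ? false : @$load($tmp);
    if ($src === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Copy the pixels onto a fresh canvas and write a new JPEG. Comments,
    // EXIF blocks and bytes appended to the original file are not carried over.
    $w = imagesx($src);
    $h = imagesy($src);
    $dst = imagecreatetruecolor($w, $h);
    imagecopy($dst, $src, 0, 0, 0, 0, $w, $h);
    // The name and extension are chosen here, never taken from the client.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($dst, $destDir . '/' . $name, 85)) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}
```

Transparent GIF or PNG areas come out black in the JPEG copy; the original upload in the temporary location is left for PHP to discard at the end of the request.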
Ultimate guarantee would be cool - but I'm realistic enough to understand that there is no such thing. I'm pretty new at this game so I just wanted to check I'd interpreted what you two had said.
I do take your point regarding numpty users uploading huge images though :(
I think also that changing the file name is a good idea as I'm loading user images against profiles and just to keep track of the images, I call the file profile_id."-".image_numbe
so are pretty unguessable.
Thanks for assistance. I'll split the points.
by: spule. Posted on 2009-08-15 at 03:22:17. ID: 25104759
My opinion: Upload these files somewhere outside your web root. When they are uploaded, your PHP script should check them. If they're really just images, move them inside your web root so that they are accessible. Otherwise, throw them away.