Up to date secure PHP image uploading

Question

I need to implement a secure PHP file upload script. What current methods are you using to ensure that your script is secure?

I will be whitelisting allowed extensions, and ensuring that Apache is running as the user to avoid the need for 777 permissions by default.

Uploaded files will be images, and I have MySQL access. Users will need to be able to see their files once uploaded.

Thanks!

Answer 1

Do as you're saying to check file extensions, but to verify that an uploaded file with a proper extension is actually what it says it is, try running it through imagemagick using the verify command. It's a simple solution that seems one of the very few ways to guarantee without a shadow of a doubt that the image is as it claims to be.

Also, make use of the PHP Function is_uploaded_file to add an extra level of security.

Hopefully it goes without saying, but PDO should be used for database transactions on all aspects of PHP.

Finally, remember that if you use javascript for any validation, that it can easily be overridden by a semi-competent web user. Client-side validation is more responsive to the user, but always back it up with proper server-side checks.

Answer 2

For some advise to avoid malicious files from being uploaded, see the answers to Ways to stop people from uploading GIFs with injections in them?.

The other important thing is to avoid SQL injection. Any data that can modified by an attacker (cookies, user-agents, query string, POST data (including uploaded file names), headers, dynamic pathnames etc.) should not be used without being passed trough mysql_real_escape_string or the MySQLi equivalent first. In case of integers, use the intval() function.