Reputation: 395
I'm wondering about the safety of this. I only want to allow GIF images with a maximum size of 64 Kbytes. Is it safe to use the accept attribute, i.e. accept="image/gif"?
The very little php:
// $name is assumed to be set earlier (its definition is not shown in the post)
if (isset($_REQUEST['upload'])) {
    // stores whatever was uploaded, without any server-side check of type or size
    move_uploaded_file($_FILES['file']['tmp_name'], '../images/logos/'.str_replace(" ", "_", $name).'.gif');
}
My form looks like this:
<form action="upload.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="65536">
<input type="file" name="file" size="40" accept="image/gif">
</form>
Now, is it safe to use the accept attribute?
Upvotes: 0
Views: 142
Reputation: 12900
Trust nothing.
If the content comes from the web, assume everything is wrong when you get it.
With web applications, nothing you put in the HTML should be considered a true safety mechanism from the server side. The tools that HTML and JS provide can be very helpful for providing a good user experience and for reducing the number of basic mistakes in what is sent back to the server, but bad actors will simply bypass your HTML/JS protections and send what they like. What's even more fun is that bots will test forms for basic errors even on low-traffic sites; if you're not careful, that can fill your server with junk.
You need to be prepared to protect against (at least):
Upvotes: 1
Reputation: 13649
Definitely not, as one could change the page code on the client side and submit whatever they want to your server. This applies to the file size too. You should validate the file server-side, checking against its MIME content-type. You could do that preferably with the getimagesize() function.
Improving your server-side code:
// $name is assumed to be set earlier (its definition is not shown in the answer)
if (isset($_REQUEST['upload'])) {
    // getimagesize() parses the real image header; the third element is the IMAGETYPE_* constant
    // (the @ suppresses the warning it emits for non-image data, in which case $image_type is null)
    list(,, $image_type) = @getimagesize($_FILES['file']['tmp_name']);
    // enforce the 64 KB limit on the server instead of trusting the hidden MAX_FILE_SIZE field
    if (filesize($_FILES['file']['tmp_name']) <= 65536
        && $image_type === IMAGETYPE_GIF) {
        move_uploaded_file($_FILES['file']['tmp_name'],
            sprintf('../images/logos/%s.gif', str_replace(' ', '_', $name)));
    }
}
You can improve that even more by splitting the checks and raising error messages to the user. I'll leave that for you.
Upvotes: 2
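Both answers make the same point: the accept attribute and the hidden MAX_FILE_SIZE field are client-side hints, so every check has to be repeated on the server. The following handler is an added example written for this page, not code from the question or from either answer. It keeps the question's field name (file), the 64 KB limit and the ../images/logos/ target directory; the form field name used for $name, the use of $_POST instead of $_REQUEST, the function names and the error messages are assumptions made here for illustration. It combines the getimagesize() check from the second answer with a magic-byte check, PHP's own upload status, is_uploaded_file(), and a whitelisted file name so that the user-supplied name can never carry a path or a different extension.

```php
<?php
// Added example: server-side validation of a GIF logo upload.
// Field name 'file', the 64 KB limit and ../images/logos/ come from the question;
// the 'name' form field, function names and messages are assumptions for illustration.

const MAX_GIF_BYTES = 65536;
const LOGO_DIR = __DIR__ . '/../images/logos';

/**
 * Validate one entry of $_FILES and return a list of error strings.
 * An empty list means the upload may be stored.
 */
function validate_gif_upload(array $file): array
{
    $errors = [];

    // PHP's own upload status comes first: a partial or missing upload is never valid.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['upload failed with error code ' . (int) ($file['error'] ?? -1)];
    }

    // Only accept files PHP itself received via HTTP POST, not arbitrary local paths.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['not an uploaded file'];
    }

    // Size check on the server; the hidden MAX_FILE_SIZE field is only a client hint.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_GIF_BYTES) {
        $errors[] = 'file is empty or larger than 64 KB';
    }

    // Magic bytes: every GIF starts with "GIF87a" or "GIF89a".
    $header = file_get_contents($file['tmp_name'], false, null, 0, 6);
    if ($header !== 'GIF87a' && $header !== 'GIF89a') {
        $errors[] = 'file does not start with a GIF header';
    }

    // Parse the image header as the second answer suggests; getimagesize()
    // returns false when the data is not a recognised image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_GIF) {
        $errors[] = 'file is not a GIF image';
    }

    return $errors;
}

/**
 * Build a safe file name. The user-supplied name is reduced to a whitelisted
 * character set so that "../" or a ".php" suffix can never reach the file
 * system; the extension is always forced to .gif.
 */
function safe_logo_filename(string $name): string
{
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $name);
    $base = trim($base, '_');
    if ($base === '') {
        $base = bin2hex(random_bytes(8)); // fall back to a random name
    }
    return substr($base, 0, 64) . '.gif';
}

/** Validate and store the upload; returns the stored path or throws. */
function store_gif_upload(array $file, string $name): string
{
    $errors = validate_gif_upload($file);
    if ($errors !== []) {
        throw new RuntimeException(implode('; ', $errors));
    }
    $dest = LOGO_DIR . '/' . safe_logo_filename($name);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store the uploaded file');
    }
    return $dest;
}

// Request handling, mirroring the question's form (assumed 'name' text field).
if (isset($_POST['upload']) && isset($_FILES['file'])) {
    try {
        $stored = store_gif_upload($_FILES['file'], $_POST['name'] ?? '');
        echo 'stored ' . htmlspecialchars(basename($stored));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The checks are ordered so that the cheapest and most decisive ones run first: PHP's upload error code and is_uploaded_file() reject anything that did not arrive through the form, the size check keeps oversized files from being parsed at all, and only then is the content inspected twice (magic bytes and getimagesize()). Whatever passes is stored under a name built from a whitelist rather than from the raw input, with the .gif extension appended by the server, so neither the file type nor the destination path can be influenced by the client.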