Reputation: 2623
Asking user to upload images or using remote images
I'm working on a portal that requires users to upload the images which wil be shown in a certain HTML pages. What should be the good practice here ?
Should I avoid uploading and ask users to give their own URL for the images ?
Ask users to upload image files.
Since we know, an image can be a deadly one if it contains code injection, but what about the remote ones, are they secure ?
Thanks
Upvotes: 1
Views: 133
Answers (3)
Reputation: 363
In addition to Ghulam Ali's suggestions:
Make sure to sanitise the filenames. Best is to generate new filenames for user uploaded media.
Have the upload directory with only writable user permissions but that might lead to some complications.
Apart from tackling the security issues, you will also need to figure other important stuff such as orientation as media taken from a mobile device may have random orientations.
Upvotes: 1
Reputation: 1935
It depends on your website consistency. Uploading is much better than entering URL for example if the targeted audience is a professional clients they would prefer uploading as it would be difficult to explain to them what is a remote url and how to get it. But uploading is a more traditional way and feels more easy.
On the other hand if most of your targeted audience is internet users then there might be no need to give upload option. But as I said uploading feels much more natural and easy to users. It also depends on the type of images, if the images are the user's avatar then uploading would fit and if the users are adding images to your website to only share images they found from other websites then remote url would be more appropriate.
Both uploading and fetching remote ones to your server could be deadly, but if you use remote ones just to store the urls in your database then it will create no security problem.
So if you want upload feature or storing the remote images to your server you must do some certain steps to ensure the security of your server:
Verify the file extension and mime to be of valid image. (Don't rely only on this.)
Verify it's a valid image file (using php getimagesize)
Resize and copy the image into a new image object. And store that image into your server.
The folder where you are going to store must have all kinds of code executions disabled by using .htaccess (SetHandler default-handler)
Upvotes: 2
Reputation: 1161
Well, it depends on the nature of the project.
In fact any method could be fine, but you should validate and filter the user input.
There is a lot of options to validate a file if it is an image or not. The getimagesize() function from php could be mentioned as an example, since every image file has to have a resolution and other relevant data.
There are other questions on SO here which answer yours too, you just need to take a look.
Upvotes: 1
Related Questions
- How can I vertically center a div element for all browsers using CSS?
- How to display Base64 images in HTML
- How can I sanitize user input with PHP?
- How do I reduce the opacity of an element's background using CSS?
- Is either GET or POST more secure than the other?
- How to change the href attribute for a hyperlink using jQuery
- how to upload image file from url using FileReader API?
- How should I ethically approach user password storage for later plaintext retrieval?
- where is the best place to save images from users upload