Zydeco

Reputation: 530

Saving an upload image's extension

Is it necessary to abandon an uploaded image's extension when saving it above document root? I'm thinking of calling the image through img.php?i=thisImage.png, where inside, the name of the image is run through mb_split('.',$_GET['i']) and the latter is used inside header('Content-Type: image/$img[1]'). In my personal opinion, it doesn't seem to matter either way, be it img.php?i=thisImage.png or img.php?i=thisImage, but I'm always about tightening security.

Also, what are some of the best methods, aside from a PHP proxy with Content-Type: Content-Length: and serving the images from above document root? I've heard mixed opinions about copying the image from source through IM, but as I've said they're mixed opinions.

Upvotes: 0

Views: 157

Answers (1)

Kae Verens

Reputation: 4079

I know of no problems with leaving the file-name alone, if the file is saved outside the web-accessible area and pushed to the client through a script.

The method I use (in KFM, and in my CMS), is to use mod_rewrite to redirect calls to a script which will retrieve the file for you.

For instance, if you have the URL /f/file.jpg, but the file is actually located at ../files/file.jpg, then you use mod_rewrite to "catch" the request and redirect it to a script. For instance:

RewriteRule ^f/(.*)$ /get-file.php?filename=$1 [L]

Then write get-file.php, using something like readfile() to pass the file through.

Upvotes: 1
