+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Secure File Upload (/showthread.php?tid=7626)
Secure File Upload - El Forum - 04-16-2008
[eluser]Firestorm ZERO[/eluser]
I'm adding the ability for users to upload images that can be later be view by others. I see CI already has file upload class so that makes things easier. This is my first doing this. And I would like to do this as secure as possible. So if anyone can give me a quick run down and see if I'm doing it right.
Here's my plan...
- the file upload class to restrict to just images
- the directory of the folder will be set to 755
- the images will have a hash for their filenames
- the DB will hold unique_id and the file hash and original file name
- have an image-view script to call the DB by the unique_id to get the file
Secure File Upload - El Forum - 04-17-2008
[eluser]obobo[/eluser]
I'm really new to all of this .... What is the advantage in creating a unique id in db for each image rather than just using the hash and accessing the files directly? Is it a serious security risk to not store the image in a db and access by file name?
Secure File Upload - El Forum - 04-17-2008
[eluser]Firestorm ZERO[/eluser]
From what I read, they say you shouldn't access the files directly and have a script to pull the data instead. And well a hash using microtime should be technically not collide but I guess that 1 in a billion chance it can. But I am reading like either old or conflicting tutorials off google.
Secure File Upload - El Forum - 04-17-2008
[eluser]xwero[/eluser]
I'm not sure what you're exactly after. the topic title is secure file upload but in the topic itself you are speaking about protecting the files (images) against downloading?
Secure File Upload - El Forum - 04-17-2008
[eluser]Firestorm ZERO[/eluser]
I guess I should of said the best way to safely have users upload files (specifically images) and display them on the website.
Because I been reading like malformed JPGs to get around checks and such that have php scripts in them. Or am I just get getting overly paranoid over nothing @_@
Secure File Upload - El Forum - 04-17-2008
[eluser]xwero[/eluser]
This is what you are after
Code:
switch ($_FILES['namefromform']['type']) {
case 'image/png':
case 'image/x-png':
$img = @imagecreatefrompng($_FILES['namefromform']['tmp_name']);
break;
case 'image/jpeg':
case 'image/pjpeg':
case 'image/jpg':
$img = @imagecreatefromjpeg($_FILES['namefromform']['tmp_name']);
break;
case 'image/gif':
$img = @imagecreatefromgif($_FILES['namefromform']['tmp_name']);
break;
default:
$img = false;
}
if (!$img) {
// error
} else {
imagedestroy($img);
}The mime type only checks the file header so it's a flawed security check but on the other hand not all image files can be created with the gd library and it takes more time in the overall upload procedure.
Secure File Upload - El Forum - 04-17-2008
[eluser]louis w[/eluser]
Never saw imagedestroy before, should it be a big worry that memory gets tied up when uploading images?
Secure File Upload - El Forum - 04-17-2008
[eluser]xwero[/eluser]
It's always best to keep as much memory free as possible. If you rely too much on the garbage collector you will get memory exhausted errors faster.
Secure File Upload - El Forum - 04-17-2008
[eluser]louis w[/eluser]
Thanks xwero, glad i stumbled upon this.
[quote author="xwero" date="1208470257"]It's always best to keep as much memory free as possible. If you rely too much on the garbage collector you will get memory exhausted errors faster.[/quote]
Secure File Upload - El Forum - 04-17-2008
[eluser]xwero[/eluser]
For all clarity the imagedestroy function is because of the imagecreatefromX functions not because of the uploading of the images. That data is stored in a temporary directory until you move the file or when the limit of the directory is exceeded.