File upload security
- From: Geoff Berrow <blthecat@xxxxxxxxxxx>
- Date: Wed, 27 Jul 2005 14:52:44 +0100
I've written a script which takes a couple of user image files and uses
them to create a watermarked image.
http://www.ckdog.co.uk/watermark.php
I'm checking the images like so:
if(!empty($_FILES['pattern']['tmp_name']) ){
if(is_uploaded_file($_FILES['pattern']['tmp_name'])){
if(
!$patternsize=getimagesize($_FILES['pattern']['tmp_name'])){
header('Location: watermark.php?nosize=2');
exit;
}
$patt=$_FILES['pattern']['tmp_name'];
}
}
It has been suggested to me that this is still insecure as people could
use 'character substitution hacks' to upload files to the tmp directory.
Comments?
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
.
- Follow-Ups:
- Re: File upload security
- From: Justin Koivisto
- Re: File upload security
- Prev by Date: Re: Gosub
- Next by Date: Re: Show countdown from 10 to 0 seconds
- Previous by thread: virctual sampling through php/flash
- Next by thread: Re: File upload security
- Index(es):
