I have created a Site. On this Site have the ability to upload pictures. I read a php article that attacker can insert PHP code in the middle of a GIF image then upload this "evil" image on the Site, then the site may be open for security exploits Can any friends can give an idea to resist this type of attack ..
Add a comment
|
3 Answers
This link explains how this can be done in pretty good detail:
The thing that I'd say is most important in that article is not including or requiring uploaded files. If you are uploading pictures, for instance, you may well be able to get the functionality desired by just displaying them in html rather than including them in your script. This will prevent any malicious code that's inside them from ever being executed.
If you're looking for more information with securing file uploads in general, this article is also good: http://shiflett.org/articles/file-uploads
The author also has a book on PHP security which is very useful as well.
This question on SO is also useful: https://stackoverflow.com/a/4167797/1324019
EDIT: Sorry to keep adding links, but I keep finding useful articles: http://nullcandy.com/php-image-upload-security-how-not-to-do-it/
Comments
You have to trace the full name of file.
But be carefull:
For example someone can create a file like this foo.jpg.asp or php or exe or what ever.
Use regular expressions to match it correctly.
