1

Laravel basically has the following functions for file inputs.

// Determine if a file was uploaded
Input::hasFile('filename');
// Access file properties
Input::file('name')->getRealPath();
Input::file('name')->getClientOriginalName();
Input::file('name')->getClientOriginalExtension();
Input::file('name')->getSize();
Input::file('name')->getMimeType();

Suppose I use getClientOriginalExtension to find the correct image extension, getSize to restrict the file upload size, and getMimeType to check the MIME type of the image.

Am I secure? And can I have faith that these functions will not be exploited by a hacker in any way?

Consider that I will only be uploading images.


Update: See the URL below for secure file uploading with core PHP:

http://php.w3clan.com/tutorial/47/form-handling-secure-uploading

Or just use the file validation rule as per Laravel:

$rule = [ 'name' => 'image' ];

5
  • You can use the image validator rule as well. $rules = [ 'file' => 'image' ] Commented Dec 25, 2014 at 10:09
  • Yes, will all of the above make it completely secure enough? Commented Dec 25, 2014 at 10:23
  • Check my answer here: stackoverflow.com/questions/27635207/php-fileupload-type-check/… Commented Dec 25, 2014 at 10:29
  • If you only intend to upload images, you don't need getMimeType to check for the MIME type as far as I'm aware, since the image rule in the validator checks for the MIME types image/png, image/jpeg, image/gif and others. If you further want to whitelist, for example, only jpg and png, you can check for the extension as well. However, only checking for the extension can let people upload any file they wish if they change the extension. I could upload an executable which is named definitely-not-an-exe-file.png and still be able to upload it. Commented Dec 25, 2014 at 10:32
  • You could try a security check using the combination of getClientMimeType() and getClientOriginalExtension(). Commented Feb 26, 2015 at 6:41

1 Answer 1

7

Seems pretty secure to me.

If you only intend to upload images, you can do this:

$rules = [
    // ... other rules
    'file' => 'required|image', // Assuming it's required, otherwise leave that out
];

See the image validation rule

If you want to further restrict which extensions are allowed, you can specify an array with the extensions you allow, and then check Input::file('file')->getClientOriginalExtension() against it. Although this can be spoofed, so it's better to specify which mime types are allowed instead.

If, for example, you only want to allow .png and .gif files, you use:

$allowedMimes = [
    'image/gif',
    'image/png'
];

And then check using ->getMimeType()

1 Comment

You can add '|mimes:png,gif' to the validation rules (laravel.com/docs/4.2/validation#rule-mimes), but note that the MIME type differs from one browser to another, especially IE & FF.
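
An added example, not part of the original question or answers: a plain-PHP check that decides by file contents (finfo and getimagesize) rather than by the client-supplied name, in line with the answer's preference for MIME types over extensions. The function name, the 2 MiB limit and the two sample files are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// Allowlist maps the server-detected MIME type to the extension we assign ourselves.
const ALLOWED_IMAGE_TYPES = ['image/png' => 'png', 'image/gif' => 'gif'];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumed limit of 2 MiB

/**
 * Returns a server-generated file name, or null if the upload is rejected.
 * $path is the temporary file (what getRealPath() gives you in Laravel);
 * the client's original name and extension are deliberately never used.
 */
function safeImageName(string $path): ?string
{
    $size = filesize($path);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        return null;
    }
    // Detect the type from the file's bytes, not from its name or a browser header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // The header must also parse as an image of that same type.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // Random name plus our own extension: nothing client-supplied reaches the stored path.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed samples: a 1x1 GIF, and plain text of the kind a client could name "photo.png".
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "this is not an image\n");

var_dump(safeImageName($gif)); // sample with real GIF content
var_dump(safeImageName($txt)); // sample with text content
unlink($gif);
unlink($txt);
```

Storing the accepted file under the returned name, in a directory the web server does not execute scripts from, keeps the client's file name out of the storage path entirely.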
