
Thread: An image upload site

  1. #1
    Join Date
    Apr 2007
    Posts
    33
    Thanks
    0
    Thanked 0 Times in 0 Posts

    An image upload site

    Hi,
    Could anyone help me with an image upload script where users can upload images and then they can be viewed in a main page etc.? I'm not sure if PHP is the right method to move, but I think it is.

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    http://php-mysql-tutorial.com

    http://www.php.net/manual/en/features.file-upload.php

    Those two should be what you need. It's a complex project, but that will do what you need.

    Additionally, the GD library (a set of functions) in PHP will allow image manipulation if needed, such as resizing, etc.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. #3
    Join Date
    Jan 2007
    Location
    Bournemouth, England
    Posts
    99
    Thanks
    0
    Thanked 0 Times in 0 Posts


    Here's what I think about image uploading with PHP. It's easy to implement, but the hard part is keeping it secure. I once had an image upload script; 4 weeks down the line there were some mysterious PHP files placed there.

  4. #4
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    That's a good point. If you are careful with creating the right security, that should be preventable, though.
    But do look into possible security holes.

    Most importantly, before saving anything to your site (uploaded files in a temp location that isn't available to anyone for use until you 'move' it to the final place), you should be sure to verify both the file extension and that it is, indeed, the right type of content. Using getimagesize() will be the easiest way to check if a variable (the file will be stored as one) is actually a valid image.

  5. #5
    Join Date
    May 2007
    Posts
    20
    Thanks
    0
    Thanked 0 Times in 0 Posts


    getimagesize() is good for that; I would also implement a few other security practices here. Checking the extension is useless, since that could be spoofed easily enough. Also, checking $_FILES['type'] is useless, since that is sent from the browser and can be spoofed as well.

    What I would recommend (depending on whether you have PHP 4 or PHP 5) is to use dev-php4/pecl-fileinfo or dev-php5/pecl-fileinfo. With this you could do a server-side check on the file's MIME type while it's in /tmp before moving it to its final location.

    I would also recommend moving the file into a database as a BLOB or moving the physical file above the webroot. That way a bad guy couldn't browse right to it with his browser and execute a PHP file he was able to get onto the server. You would then fopen the file and change the header() to display the image.

    These are all complicated processes, but allowing uploads to the public is a risky venture. One of the first steps of any hack is to get a malicious payload onto the server and execute it. From there... it's game over. So keep security in mind when developing and take your time doing your research.

    hanji
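    The checks described in posts #4 and #5 (inspect the file in the temp location, verify the content with fileinfo and getimagesize(), only then move it to a directory above the webroot) combined into one upload handler. This is an added example, not code from the thread; the form field name "photo" and the UPLOAD_DIR path are assumptions.

```php
<?php
// Added example, not code from the thread: an upload handler applying the checks from
// posts #4 and #5. Assumes a form field "photo" and a storage directory that is NOT
// under the document root (UPLOAD_DIR below); both are assumptions, adjust to taste.
const UPLOAD_DIR = '/var/www/uploads_private';
// Accepted MIME types, each mapped to the extension the stored file will get.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Validate one $_FILES entry while it is still in PHP's temp dir, then move it.
// Returns the generated filename; throws if any check fails (nothing is moved).
function storeUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? UPLOAD_ERR_NO_FILE));
    }
    $tmp = $file['tmp_name'];
    // Proves the path came from this request's upload, not from user-controlled input.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }

    // Server-side MIME sniff with fileinfo; $_FILES['type'] is browser-supplied and ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('rejected MIME type ' . var_export($mime, true));
    }
    // getimagesize() must also parse it as an image and agree with fileinfo on the type.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('file is not a valid image');
    }

    // The user's filename and extension are discarded entirely: random name, our extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not move file into storage');
    }
    chmod($dest, 0640); // readable data only, never executable
    return $name;
}

// Usage from the form handler (field name "photo" is an assumption).
try {
    $stored = storeUploadedImage($_FILES['photo'] ?? []);
    echo 'Stored as ', htmlspecialchars($stored);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ', htmlspecialchars($e->getMessage());
}
```

    Because the stored file is never inside the document root, a PHP payload that somehow passed the checks still cannot be requested and executed by URL, which is the failure the thread is describing.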

  6. #6
    Join Date
    May 2007
    Posts
    20
    Thanks
    0
    Thanked 0 Times in 0 Posts


    Another way to verify an image is using the exif functions. This will need to be compiled into your PHP build, but might already be there (view phpinfo() to see).

    PHP Code:
    // Fragment of a checker function: $checkImage and $fieldName come from the
    // enclosing function. exif_imagetype() reads the magic bytes of the temp file.
    $imgTypeConstants = array(
        IMAGETYPE_GIF,
        IMAGETYPE_JPEG,
        IMAGETYPE_PNG,
        IMAGETYPE_BMP,
        IMAGETYPE_TIFF_II,
        IMAGETYPE_TIFF_MM
    );
    $IMAGE_type_check = false;   // must start false so a non-match is reported
    if ($checkImage && function_exists('exif_imagetype')) {
        $detected = exif_imagetype($_FILES[$fieldName]['tmp_name']);
        foreach ($imgTypeConstants as $constantVal) {
            if ($detected === $constantVal) {
                $IMAGE_type_check = true;
                break;
            }
        }
        $MIME_type_pass = ($IMAGE_type_check ? true : false);
    }

    This is part of a 'checker' function I have to validate an image using exif. Do you have access to the server? There are many server-side features that could help lock down unwanted script uploads (i.e. mod_security, the Suhosin hardened PHP patch, etc.).

    hanji
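    The other half of post #5's advice, serving a file kept above the webroot through a PHP script with header() setting the content type, with the exif_imagetype() check from this post repeated at serve time so a non-image is never sent. This is an added example rather than code from the thread; it assumes files were stored with random hex names under UPLOAD_DIR and are requested as image.php?id=<name>.

```php
<?php
// Added example, not code from the thread: serve a stored image from outside the
// document root (post #5), re-checking its type with exif_imagetype() (post #6)
// before sending it. UPLOAD_DIR and the filename pattern are assumptions that
// match the upload handler: 32 hex chars plus a jpg/png/gif extension.
const UPLOAD_DIR = '/var/www/uploads_private';

// Image types this script is willing to serve (a subset of post #6's list).
const SERVABLE = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];

// Resolve a requested name to [path, mime], or null if it must not be served.
// The strict name pattern rules out "../" and other path tricks before the
// filesystem is touched; the content check then decides what Content-Type to send.
function resolveImage(string $name): ?array
{
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        return null;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        return null;
    }
    if (!function_exists('exif_imagetype')) {
        return null; // exif not compiled in: refuse rather than guess the type
    }
    $type = exif_imagetype($path);
    if ($type === false || !in_array($type, SERVABLE, true)) {
        return null;
    }
    return [$path, image_type_to_mime_type($type)];
}

$resolved = resolveImage($_GET['id'] ?? '');
if ($resolved === null) {
    http_response_code(404);
    exit;
}
[$path, $mime] = $resolved;
header('Content-Type: ' . $mime);            // type comes from the bytes, not the name
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');   // browser must not reinterpret the bytes
header('Content-Disposition: inline; filename="' . basename($path) . '"');
readfile($path);                              // the fopen/output step post #5 describes
```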
