Posted by Anze on 06/18/07 19:03
Just some info - I have had problems using GetImageSize on large files
(videos). It was sloooooow (~1s per call), so do be careful.
Do you care whether the file is really an image or whether it contains some
other data too? There is no way to prevent a skillful hacker from embedding
data in an image.
It is, however, important that the extension is correct (or someone could
upload, for instance, a .php file and then execute it) and that you can create
a thumbnail from it (getImageFromXXX) if you need to.
Best,
Anze
Kenoli wrote:
> This link says a bit more about this function:
>
> http://www.phpfreaks.com/phpmanual/page/function.getimagesize.html
>
> This seems to be the key (from that page):
>
> "If accessing the filename image is impossible, or if it isn't a valid
> picture, getimagesize() will return FALSE and generate an error of
> level E_WARNING."
>
> --Kenoli
>
> On Jun 11, 8:46 am, Schraalhans Keukenmeester
> <Schraalh...@the.spamtrapexample.nl> wrote:
>> At Mon, 11 Jun 2007 11:02:56 +0200, iktorn let h(is|er) monkeys type:
>>
>> > Schraalhans Keukenmeester wrote:
>> >> You'll have to test for extension first, and then assert what's sent
>> >> actually is what it claims to be. A safe way would be to apply the
>> >> appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by
>> >> the gd library.
>>
>> > A much better way imho is to use getimagesize
>> > (http://pl2.php.net/manual/en/function.getimagesize.php)
>> > to check if it's a valid image file.
>>
>> > Additionally, you can check the extension of the uploaded file.
>>
>> I haven't been able to test whether the getimagesize() function can be fooled
>> easily. If not, it's probably quicker than using imagecreatefromFORMAT()
>> and therefore a better choice indeed. Great suggestion; it's the PHP
>> manual's suggested way of checking for valid images, I noticed. It doesn't
>> give much explanation though.
>>
>> --
>> Schraalhans Keukenmeester - schraalh...@the.Spamtrapexample.nl
>> [Remove the lowercase part of Spamtrap to send me a message]
>>
>> "strcmp('apples','oranges') < 0"
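The three checks the thread arrives at (extension whitelist, getimagesize(), and a GD imagecreatefrom* round-trip), combined in one upload handler as an added example; this is not code from any poster, and $path, $clientName and $destDir are assumed inputs from the calling upload script.

```php
<?php
// Added example (not code from the thread): accept an uploaded image the way
// the thread suggests - extension whitelist, getimagesize(), then a GD round-trip.
// $path is the already-moved upload, $clientName the name the browser sent (assumed).

const MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // checked before getimagesize() touches the file

// Whitelist: extension => [IMAGETYPE constant, GD loader, GD writer]
const ALLOWED_IMAGES = [
    'jpg'  => [IMAGETYPE_JPEG, 'imagecreatefromjpeg', 'imagejpeg'],
    'jpeg' => [IMAGETYPE_JPEG, 'imagecreatefromjpeg', 'imagejpeg'],
    'png'  => [IMAGETYPE_PNG,  'imagecreatefrompng',  'imagepng'],
    'gif'  => [IMAGETYPE_GIF,  'imagecreatefromgif',  'imagegif'],
];

// Returns the server-chosen file name, or null when the upload is rejected.
// $destDir should sit outside the web root or be served with PHP disabled.
function acceptUploadedImage(string $path, string $clientName, string $destDir): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        return null; // unknown extension: a .php upload never gets stored
    }
    [$expectedType, $loader, $writer] = ALLOWED_IMAGES[$ext];

    // Size cap first: getimagesize() on a multi-megabyte video is slow.
    if (!is_file($path) || filesize($path) > MAX_UPLOAD_BYTES) {
        return null;
    }

    // Header check; @ silences the E_WARNING getimagesize() emits on non-images.
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== $expectedType) {
        return null; // not an image, or the header type contradicts the extension
    }

    // Full decode through GD: catches truncated files the header check let
    // through, and the re-encoded copy does not carry data appended after the image.
    $img = @$loader($path);
    if ($img === false) {
        return null;
    }
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = $writer($img, $destDir . DIRECTORY_SEPARATOR . $storedName);
    imagedestroy($img);
    return $ok ? $storedName : null;
}
```

The re-encode only strips bytes outside the decoded image stream; as Anze notes, data hidden inside valid pixel data cannot be detected this way, so the stored file should still never be served from a location that executes scripts.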