 
For 2023 (and 2024 ...) - we are now fully retired from IT training.
We have made many, many friends over 25 years of teaching about Python, Tcl, Perl, PHP, Lua, Java, C and C++ - and MySQL, Linux and Solaris/SunOS too. Our training notes are now very much out of date, but due to upward compatibility most of our examples remain operational and even relevant, and you are welcome to make use of them "as seen" and at your own risk.

Lisa and I (Graham) now live in what was our training centre in Melksham - happy to meet with former delegates here - but do check ahead before coming round. We are far from inactive - rather, enjoying the times that we are retired but still healthy enough in mind and body to be active!

I am also active in many other areas and still look after a lot of web sites - you can find an index here.
Using PHP to upload images / Store on MySQL database - security questions

Yesterday, the page on our website that shows you how to upload an image from a browser in a PHP script, store the image in a database, and later on retrieve and redisplay the image, was visited 250 times. Not bad for such a specific subject on what I'll admit is something of an obscure web site.

One of our 250 visitors wrote to me - an excellent question - concerning security issues with such uploaded images - "How do you secure such uploads? I mean, I changed the extension of a .exe file to .png and uploaded it without any issues. I do realize that the image will not be displayed. But in theory the file is still located in the filesystem. Wouldn't this mean someone can upload a trojan or infected file and mess up the entire server?"

He's 100% right to think carefully about the validity / checking of what can be uploaded through scripts such as this. Yes, they can be used for ANY "blob" of data - any bit pattern at all, including all sorts of nasties. That's not limited to trojans and infected files, as he suggests, but also includes copyrighted images, pornographic pictures, and images of text which make illegal statements / claims. And I'm sure you could find other things too.

But if the data is held in the database AND ONLY RECALLED / USED AS AN IMAGE, then it is not messing up the whole server - it is never executed. The bytes go into a BLOB column on the way in and come back out through a script that sends them to the browser, labelled as a .jpg, with nothing in between that interprets them as anything else. If the .jpg standard allowed for the embedded execution of code that would be a problem as he suggests, but to my knowledge that is not the case. If my server script that recalled the file said "if it looks like an executable, go run it" that would be a problem too ... but it does not. All it does is send out the image, labelled as a .jpg, to a browser. That safety depends on two things the script must keep true: the blob is never written out as a file under a web-served directory (where a name ending in .php, or a server left to guess types from content, could turn it into something that runs), and the Content-Type sent on the way out is fixed by the script rather than copied from whatever the uploader claimed. The cheap extra check that answers the ".exe renamed to .png" question directly is to ask PHP's getimagesize() whether the uploaded bytes parse as an image at all before storing them, and to reject the upload if they do not.
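The following is an added example, written for this page and not the upload script the article links to; it shows the three layers described above in one place: checking that the uploaded bytes really are an image (getimagesize() followed by a re-encode through GD, so that only pixel data survives), storing them through a prepared statement, and serving them back with a Content-Type fixed by the script. The table name `images`, its columns, the form field name `picture` and the connection details are assumptions for the example.

```php
<?php
// Added example, not the original upload script from the page.
// Assumed schema (not on the page):
//   CREATE TABLE images (id INT AUTO_INCREMENT PRIMARY KEY,
//                        mime VARCHAR(16) NOT NULL, data MEDIUMBLOB NOT NULL);
// Assumed upload form field name: "picture".

const MAX_BYTES = 2 * 1024 * 1024;            // refuse anything over 2 MiB
const ALLOWED = [IMAGETYPE_JPEG => 'image/jpeg',
                 IMAGETYPE_PNG  => 'image/png',
                 IMAGETYPE_GIF  => 'image/gif'];

function pdo(): PDO {
    // Connection details are placeholders.
    $pdo = new PDO('mysql:host=localhost;dbname=demo;charset=utf8mb4', 'demo', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Validate an upload by its bytes, never by the name or type the browser
// claims. Returns [mime, bytes] or throws.
function checkUpload(array $file): array {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // really came from this request
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('too large');
    }
    // getimagesize() parses the image header; a renamed .exe fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info[2], ALLOWED)) {
        throw new RuntimeException('not a JPEG, PNG or GIF');
    }
    $mime = ALLOWED[$info[2]];
    // Re-encode through GD so only pixel data survives: anything appended
    // after a valid image, plus comments and metadata, is discarded.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image would not decode');
    }
    ob_start();
    switch ($mime) {
        case 'image/jpeg': imagejpeg($img, null, 85); break;
        case 'image/png':  imagepng($img);            break;
        default:           imagegif($img);            break;
    }
    $bytes = ob_get_clean();
    imagedestroy($img);
    return [$mime, $bytes];
}

// Store the checked bytes with a prepared statement; returns the new row id.
function storeUpload(PDO $db, array $file): int {
    [$mime, $bytes] = checkUpload($file);
    $stmt = $db->prepare('INSERT INTO images (mime, data) VALUES (?, ?)');
    $stmt->bindValue(1, $mime);
    $stmt->bindValue(2, $bytes, PDO::PARAM_LOB);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Send the stored bytes back as an image and nothing else.
function serveImage(PDO $db, int $id): void {
    $stmt = $db->prepare('SELECT mime, data FROM images WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return;
    }
    // Type comes from our own record, not from the request; nosniff stops the
    // browser second-guessing it; the inline disposition with a name we choose
    // means the uploader's original filename never reaches anyone.
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="image' . $id . '"');
    header('Content-Length: ' . strlen($row['data']));
    echo $row['data'];
}

if (PHP_SAPI !== 'cli') {
    $db = pdo();
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['picture'])) {
        try {
            header('Location: ?id=' . storeUpload($db, $_FILES['picture']));
        } catch (RuntimeException $e) {
            http_response_code(400);
            echo htmlspecialchars($e->getMessage());
        }
    } elseif (isset($_GET['id'])) {
        serveImage($db, (int) $_GET['id']);
    }
}
```

Decoding the upload does hand untrusted bytes to GD's image parsers, so the gain from the re-encode step depends on keeping GD and libjpeg/libpng patched; the getimagesize() check alone is enough to turn away a renamed executable. MAX_BYTES should sit below the upload_max_filesize and post_max_size limits in php.ini, otherwise PHP rejects the request before the script sees it.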

The uploading of images that should not be uploaded (copyright, etc.) is a more difficult matter to answer. And it's really the same question that anyone with a web presence that accepts public uploads has to be aware of and think through. In the case of our demonstration, many people try out the scripts, so any image which really should not be there quickly sinks into the obscure depths and is no longer accessible; the system is in effect self-cleansing. For a live web site where the purpose is publication, you need to look at other measures such as having a moderator presence, an acceptable use policy, a way of reporting abuse, perhaps an automated spam trap, and more.

More links:
Try out the upload script
View recent uploads
Source code listing
(written 2007-10-19)



This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.


© WELL HOUSE CONSULTANTS LTD., 2024: 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/1396_Usi ... tions.html • PAGE BUILT: Sun Oct 11 16:07:41 2020 • BUILD SYSTEM: JelliaJamb