Using PHP to upload images / Store on MySQL database - security questions

Yesterday, the page on our website that shows you how to upload an image from a browser in a PHP script, store the image in a database, and later on retrieve and redisplay the image, was visited 250 times. Not bad for such a specific subject on what I'll admit is something of an obscure web site.

One of our 250 visitors wrote to me - an excellent question - concerning security issues with such uploaded images - "How do you secure such uploads? I mean, I changed the extension of a .exe file as .png and uploaded without any issues. I do realize that the image will not be displayed. But in theory the file is still located in the filesystem. Wouldn't this mean someone can upload a trojan or infected file and mess up the entire server?"

He's 100% right to think carefully about the validity / checking of what can be uploaded through scripts such as this. Yes, they can be used for ANY "blob" of data - any bit patterns at all, including all sorts of nasties. That's not just limited to trojans and infected files as you suggest, but also includes copyrighted images, pornographic pictures, and images of text which make illegal statements / claims. And I'm sure you could find other things too.

But if the data is held in the database AND ONLY RECALLED / USED AS AN IMAGE, then it is not messing up the whole server - it's not being run in any way. If the .jpg standard allowed for the embedded execution of code, then it would be a problem as you suggest, but to my knowledge that's not going to be the case. If my server script that recalled the file said "if it looks like an executable, go run it" that would be a problem ... but it does not. All it does is send out the image, labelled as a .jpg, to a browser.
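The checks a practitioner would add to such a script, as an added example (not the article's own upload code): the upload is accepted only if its bytes actually decode as an image, not on the strength of the filename extension, and the blob is later served with the verified Content-Type and a nosniff header so the browser treats it only as an image. The form field name `image`, the `$pdo` handle and the `pictures` table are assumed names.

```php
<?php
// Added example, not the article's own script. Assumes a form field "image",
// a PDO handle $pdo and a table "pictures" (id, mimetype, content): all assumed.

// Decoded image types we accept; the user's filename extension is ignored.
const ALLOWED_TYPES = [IMAGETYPE_JPEG => 'image/jpeg',
                       IMAGETYPE_PNG  => 'image/png',
                       IMAGETYPE_GIF  => 'image/gif'];
const MAX_BYTES = 2 * 1024 * 1024;   // size cap, assumed value

// Returns the verified MIME type, or null if the upload is not a real image.
function validateImageUpload(array $file): ?string
{
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) return null;
    if (!is_uploaded_file($file['tmp_name'])) return null;
    if ($file['size'] > MAX_BYTES) return null;
    // Decode the bytes themselves: a renamed .exe fails here whatever it is called.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) return null;
    return ALLOWED_TYPES[$info[2]] ?? null;
}

// Store: keep the blob together with the type we verified, never the client's claim.
function storeImage(PDO $pdo, array $file): bool
{
    $mime = validateImageUpload($file);
    if ($mime === null) return false;
    $stmt = $pdo->prepare('INSERT INTO pictures (mimetype, content) VALUES (?, ?)');
    $stmt->bindValue(1, $mime);
    $stmt->bindValue(2, file_get_contents($file['tmp_name']), PDO::PARAM_LOB);
    return $stmt->execute();
}

// Serve: label the bytes with the stored type and forbid content sniffing, so
// the browser only ever treats the blob as an image.
function sendImage(PDO $pdo, int $id): void
{
    $stmt = $pdo->prepare('SELECT mimetype, content FROM pictures WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { http_response_code(404); exit; }
    header('Content-Type: ' . $row['mimetype']);
    header('X-Content-Type-Options: nosniff');
    echo $row['content'];
}

if (isset($_FILES['image']) && !storeImage($pdo, $_FILES['image'])) {
    http_response_code(400); exit('Not an accepted image');
}
```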

The uploading of images that should not be uploaded (copyright, etc.) is a more difficult matter to answer. And it's really the same question that anyone who has a web presence onto which public uploads are accepted has to be aware of and think through. In the case of our demonstration, we have many people trying out the scripts and so any image which really should not be there quickly sinks into the obscure depths and is no longer accessible, so the system is in effect self-cleansing. For a live web site where the purpose is publication, you need to look at other measures such as having moderator presence, an acceptable use policy, a way of reporting abuse, perhaps an automated spam trap, and more.

More links:
Try out the upload script
View recent uploads
Source code listing
(written 2007-10-19)

 


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.


© WELL HOUSE CONSULTANTS LTD., 2019: 404 The Spa • Melksham, Wiltshire • United Kingdom • SN12 6QL
PH: 01225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/1396_Usi ... tions.html • PAGE BUILT: Sat May 27 16:49:10 2017 • BUILD SYSTEM: WomanWithCat