There is a part of my website that allows users to upload profile photos. I'm worried about people uploading malicious code. I'm planning on limiting the file types to .jpg/.png/.gif/.jpeg.
I'm worried that it won't be enough. I'm going to be resizing the images on the server. Would the process of resizing the photos be enough to ensure that the image is actually an image and not a malicious file?
I'll be using the following to resize the photos. I won't be storing the originals on the server and the file names will be changed.
// Resample the decoded source image onto the $thumb canvas at the new dimensions
imagecopyresampled($thumb, $source, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
// Write the canvas out as a fresh JPEG (quality 90) under a server-chosen path
imagejpeg($thumb, $fullpath, 90);
Cybercriminals can quickly embed malicious content in a photograph and send that image out across the web. The simplest way of embedding malware is to append it after the end of the image data (the image overlay). All this requires is taking an image file and adding malicious content.
How Can An Image Carry Viruses? Theoretically, an image can't contain a virus since PNG, JPG, and WEBP files can only contain graphical data, not executable code. However, an advanced malware programmer can exploit different techniques to infect your PC through an image file.
Viruses, malware, or ransomware can be downloaded to your machine through video and photo files, but they need access (your permission) and opportunity (a vulnerability in the program).
A virus can store information in an image, and can exploit a vulnerability in an image-viewing program. It cannot "infect" an image, so much as maliciously alter an image such that the program that is likely to open it will be subverted and trigger an exploit in that process.
Simply doing this will ensure you're working on an image:
if (getimagesize($sourcePath) === false)
{
die("Not an image !");
}
For more safety you should disable PHP execution in the upload folder. In .htaccess:
php_value engine off
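Putting the question's resize step and the answer's getimagesize check together, here is an added example (not code from the question or the answer) of a complete sanitising upload handler: it sniffs the real type from the bytes, decodes with GD, resamples onto a fresh canvas and writes a new JPEG under a random server-chosen name. The function name, the `$_FILES`-style array shape and the destination directory are assumptions.

```php
<?php
// Added example: re-encode an uploaded image with GD so only pixel data
// survives; bytes appended after the image end, or hidden in metadata,
// are discarded. $upload is assumed to be one entry of $_FILES.
function storeSanitizedPhoto(array $upload, string $destDir, int $maxWidth = 512): ?string
{
    // Reject uploads PHP itself flagged, or anything over a sane size.
    if ($upload['error'] !== UPLOAD_ERR_OK || $upload['size'] > 5 * 1024 * 1024) {
        return null;
    }
    $path = $upload['tmp_name'];
    if (!is_uploaded_file($path)) {
        return null;
    }

    // Content sniffing: decide the type from the bytes, never from the
    // client-supplied file name or $upload['type'].
    $info = getimagesize($path);
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if (!in_array($info[2], $allowed, true)) {
        return null;
    }
    [$width, $height] = $info;

    // Decode via GD; a file whose header lies about its format fails here.
    $source = @imagecreatefromstring(file_get_contents($path));
    if ($source === false) {
        return null;
    }
    // Resample onto a fresh canvas: only pixels are copied, no metadata,
    // no trailing bytes, no embedded chunks.
    $scale = min(1.0, $maxWidth / max($width, 1));
    $newW = max(1, (int) round($width * $scale));
    $newH = max(1, (int) round($height * $scale));
    $thumb = imagecreatetruecolor($newW, $newH);
    imagecopyresampled($thumb, $source, 0, 0, 0, 0, $newW, $newH, $width, $height);

    // Server-chosen random name with a fixed extension: the uploader controls
    // neither the name nor the format of what lands on disk.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($thumb, rtrim($destDir, '/') . '/' . $name, 90);
    imagedestroy($source);
    imagedestroy($thumb);
    return $ok ? $name : null;
}
```

The decoders GD relies on (libjpeg, libpng, giflib) are themselves a parsing attack surface, so keep them patched and keep the `.htaccess` rule from the answer so nothing in the upload folder is ever interpreted as PHP even if a file slips through.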