Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images
From: Ben Gollmer <ben () jatosoft com>
Date: Thu, 14 Jun 2001 17:39:31 -0500

This is not a big deal if you use some validation on images (in PHP at least).

Try the function getImageSize(); it will return an array containing the size of the image, as well as the format. If the file specified is not a GIF, JPEG, PNG, or SWF, getImageSize() returns null.

This is also beneficial if you don't want users posting huge images to your forum. In this code, the image must be 800x600 or less.

        //quick sample code follows
        //$imagePath is the URL provided; doesn't matter if it's via GET or POST

        $imageInfo = getImageSize($imagePath);
        if(!$imageInfo)   //lookup failed: unreadable or not a recognized image format
                print("Sorry, image cannot be opened or is not a valid image type.");
        elseif($imageInfo[0] > 800 || $imageInfo[1] > 600)   //index 0 is width, index 1 is height
                print("Sorry, image too big");

        //and so on

More info here: http://www.php.net/manual/en/function.getimagesize.php

Ben Gollmer
Jatosoft, LLC
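
The check described in the message above, written out as an added example (not code from the original post). The helper names check_posted_image() and gif_header(), the type allowlist and the sample inputs are assumptions constructed here; it uses getimagesizefromstring() on in-memory bytes so it runs without fetching a URL.

```php
<?php
// Added example; check_posted_image() is a hypothetical helper name.
// Returns null when the image is acceptable, otherwise an error message.
function check_posted_image(string $bytes, int $maxW = 800, int $maxH = 600): ?string
{
    // Assumed policy: only formats a forum displays inline. This allowlist
    // leaves out SWF, which getimagesize() also recognizes.
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];

    // @ suppresses the notice PHP may raise on data it cannot parse.
    $info = @getimagesizefromstring($bytes);
    if (!is_array($info)) {
        return "Sorry, image cannot be opened or is not a valid image type.";
    }

    // Index 0 is width, 1 is height, 2 is an IMAGETYPE_* constant.
    [$width, $height, $type] = $info;
    if (!in_array($type, $allowed, true)) {
        return "Sorry, image type not allowed.";
    }
    if ($width > $maxW || $height > $maxH) {
        return "Sorry, image too big";
    }
    return null;
}

// Constructed sample input: a GIF header carrying only the signature and
// the logical screen size, which is what the size lookup reads.
function gif_header(int $w, int $h): string
{
    return "GIF89a" . pack('vv', $w, $h) . "\x00\x00\x00";
}

// Constructed samples: one acceptable, one too large, one not an image.
$samples = [
    '640x480 GIF'     => gif_header(640, 480),
    '1024x768 GIF'    => gif_header(1024, 768),
    'HTML, not image' => "<html><body>not an image</body></html>",
];
foreach ($samples as $label => $bytes) {
    echo $label, ': ', check_posted_image($bytes) ?? 'accepted', "\n";
}
```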
