  1. #1
    Regular Coder
    Join Date
    Dec 2010
    Location
    Kent, UK
    Posts
    573
    Thanks
    23
    Thanked 10 Times in 10 Posts

    how to verify images are authentic and safe before displaying them

    Hi guys, as the title asks, I just wanted to know how to verify images are authentic and safe before displaying them in PHP, as I've seen it on a few sites.

    If it's not done in PHP, please guide me to how it is done.

    thanks
    Last edited by Dan13071992; 01-17-2012 at 07:31 PM.
    http://360-tactics.co.uk/forum/index.php

    Crime-Wave

    please post your code wrapped in tags
    please post your PHP wrapped in tags

  • #2
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,366
    Thanks
    61
    Thanked 530 Times in 517 Posts
    Seen what on a few sites? - Re-read that.. it is clear that YOU know what you're getting at but the way you describe it is as clear as mud!

    I'm thinking...
    Check the file extensions / mime types - if whitelisted then accept the file.

    With regards to php image hacking, open the file using file_get_contents(), str_replace <? with [? and ?> with ?] and any php included in the file will then not run.

    Those are the first two that come to me.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #3
    Regular Coder
    Join Date
    Dec 2010
    Location
    Kent, UK
    Posts
    573
    Thanks
    23
    Thanked 10 Times in 10 Posts
    Sorry, basically, before loading an image, the script checks that the image is safe to display, in the sense that it isn't batched with anything, and that it won't auto redirect anyone to another site in order to get their session.

  • #4
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,366
    Thanks
    61
    Thanked 530 Times in 517 Posts
    Right so you're wanting to check for it running php code internally then right?

    Well as mentioned, search for and replace any php tags inside the file and then save it back to the file with file_put_contents().

    That way even if it does have php code it simply won't run.

  • #5
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Open the image up and read the first four bytes out of it. This should tell you what kind of file it is, and use this data to match up the image type.
    Beyond this, there is little (nothing?) you can do to catch op code issues. The threat really isn't PHP in this regard; if you are using PHP to serve the image, then it will treat the output as an image. Make sure the image is located above the site root to prevent direct access to execute it in case it's not an image at all.
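
The approach described in post #5, as an added example that is not part of the original thread: check the first four bytes against a whitelist of image signatures, keep the file outside the site root, and let PHP stream it with a fixed content type. The signature table, the function names and the `$storeDir` parameter are assumptions made for this example; a matching signature only identifies the format, and the file stays harmless because it is streamed with `readfile()` and never executed.

```php
<?php
declare(strict_types=1);

// Whitelist of leading-byte signatures => MIME type sent when serving.
const IMAGE_SIGNATURES = [
    "\x89PNG"      => 'image/png',
    "GIF8"         => 'image/gif',
    "\xFF\xD8\xFF" => 'image/jpeg',
];

/** Return the whitelisted MIME type for the file's first four bytes, or null. */
function detect_image_type(string $path): ?string
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = (string) fread($fh, 4);
    fclose($fh);
    foreach (IMAGE_SIGNATURES as $sig => $mime) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return $mime;
        }
    }
    return null;
}

/** Stream an image kept in $storeDir, a directory outside the document root (assumed). */
function serve_image(string $storeDir, string $name): void
{
    $path = $storeDir . '/' . basename($name);   // basename() drops any directory part
    $mime = is_file($path) ? detect_image_type($path) : null;
    if ($mime === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);            // from the whitelist, never from the client
    header('X-Content-Type-Options: nosniff');   // browser must not re-guess the type
    readfile($path);                             // bytes are streamed, never include()d
}

// CLI demo on constructed samples: a GIF header, and PHP source renamed to .jpg.
if (PHP_SAPI === 'cli') {
    foreach (['real.gif' => "GIF89a\x01\x00", 'fake.jpg' => '<?php echo 1; ?>'] as $name => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'img');
        file_put_contents($tmp, $bytes);
        echo $name, ' => ', detect_image_type($tmp) ?? 'rejected', PHP_EOL;
        unlink($tmp);
    }
}
```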

  • #6
    Regular Coder
    Join Date
    Dec 2010
    Location
    Kent, UK
    Posts
    573
    Thanks
    23
    Thanked 10 Times in 10 Posts
    OK, thanks for your help.

    I'll start looking into it all and coding it.

    Thanks once again TF.

