1

PHP:

Any ideas where I could find a script similar to what stackoverflow uses? Or would it be easy to make something like that myself? I'm sure downloading the image is not a problem, but I'm more worried about security. I'm building a user avatar upload/remote upload system.

Jquery:

The reason I added jquery to the tags, perhaps it is possible to let the user point the URL of the image and somehow upload it via the normal file upload input himself (without having to manually download the image to the computer first).

domino
  • ??? What exactly are your challenges ??? – Baba May 12 '12 at 22:05
  • Possible duplicate of [Fetching a file on a server, resizing with PHP GD2, security considerations](http://stackoverflow.com/questions/8606951/fetching-a-file-on-a-server-resizing-with-php-gd2-security-considerations) – hakre May 13 '12 at 17:02

1 Answer

2

You can use cURL to download the image and then use getimagesize() to check whether it's actually an image - for security purposes.

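```php
<?php
// $url is the image URL supplied by the user; image.jpg is the local file it is saved to.
$limit = 1024*1024*10; // Max. file size in bytes (1024*1024*10 = 10MB)
$ch = curl_init();

$fh = fopen('image.jpg', 'w');

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FILE, $fh); // Stream the response body into the file
// Request only the first $limit bytes (sent as a Range header, which a server may ignore)
curl_setopt($ch, CURLOPT_RANGE, '0-' . $limit);

curl_exec($ch);

curl_close($ch);
fclose($fh); // Flush and close the file before inspecting it

if ($image = getimagesize("image.jpg")) {
     // It's an image
}
else {
     // Not an image; delete!
     unlink("image.jpg");
}
```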
Jeroen
  • Dangerous - you've not set any limits on how much data to fetch, so a hostile user can put in a link that leads to a multi-terabyte download. curl supports streaming a download to file, plus fetch limits – Marc B May 12 '12 at 23:05
  • Thanks, I can actually point this to my local upload script and not code duplicate verification scripts. – domino May 13 '12 at 09:33
  • Could you explain a bit further though? Say $url is the url sent by the user. In your example I would just have to replace image.jpg with the $url? The reason I'm asking is because CURLOPT_URL also seems to contain a variable. – domino May 13 '12 at 09:40
  • No, $url is the image the user provides and image.jpg is the file you're saving to. – Jeroen May 13 '12 at 10:05
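
An added example, not part of the original answer or its comments: it combines the getimagesize() check from the answer with the fetch limit raised in the comments, counting bytes locally in a write callback so the cap holds even when the server ignores the Range header. The function name fetchRemoteAvatar, its parameters, the timeouts and the allowed type list are assumptions made for illustration.

```php
<?php
// Added example: fetchRemoteAvatar() and its parameters are hypothetical names.
function fetchRemoteAvatar(string $url, string $dest, int $maxBytes = 10485760): bool
{
    // Accept only http(s) URLs, so file://, ftp:// and similar are rejected up front.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }

    // Download to a temporary file, never to a name derived from user input.
    $tmp = tempnam(sys_get_temp_dir(), 'avatar');
    $fh = fopen($tmp, 'wb');
    $received = 0;

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // do not follow redirects
        CURLOPT_CONNECTTIMEOUT => 5,     // seconds (assumed values)
        CURLOPT_TIMEOUT        => 20,
        // Returning a count different from strlen($chunk) makes curl abort the transfer.
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use ($fh, &$received, $maxBytes) {
            $received += strlen($chunk);
            if ($received > $maxBytes) {
                return 0; // over the cap: stop downloading
            }
            return fwrite($fh, $chunk);
        },
    ]);
    $ok = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    fclose($fh);

    // getimagesize() returns false for non-images; index 2 holds the IMAGETYPE_* constant.
    $info = ($ok !== false && $status === 200) ? @getimagesize($tmp) : false;
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        unlink($tmp); // not an accepted image, or the download failed or was cut off
        return false;
    }
    return rename($tmp, $dest);
}
```

The caller chooses $dest itself (for example from the user's numeric id), so nothing from the remote URL ends up in a local file name. This sketch does not restrict which hosts the server will connect to.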