PHP Validate base64 encoded images

Question

I need to find a way to validate an image that is base64 encoded in PHP.

By validate i'm thinking of XSS and other security things like that.

The flow is:

User has some parameters where one og more in a base64 encode string of an image and post them to my site. When i receive the parameter fx called img1 with the base64 encoded image string as value.

I would then like to make sure that this base64 encoded string only consist of the image and doest not have any tags and any other things hackers will try to use.

Does anyone know any PHP functions or plugins that can help me?

It does not really matter what the image contains, it matters what you do with it. If you treat something that should be an image as an image and as an image only, there should be no chance for anybody to inject HTML tags. Because why are you evaluating an image as HTML? As such, we need more context to answer this properly. — deceze, Sep 03 '12 at 13:59
I would only take the base64 encoded string and put it in a image tag. But security is very importent thing in the system i'm building so i just need to be sure that something like XSS cant be used in base64 encoded images :) — Anders Gerner, Sep 06 '12 at 10:14
What's your data source, and why is it base64-encoded to begin with? How do you output it, as `src="data:image/jpeg;base64,`, or decoding it and saving the data into an actual image? — Markus AO, Jul 14 '20 at 19:28

Karol Gasienica · Answer 1 · 2020-07-15T06:42:33.543

You can validate file type with code below:

$file = 'Your base64 file string';
$file_data = base64_decode($file);
$f = finfo_open();
$mime_type = finfo_buffer($f, $file_data, FILEINFO_MIME_TYPE);
$file_type = explode('/', $mime_type)[0];
$extension = explode('/', $mime_type)[1];

echo $mime_type; // will output mimetype, f.ex. image/jpeg
echo $file_type; // will output file type, f.ex. image
echo $extension; // will output extension, f.ex. jpeg

$acceptable_mimetypes = [
    'application/pdf',
    'image/jpeg',
];

// you can write any validator below, you can check a full mime type or just an extension or file type
if (!in_array($mime_type, $acceptable_mimetypes)) {
    throw new \Exception('File mime type not acceptable');
}

// or example of checking just a type
if ($file_type !== 'image') {
    throw new \Exception('File is not an image');
}

Under $mime_type you will get something like application/pdf or image/jpeg.

Under $file_type you will get a file type f.ex. image.

Under $extension you will get an extension.

With finfo_buffer you can use a few predefined constants, which may give you more informations.

With those informations you can simply validate if it's image or pdf or any other things you want to check. All the available mimetypes you can check in this page.

Manual

PHP: finfo_open

PHP: finfo_buffer

PHP: finfo_buffer - Predefined Constants

base64_decode

MIME types (IANA media types)

zaf · Answer 2 · 2012-09-06T06:48:07.383

4

You can try to create the image from the string using the imagecreatefromstring function.

You can then test for image dimensions/type.

If you want to go one further step you can create a new image and then attempt to copy the user image onto it and use this as the final image. Since the final image was initially created by you there is a very slim chance any hacker could get thru.

edited Sep 06 '12 at 06:48

answered Sep 03 '12 at 13:58

zaf

22,776
12
65
95

score 0 · Answer 3 · answered Sep 06 '12 at 10:17

I would only take the base64 encoded string and put it in a image tag. But security is very importent thing in the system i'm building so i just need to be sure that something like XSS cant be used in base64 encoded images :)

Then you do this as with any other user input: you htmlspecialchars-encode the user provided text before putting it in your HTML to preserve the integrity of your HTML. Base64 image strings are no exception. See The Great Escapism (Or: What You Need To Know To Work With Text Within Text).

Of course, a blob of image data may open you up to entirely different attack vectors through vulnerable image parsers. So you may want to decode that image string into an image resource first and save it again using gd or Imagick functions, i.e. opening and re-saving/re-encoding the image.

score 0 · Answer 4 · answered Oct 09 '16 at 10:00

0

Try this library

https://github.com/imaimai86/Intervention-Base64Image

It uses Intervention image library to validate base64 encoded images

answered Oct 09 '16 at 10:00

Ima

1,111
12
22

score 0 · Answer 5 · answered Oct 21 '17 at 12:54

0

$str = 'your  base64 code' ;

if (base64_encode(base64_decode($str, true)) === $str && imagecreatefromstring(base64_decode($img))) {
echo 'Success! The String entered match base64_decode and is Image';
}

answered Oct 21 '17 at 12:54

Mahdi Bashirpour

17,147
12
117
144

This answer is missing its educational explanation. – mickmackusa Jan 20 '22 at 11:27

PHP Validate base64 encoded images

5 Answers5

Linked

Related