
I have an upload image function on my web app. I tried to upload a PHP file with code like this: <script>alert('XSS')</script>. The file is hack.php.jpg; I uploaded it and it was accepted. My fear is this: will the script run and return something to the malicious user, or will it ignore the script inside the .jpg? Here is the list of functions of my upload image:

1) It will rename the image, then it will be saved in the folder.

2) Only accepted extensions are jpg, png, jpeg.

3) file size < 1000000.

4) uniqid() is used for renaming the img.

5) I use unlink() and move_upload_file() for saving the img and deleting the img in the folder.

6) My <form> enctype is multipart/form-data and accept="image/*".

I learned my code from the codecourse PHP file-upload video.

phew

1 Answer

How do you parse the extension of the file? Ideally, you completely rename the file. For example to "randomhash.jpeg/jpg/png". That way it is impossible for it to ever contain the ".php" extension.

Another thing you can do is disable PHP code execution (in nginx or Apache) in the folder where you store your images.

You can also additionally make use of the functions getimagesize and exif_imagetype to check that it is a valid image. Just keep in mind that those functions are not foolproof.

Technidev
  • Thank you, any recommended tutorials for disabling PHP code execution (Apache)? – phew Jun 14 '16 at 02:21
  • @phew Refer to http://stackoverflow.com/a/1272068/6275228 or http://webmasters.stackexchange.com/questions/74668/apache-disable-php-in-a-directory. – Technidev Jun 14 '16 at 02:25
  • I have an additional question: my photos are too big, `1MB` at least. I want below 500 or 400 KB only, because the loading is too slow. – phew Jun 14 '16 at 02:26
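The answer's three points (rename to a random name with a server-chosen extension, never trust the client filename, and verify the content with exif_imagetype/getimagesize) combined in one handler. This is an added example, not the asker's or the answerer's code; the `storeUploadedImage` function, the `$_FILES['image']` field name and the `uploads` directory are assumptions.

```php
<?php
// Added example: hardened image upload handler. The client-supplied filename
// (e.g. "hack.php.jpg") is discarded entirely; type and extension come from
// the file content, and the stored name is random.
declare(strict_types=1);

const MAX_BYTES = 1000000;
// Image type detected from the magic bytes -> extension we will store it under.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function storeUploadedImage(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Only handle files that really came in through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Decide the type from the content, not from the name the browser sent.
    $type = exif_imagetype($file['tmp_name']);
    if ($type === false || !isset(ALLOWED_TYPES[$type])) {
        throw new RuntimeException('Not a JPEG or PNG image');
    }
    // getimagesize() parses the header only; like exif_imagetype() it is a
    // sanity check, not proof that the file is free of embedded junk.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Image header could not be parsed');
    }
    // Random name + server-chosen extension: ".php" can never survive this.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $name;
}

// Usage (assumed field name and directory):
// $stored = storeUploadedImage($_FILES['image'], __DIR__ . '/uploads');
```

As the answer's second point, the `uploads` directory should additionally have PHP handling switched off at the web-server level (for Apache with mod_php, a `.htaccess` containing `php_flag engine off` is one way), so that even a file that slips through is served as static content rather than executed.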