Dear All,
After seeing so many questions on how to upload images to a server securely, I am going to post an explanation of how to do this effectively.
The very first method is basic uploading:
We just browse to an image on our local machine and upload it as follows. This is called the naive method.
<code><?php
if (!empty($_FILES['yourFileName']['name']))
{
// To upload the image.
$name = $_FILES['yourFileName']['name'];
$type = $_FILES['yourFileName']['type'];
$size = $_FILES['yourFileName']['size'];
$source = $_FILES['yourFileName']['tmp_name'];
// The client-supplied filename is used as-is for the destination.
$destination = "images/" . $name;
move_uploaded_file($source, $destination);
}
?>
</code>
This upload is done through a normal HTML form:
<code>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="yourFileName" />
<input type="submit" value="Upload" />
</form>
</code>
Unfortunately this has several flaws:
1 – It is easy to guess where you are putting your files, so anybody can upload a PHP script or any other executable file and take your server down.
2 – For example, somebody can upload a file which enables shell commands on your machine, as follows,
and can then do anything with your server.
So this way is never recommended.
A simple solution at first sight seems to be checking the type of the file being uploaded, so putting in a simple script such as
<code>
if ($_FILES['yourFileName']['type'] != 'image/jpeg')
{
// Error
}
</code>
can make your script a bit more secure, but unfortunately it also has some flaws. I will explain that in my next blog.
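For comparison with the naive handler above, here is a stricter upload handler as an added example (not code from the original post). It assumes the same form field name 'yourFileName', an 'uploads/' directory outside the web root, and that PHP's fileinfo extension is enabled.

```php
<?php
// Added example, not from the original post. Assumptions: form field
// 'yourFileName', storage in an uploads/ directory outside the web root,
// and the fileinfo (finfo) extension available.

function saveUploadedImage(array $file, string $uploadDir): ?string
{
    // Reject anything PHP itself reports as a failed or missing upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only accept files that actually arrived via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Enforce a size ceiling (2 MiB here) before inspecting the content.
    if ($file['size'] > 2 * 1024 * 1024) {
        return null;
    }
    // Detect the type from the file content, not from $_FILES[...]['type'],
    // which is a header sent by the client and can say anything.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        return null;
    }
    // The file must also parse as an image, not merely carry image magic bytes.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Never reuse the client's filename: generate a random name and take the
    // extension from the detected type, not from the uploaded name.
    $newName     = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $destination = rtrim($uploadDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $destination)) {
        return null;
    }
    chmod($destination, 0644); // stored file is readable but not executable
    return $newName;
}

if (!empty($_FILES['yourFileName'])) {
    $saved = saveUploadedImage($_FILES['yourFileName'], __DIR__ . '/../uploads');
    echo $saved === null ? 'Upload rejected.' : 'Stored as ' . htmlspecialchars($saved);
}
?>
```

Because the stored file lives outside the web root under a random name, it must be served through a script that sets the detected Content-Type rather than by a direct URL.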
