I have a site on which users can make an account. Then they can change their avatar. My question is: Do I need any security when uploading the files to the database? (Apart from escaping)
The only way the image can be seen is through a PHP parser that resizes the image, so it always ends up as a PNG.
All I can think of is to check the image extension while uploading and use MySQLi to connect and query the database with no hassles.
Don't trust headers, check the mime type yourself.
How come you're putting files into a MySQL DB?
Why would you store the image itself in the database? Do you really want a query per avatar load?
Just upload the avatars, resize upon upload and store them something like <userid>.png, and simply point there directly, rather than destroying your mysql database with pointless data.
[QUOTE=Fizzadar;34665806]Why would you store the image itself in the database? Do you really want a query per avatar load?
Just upload the avatars, resize upon upload and store them something like <userid>.png, and simply point there directly, rather than destroying your mysql database with pointless data.[/QUOTE]
Exactly. Make an avatars folder in your img folder. Make or add a table avatars and put the right image name with the right user ID, and let them resize.
[QUOTE=Darkwater124;34669389]Almost every tutorial I've read taught me how to upload files to a database. Now I've seen the cons of that, fuck tutorials. Now I have to change my site to save to and load from folders... [editline]13th February 2012[/editline] Btw, I want to do something with Dropbox on my site. Anybody got any good ideas? (It's for [url]www.novaember.com[/url])[/QUOTE]
From WAYWO
[editline]13th February 2012[/editline]
Android FP can't edit?
[editline]13th February 2012[/editline]
Okay, nvm this, check WAYWO
Just put all of your uploaded avatars into a folder that has PHP disabled and you'll be fine (I've used this for my own site and it works very well). This way nothing malicious will ever execute. And if you're worried about MySQL injection, just use 'mysql_real_escape_string()' and that'll prevent anything from happening.
[QUOTE=zeoed;34813400]Just put all of your uploaded avatars into a folder that has PHP disabled and you'll be fine (I've used this for my own site and it works very well). This way nothing malicious will ever execute. And if you're worried about MySQL injection, just use 'mysql_real_escape_string()' and that'll prevent anything from happening.[/QUOTE]
s/mysql_real_escape_string()/PDO
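Added example, not code from the thread or from the OP's site: one upload handler that puts the advice from the replies above together. It sniffs the MIME type from the file's bytes instead of trusting the header or extension, confirms the file decodes as an image, re-encodes it to a fresh PNG named <userid>.png as Fizzadar suggested, and records the file name through a PDO prepared statement rather than mysql_real_escape_string(). The avatars table, its columns, the target directory, the size limits and the DSN are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Assumes a MySQL table
//   avatars (user_id INT PRIMARY KEY, filename VARCHAR(64))
// and a directory for finished avatars that is NOT a PHP-enabled web path.
declare(strict_types=1);

const AVATAR_DIR  = __DIR__ . '/../avatars'; // assumed; keep it outside the document root
const MAX_BYTES   = 512 * 1024;              // assumed upload limit
const AVATAR_SIZE = 128;                     // assumed output size in pixels

function storeAvatar(PDO $db, int $userId, array $upload): string
{
    // $upload is one entry of $_FILES; $userId must come from the session, never the request.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($upload['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $tmp = $upload['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. MIME type from the bytes. $upload['type'] is whatever the client claimed,
    //    and the extension is whatever the client named it; neither is checked.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        throw new RuntimeException("rejected content type $mime");
    }

    // 2. It must actually decode as an image with sane dimensions (bounds the
    //    memory GD will allocate for it).
    $info = @getimagesize($tmp);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || $info[0] > 4096 || $info[1] > 4096) {
        throw new RuntimeException('not a decodable image');
    }

    // 3. Re-encode. The PNG written below is drawn from decoded pixels only, so
    //    any PHP, SSI or other payload hidden in the original file's metadata or
    //    trailing bytes never reaches disk.
    $src = @imagecreatefromstring(file_get_contents($tmp));
    if ($src === false) {
        throw new RuntimeException('decode failed');
    }
    $dst = imagecreatetruecolor(AVATAR_SIZE, AVATAR_SIZE);
    imagealphablending($dst, false);
    imagesavealpha($dst, true);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, AVATAR_SIZE, AVATAR_SIZE, imagesx($src), imagesy($src));

    // 4. The stored name is derived from the user id, not from the client's file name.
    $name = $userId . '.png';
    $ok   = imagepng($dst, AVATAR_DIR . '/' . $name);
    imagedestroy($src);
    imagedestroy($dst);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }

    // 5. Prepared statement: the values never touch the SQL text, so no escaping is needed.
    $stmt = $db->prepare(
        'INSERT INTO avatars (user_id, filename) VALUES (:uid, :name)
         ON DUPLICATE KEY UPDATE filename = VALUES(filename)'
    );
    $stmt->execute([':uid' => $userId, ':name' => $name]);
    return $name;
}

// Usage from the form handler (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES   => false,
// ]);
// echo storeAvatar($db, (int) $_SESSION['user_id'], $_FILES['avatar']);
```

Step 3 is the one that actually answers the OP's question: once the only thing on disk is a PNG the server itself produced, the extension check and the "PHP disabled" folder become defence in depth rather than the whole defence. Step 5 is the PDO replacement for mysql_real_escape_string() that the reply above asks for.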
[QUOTE=zeoed;34813400]This way nothing malicious will ever execute.[/QUOTE]
yeah right
[QUOTE=swift and shift;34814469]yeah right[/QUOTE]
As long as PHP is disabled for the folder no PHP files will execute in that folder thus your server is secure from any PHP shells in that folder. Apparently someone doesn't know what a .htaccess file is.
[QUOTE=zeoed;34835896]As long as PHP is disabled for the folder no PHP files will execute in that folder thus your server is secure from any PHP shells in that folder. Apparently someone doesn't know what a .htaccess file is.[/QUOTE]
lol
[QUOTE=zeoed;34835896]As long as PHP is disabled for the folder no PHP files will execute in that folder thus your server is secure from any PHP shells in that folder. Apparently someone doesn't know what a .htaccess file is.[/QUOTE]
Many folk with that same line of thought have fallen prey to my trusty:
[code]<!--#exec cmd="rm -rf *" -->[/code]
[QUOTE=StinkyJoe;34837827]Many folk with that same line of thought have fallen prey to my trusty:
[code]<!--#exec cmd="rm -rf *" -->[/code][/QUOTE]
HTML comment? How the heck does that work?
[QUOTE=jaybuz;34838246]HTML comment? How the heck does that work?[/QUOTE]
shtml
[QUOTE=zeoed;34835896]As long as PHP is disabled for the folder no PHP files will execute in that folder thus your server is secure from any PHP shells in that folder. Apparently someone doesn't know what a .htaccess file is.[/QUOTE]
What the fuck?
[QUOTE=KmartSqrl;34835984]lol[/QUOTE]
Rather than simply laugh at the poor sod, you should explain to him (and the rest of us) why he is wrong. It would be good to know for the future, if I ever need to implement some kind of upload system!
I was saying lol because of who he was replying to and the "Apparently someone doesn't know what a .htaccess file is." part.
Oh. Then, someone else could perhaps explain why what he's doing is wrong? I get that it's still not secure even if PHP is disabled there, but perhaps someone can explain why and how we can fix this?
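Added example, not posted by anyone in the thread: the .htaccess the last few replies argue about, with the PHP-only setting shown next to a version that also closes the hole StinkyJoe's `<!--#exec cmd=...-->` relies on. That payload works because a file named `.shtml` (or any file, if `XBitHack` is on) is handed to mod_include when `Options +Includes` is inherited, and mod_include runs the command as the web server user; switching off the PHP engine does nothing about it. Which of these directives a given .htaccess may use depends on the server's `AllowOverride` setting, which is assumed here to permit Options, FileInfo and AuthConfig.

```apache
# Added example (not from the thread). .htaccess for the directory that holds avatars.

# Weak: only the PHP engine is off. Uploaded .shtml still goes through mod_include
# if Includes is inherited, and CGI/other handlers still apply.
# php_flag engine off

# Stronger: no server-side processing of any kind, and only the resizer's output is served.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
Options -Includes -IncludesNOEXEC -ExecCGI -Indexes
RemoveHandler .php .phtml .phar .php3 .php5 .php7 .phps .shtml .shtm .cgi .pl .py
RemoveType    .php .phtml .phar .php3 .php5 .php7 .phps .shtml .shtm
SetHandler default-handler

# Deny everything, then allow only files the upload handler creates (<userid>.png).
Require all denied
<FilesMatch "^[0-9]+\.png$">
    Require all granted
    <IfModule mod_headers.c>
        Header set Content-Type "image/png"
        Header set X-Content-Type-Options "nosniff"
    </IfModule>
</FilesMatch>
```

Two caveats a practitioner should keep in mind. `php_flag engine off` only reaches mod_php; with php-fpm the virtual host's `<FilesMatch "\.php$"> SetHandler "proxy:fcgi://..."` is merged after per-directory config and wins over the `SetHandler default-handler` here. And a mis-set `AllowOverride` turns most of these lines into a 500 error rather than a silent no-op. The approach that does not depend on either is the one the OP already describes: keep the originals outside the document root and serve only what the resizer produced.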