2018-12-16 Pujan Niroula 4 Minute(s) Read

Secure Image Upload System in PHP

img-secure image upload.jpg

Most of newbie developer afraid to make a image upload function for user just because of insecurity. If your script allowed to upload any kinds of file then you can be easily hacked.

Most of time hackers upload PHP Backdoor or Shell from image upload form to get access to your website.

Normally we have been told that never trust user input. But how we can validate image??? No worries mate... Today I am going to share you how can you make simple but secure image upload system in PHP.

Simple and Secure Image/Photo Upload System in PHP

First of all, Let's create HTML Form to Upload image.

<form action="" method="post" enctype="multipart/form-data">
    <h1>Secure Image Upload System</h1>
    <frameset>
        <label>Choose Image</label>
        <input type="file" name="image">
        <input type="submit" name="upload" value="Upload">
    </frameset>
</form>

It will display form to choose image to upload image like this.

php secure img upload

 

If you saved uploaded image from this form without any validation then you can easily get hacked. To make the photo upload system secure I will check uploaded image in following ways:

  1. Check file extension and file type.
  2. Check Resolution.

How to Check extension of Uploaded Image

Simple first create an array of allowed extensions and check if the uploaded image's extension is in array or not.

<?php
if (isset($_POST['upload']) && $_FILES['image']['error']==0) {
    $allow_ext = array('png','jpg','gif','jpeg','bmp','tif');
    $allow_type = array('image/png','image/gif','image/jpeg','image/bmp','image/tiff');
    $image_name = $_FILES['image']['name'];
    $image_type = getimagesize($_FILES['image']['tmp_name']);
    $image_name = explode('.',$image_name);
    $ext = end($image_name);
    if(in_array($ext, $allow_ext) && in_array($image_type['mime'], $allow_type)){
        echo 'Valid File';
    }
?>

Let me to explain this code.This code will execute after you post upload parameter. The $allow_ext variable holds list of allowed image extensions and $allow_type holds list of allowed image types.

$_FILES is SuperGlobal variable in PHP. $_FILE['image']['name'] returns file name of uploaded file including file extension and $image_type['mime'] returns file type.

Explode() function will break string into array the first parameter (.) is separator and second parameter is string.

End() function returns last element of an array that is uploaded file extension here.

Finally we check, the extracted extension is inside our array or not with in_array() function. Furthermore for more safety we check image type also.

Without filetype check if someone uploaded PSD file with png extension then it will be uploaded. Hence there will be problem on displaying it.

Check Resolution of Uploaded Image and Save it

I am checking resolution to ultimately conform the uploaded file is an image.

list($width, $height) = getimagesize($_FILES['image']['tmp_name']);
if ($width>0 && $height>0) {
    $upload = move_uploaded_file($_FILES['image']['tmp_name'], $_FILES['image']['name']);
}

First I got width and height of an uploaded image and secondly if it's width and height is greater than 0 then I saved the uploaded image with move_uploaded_file() function. Remember getimagesize() returns width and height of images only. Furthermore getimagesize returns height, width, bits and mime of Image.

Complete Code: Validate Uploaded Photo in PHP

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">    
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Simple Secure Image Upload System</title>
    <style>
        body { border:1px solid #333; border-radius: 10px; background-color: #999; padding: 10px; text-align: center;}
        form {  padding: 10px; width: 50%; margin: auto; background-color: #fff; border-radius: 10px;}
        input[type="submit"] {padding: 10px; border-radius: 5px; border:1px solid #333; display: block; font-weight: bold; width: 100%; margin: 5px; }
        input[type="file"] {padding: 10px;  font-weight: bold; width: 100%; }
    </style>
</head>
<body>
    <?php
    if (isset($_POST['upload']) && $_FILES['image']['error']==0) {
        $allow_ext = array('png','jpg','gif','jpeg','bmp','tif');
        $allow_type = array('image/png','image/gif','image/jpeg','image/bmp','image/tiff');
        $image_name = $_FILES['image']['name'];
        $image_type = getimagesize($_FILES['image']['tmp_name']);
        $image_name = explode('.',$image_name);
        $ext = end($image_name);
        if(in_array($ext, $allow_ext) && in_array($image_type['mime'], $allow_type)){
            list($width, $height, $mime) = getimagesize($_FILES['image']['tmp_name']);
            if ($width>0 && $height>0) {
                $upload = move_uploaded_file($_FILES['image']['tmp_name'], $_FILES['image']['name']);
                if ($upload) {
                    echo '<p>File Uploaded: <a href="'.$_FILES['image']['name'].'">View Image</a></p>';
                }
            } else {
            echo 'Error: Only image is allowed!';
            }
        } else {
            echo 'Error: Invalid File Type!';
        }
    }
    ?>
    <form action="" method="post" enctype="multipart/form-data">
        <h1>Secure Image Upload System</h1>
        <frameset>
            <label>Choose Image</label>
            <input type="file" name="image">
            <input type="submit" name="upload" value="Upload">
        </frameset>
    </form>
    <span>By: </span><a href="http://pujann.com.np/secure-image-upload.php">Pujann</a>
</body>
</html>

That's all, this is how can you create secure photo upload system in PHP. You can customize this code as your requirement. 
I will be happy to hear from you!!! smile

 

Download Attached Files: Secure Image Upload PHP Script.zip
Tags:php, tutorial,
Comments (1) Add New Comment
Jim2020-01-17 4:30 PM

Seems secure, Kudos bro!

Reply