php – Uploading an image to the site, how to protect the server?

Question:

How to protect the server hosting the site and forum with support for uploading your own avatars and inserting images into comments?

After all, everyone knows that an image can be supplied with a virus, through which you can get full access to the server. How to correctly handle such image uploads? It is clear that the antivirus will not be able to help you in any way, because it does not expose the newest viruses.

Answer:

Everyone knows that a virus itself is a collection of bytes that is absolutely harmless until it is launched for execution in an appropriate environment.

Of the environments on the PHP web server, there are usually two available – CGI and PHP. For CGI, it is sufficient not to upload images to the folder that is intended for executable files.

For PHP, however, protection boils down to ensuring that

  1. Don't skip files with php extension. It's simple, except for one nuance *
  2. Do not include anything in your pkhp scripts. This rule is much more important and broader than just uploading images. If it is not respected, then you do not need to upload any pictures to the server. If our code always means exactly which file it will include, and it is impossible to slip anything into it from the outside, then the picture with the php code will also be safe.


Nuance. Apache web server in default configuration executes files like script.php.jpg as php files.

Scroll to Top