Joshua (author), posted October 7, 2009:

Ok, for all those who have been like myself, curious, I just discovered this works well. This will secure your "Upload Display_Pic" form and stop users from entering code instead of a URL.

```php
function pic_change()
{
    global $ir, $db;
    $Pic = $db->query(sprintf("SELECT `display_pic` FROM `users` WHERE `userid`='%d'", $ir['userid']));
    if (isset($_POST['NewPic'])) {
        if ($_POST['NewPic'] == '') {
            echo 'You Did Not Enter An Image';
        } else {
            // Only checks that "jpg", "jpeg", "gif" or "png" appears somewhere in the
            // value (the dot is unescaped and the pattern is not anchored to the end).
            if (!preg_match('~(.?).(jpg|jpeg|gif|png)~i', $_POST['NewPic'])) {
                die('Stop trying to abuse a Bug, Enter a picture format!');
            } else {
                $_POST['NewPic'] = str_replace(array("<", ">", "'", ";", ".php", ".html", ".js"), array("", "", "", "", "", "", ""), $_POST['NewPic']);
                // escape before interpolating into the query
                $db->query(sprintf("UPDATE `users` SET `display_pic`='%s' WHERE `userid`='%d'", $db->escape($_POST['NewPic']), $ir['userid']));
                echo 'Picture Changed';
            }
        }
    }
}
```

I took this snippet of code

```php
if (!preg_match('~(.?).(jpg|jpeg|gif|png)~i', $_POST['NewPic'])) {
    die('Stop trying to abuse a Bug, Enter a picture format!');
}
```

And I put it under

```php
function gang_staff_desc2()
{
    global $db, $ir, $c, $userid, $gangdata;
    if ($gangdata['gangPRESIDENT'] == $userid) {
        if (isset($_POST['titlebanner'])) {
            // the preg_match check from above goes here
            // ... rest of the banner handling as in the original mod
        }
    }
}
```

to ensure the file being uploaded is an image file. I hope you can figure out how to install this and secure your site, gluck :)
mdshare, posted October 7, 2009:

Where do you check if it's actually an image??? Looks like you didn't learn from [mccode v2.x] Auto-Admin Hack.
Joshua (author), posted October 7, 2009:

```php
if (!preg_match('~(.?).(jpg|jpeg|gif|png)~i', $_POST['NewPic'])) {
    die('Stop trying to abuse a Bug, Enter a picture format!');
}
```

The whole if(!preg_match statement checks if it's jpg, jpeg, gif or png. Anything else and you get a die(error). It works, as I'm using it. I'm new to PHP but I learned that much.
mdshare, posted October 7, 2009:

Doesn't check, it checks if the extension is what you have whitelisted.

Verifying if a file is an image, e.g.:

```php
<?php
// getimagesize() returns false when the file is not an image it can parse,
// so test for that before reading ['mime'].
$imageinfo = getimagesize($_FILES['uploadfile']['tmp_name']);
if ($imageinfo === false
    || ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg')) {
    echo 'Sorry, we only accept GIF and JPEG images';
    exit(0);
}
?>
```

Verifying the extension, which doesn't check if it really is an image!!!

```php
<?php
$filename  = strtolower($_FILES['uploadfile']['name']);
$extension = pathinfo($filename, PATHINFO_EXTENSION); // text after the last dot
$whitelist = array('jpg', 'png', 'gif', 'jpeg');            # example of white list
$blacklist = array('php', 'php3', 'php4', 'phtml', 'exe');  # example of black list
if (!in_array($extension, $whitelist)) {
    echo 'Invalid file type';
    exit(0);
}
if (in_array($extension, $blacklist)) {
    echo 'Invalid file type';
    exit(0);
}
?>
```

You could also secure the upload folder (where you store the images) so that no scripts can be executed from there, through .htaccess:

```apache
AddHandler cgi-script .php .php3 .php4 .php5 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
```
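Putting mdshare's two checks together in one upload handler, as an added example (this is not mdshare's code nor anything from mccodes). It assumes a form field named uploadfile, a writable directory passed in as $uploadDir that the .htaccess above covers, a 2 MiB size limit and a 4096 px dimension limit; all of those are assumptions for the example. The extension is checked first, the real header second, the two must agree, and the client's file name is never reused.

```php
<?php
// Added example: hardened image upload. Assumed names: field "uploadfile",
// $uploadDir, the size and dimension limits below.

const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];
const MAX_BYTES = 2 * 1024 * 1024; // assumed limit for a display picture
const MAX_DIM   = 4096;            // assumed width/height limit

/**
 * Validate one $_FILES entry and return the path it was stored under.
 * Throws a RuntimeException whose message is safe to show the user.
 */
function store_uploaded_image(array $file, string $uploadDir): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Only trust files PHP itself received through this HTTP request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('Image too large');
    }

    // 1. Extension whitelist on the client-supplied name. pathinfo() takes the
    //    part after the LAST dot, so "shell.php.jpg" yields "jpg"; that is only
    //    acceptable because the client's name is never written to disk.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!in_array($ext, ALLOWED_TYPES, true)) {
        throw new RuntimeException('Invalid file type');
    }

    // 2. Content check: getimagesize() parses the real header and returns
    //    false for anything it does not recognise as an image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info['mime']])) {
        throw new RuntimeException('Not a GIF, JPEG or PNG image');
    }
    // 3. The detected type must agree with the extension the client claimed.
    if (ALLOWED_TYPES[$info['mime']] !== $ext) {
        throw new RuntimeException('Extension does not match image content');
    }
    if ($info[0] > MAX_DIM || $info[1] > MAX_DIM) {
        throw new RuntimeException('Image dimensions too large');
    }

    // 4. Generate the stored name ourselves, with the extension taken from the
    //    detected type, so double extensions and path characters never reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info['mime']];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store image');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Usage in an upload script (field name and directory are assumed):
// try {
//     $path = store_uploaded_image($_FILES['uploadfile'], __DIR__ . '/uploads');
//     echo 'Stored as ' . htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
// } catch (RuntimeException $e) {
//     echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
// }
```

The random file name is the part people skip: even with both checks passing, keeping the client's name lets a double extension or a path separator decide where the file lands. The .htaccess rule is still needed, since a content check cannot prove a file will never be interpreted as code.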
Joshua (author), posted October 7, 2009:

Problem with yours and myself: I'm a trial and error coder right now. I insert code, see if it works; if it doesn't I mess with it some more, until it does. Yours is completely new to me and I would have to basically start the trial from scratch ><

Mine works, though it's not the same as yours: if they enter something other than what I've defined it won't load it. I.e. it stops them from doing the session hack. Yours is def better, but I know how to install mine :P
mdshare, posted October 7, 2009:

I'm trying to help you Immortalthug, don't see it as an attack. And I'm just like you, trial/error and cursing more than once my PC (should be me instead of the PC) if something doesn't do what I want it to do.

Anyway, what you did was not securing your game against any attack, you simply checked on the file extension. And that doesn't tell you if the file is actually an image or not; it could still be malicious...
Curt, posted October 7, 2009:

Nice, I'll try mdshare's method. Thanks for this post :)
Joshua (author), posted October 7, 2009:

Aye, if you understand coding better than I do, I'd suggest MD's method. Mine basically just checks to see if .jpg .jpeg .gif .png is on the end of the file extension.
mj12, posted October 13, 2009:

Since PHP code can be run from almost anywhere, both of the methods mdshare posted are really good and recommended by http://www.scanit.be/
a_bertrand, posted October 13, 2009:

Trying to read the image size as MD made is nice, also because you could reject images due to their size. Another approach is to check the file signature which is at the beginning of the file: a GIF needs to start with "GIF89a" and a PNG starts with "‰PNG".
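The signature check a_bertrand describes, written out as an added example (not his code or anything from the thread). It reads only the first eight bytes, compares them against the GIF, PNG and JPEG magic numbers from the format specifications, and ignores the extension and the browser-sent Content-Type entirely. The sample inputs at the bottom are constructed byte strings, not real uploads; the nullable return type needs PHP 7.1 or newer.

```php
<?php
// Added example: image type from the file signature, independent of
// extension and Content-Type.

/**
 * Return 'gif', 'png' or 'jpg' according to the leading bytes, or null.
 *   GIF : "GIF87a" or "GIF89a"
 *   PNG : 89 50 4E 47 0D 0A 1A 0A (shows as "‰PNG" in a text editor)
 *   JPEG: FF D8 FF (SOI marker followed by the next marker byte)
 */
function image_type_from_signature(string $data): ?string
{
    $head = substr($data, 0, 8);
    if (strncmp($head, "GIF87a", 6) === 0 || strncmp($head, "GIF89a", 6) === 0) {
        return 'gif';
    }
    if ($head === "\x89PNG\r\n\x1a\n") {
        return 'png';
    }
    if (strncmp($head, "\xFF\xD8\xFF", 3) === 0) {
        return 'jpg';
    }
    return null;
}

/** Same check against a file on disk, reading only what is needed. */
function image_type_from_file(string $path): ?string
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 8);
    fclose($fh);
    return $head === false ? null : image_type_from_signature($head);
}

// Constructed sample inputs (not real uploads):
$samples = [
    'real png header'  => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16),
    'real gif header'  => "GIF89a" . "\x01\x00\x01\x00",
    'jpeg header'      => "\xFF\xD8\xFF\xE0\x00\x10JFIF",
    'php file as .jpg' => "<?php system(\$_GET['c']);",
    'empty file'       => '',
];
foreach ($samples as $label => $bytes) {
    $type = image_type_from_signature($bytes);
    printf("%-17s -> %s\n", $label, $type ?? 'rejected');
}
```

The first three samples classify as png, gif and jpg; the PHP source and the empty string are rejected. Note that a signature only proves the file starts like an image, which is the same guarantee getimagesize() gives; neither tells you what follows the header, so the no-execute rule on the upload directory still applies.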
vampireduff, posted October 13, 2009:

mdshare, I'm still learning PHP and would like to use your code, but where would I add it in my files? I know I would add it to any file that I would have that uploads a pic, but whereabouts?
mdshare, posted October 14, 2009:

a_bertrand wrote: "Trying to read the image size as MD made is nice, also because you could reject images due to their size. Another approach is to check the file signature which is at the beginning of the file: a GIF needs to start with "GIF89a" and a PNG starts with "‰PNG"."

Ah, didn't think of that, but I believe that the getimagesize() function should be more than enough as it comes from the same data and it gives you additional power; no clue why a gif, jpg, png should be excluded when the image width/height is known, or I'm missing again something ....
mdshare, posted October 14, 2009:

vampireduff wrote: "mdshare, I'm still learning PHP and would like to use your code, but where would I add it in my files? I know I would add it to any file that I would have that uploads a pic, but whereabouts?"

It isn't my code, it's just some examples on a single function available with PHP. It all depends where to use it in what script; just read on the following and play with it and it shouldn't be difficult at all to implement it on your scripts ----> getimagesize()
Djkanna, posted October 15, 2009:

Okay, I didn't understand this that well but I think I've got it < I think :)

```php
function do_pic_change()
{
    global $db, $h, $userid;
    // getimagesize() returns false for anything it cannot parse as an image;
    // @ keeps the E_WARNING for an unreachable URL off the page.
    $image = ($_POST['newpic'] != "") ? @getimagesize($_POST['newpic']) : false;
    if ($_POST['newpic'] == "") {
        echo "Sorry it seems like you haven't inputed anything please go back and try again. [url='preferences.php?action=picchange']Back[/url]";
    } elseif (!$image) {
        echo "Um yeah you didn't actually think that would work did you?";
    } else {
        $db->query(sprintf("UPDATE users SET display_pic='%s' WHERE(userid=%u)", $db->escape($_POST['newpic']), $userid));
        echo "Display picture has been changed";
        $h->endpage();
        exit;
    }
}
```

It doesn't seem to allow anything but an image file, so I think that's a good start to defeating the Admin Hi-Jack. :)

Thanks, DJK
Joshua (author), posted October 15, 2009:

I have something I found on another forum that appears to work as well, but I will stick yours in and see if it does the trick also :-)
bluegman991, posted October 16, 2009:

So I was just seeing if it would work and to my observance it does. What I did is make it so it checks if it is an image in the preferences page by using this. The only thing is it has to be a valid URL or you will get one of these mysql errors:

```
Warning: getimagesize(degfedsg) [function.getimagesize]: failed to open stream: No such file or directory in /home/*******/public_html/account.php on line 38
Warning: getimagesize() [function.getimagesize]: Couldn't resolve host name in /home/******/public_html/account.php on line 38
Warning: getimagesize(http://) [function.getimagesize]: failed to open stream: operation failed in /home/*****/public_html/account.php on line 38
```

```php
$imageinfo = getimagesize($_POST['newpic']);
// getimagesize() returns false when it cannot read an image; it reports JPEG
// as 'image/jpeg' only, so the 'image/jpg' / 'image/JPG' comparisons never match.
if ($imageinfo === false
    || ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'
        && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/JPG'
        && $imageinfo['mime'] != 'image/png' && $imageinfo['mime'] != 'image/ico'
        && $imageinfo['mime'] != 'image/bmp')) {
    echo "Sorry, we only accept GIF, JPEG, PNG, JPG, ICO, and BMP images! \n";
    $h->endpage(); // endpage() does not stop the script; the UPDATE that follows still runs
}
```

lol I didn't observe closely enough, we get the echo but it still updates.
bluegman991, posted October 16, 2009:

```php
$imageinfo = getimagesize($_POST['newpic']);
if ($imageinfo === false
    || ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'
        && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/JPG'
        && $imageinfo['mime'] != 'image/png' && $imageinfo['mime'] != 'image/ico'
        && $imageinfo['mime'] != 'image/bmp')) {
    // not an image we accept: store the default picture instead
    $_POST['newpic'] = "images/defaultpic.png";
}
```

OK, I got it doing what I want it to do but I still get those errors. Is there something I am not doing right making the errors show, or is there a way I can not show the errors? They only show if an invalid target is posted or it is not an actual gif jpg JPG jpeg ico bmp image.
Joshua (author), posted October 16, 2009:

```php
$imageinfo = getimagesize($_POST['newpic']);
if ($imageinfo === false
    || ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'
        && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/JPG'
        && $imageinfo['mime'] != 'image/png' && $imageinfo['mime'] != 'image/ico'
        && $imageinfo['mime'] != 'image/bmp')) {
    print "Sorry, We only accept Images.";
} else {
    $_POST['newpic'] = "images/defaultpic.png";
}
```

Something along those lines perhaps? You're making a call that if the images != to, but you aren't telling it what to do if they aren't.
bluegman991, posted October 16, 2009:

Immortal, what that code does is it only says that it's not an image if it's not, but if it is an image it changes it to the default pic. So I deleted the else and it did what it was supposed to do, but still when the target wasn't valid I got those errors. Is there something I can do to hide those errors?
Joshua (author), posted October 17, 2009:

Yea, as I said, though my coding may not be 100% accurate. You are telling it to check if it's an image, and if it is, post a pic. However, if it ISN'T, you aren't telling it what to do. You need to come up with an if or else statement telling it what to do if it's not a picture and if it is a picture.

I have a secured preferences posted up in the regular section of mccodes (not the mods section); perhaps look at that one as it works :-)
bluegman991, posted October 21, 2009:

Nope, I have the else statement. I believe it is something else; look at the error:

```
Warning: getimagesize() [function.getimagesize]: Couldn't resolve host name in /home/*****/public_html/account.php on line 38
Warning: getimagesize(http://masdfvs) [function.getimagesize]: failed to open stream: operation failed in /home/mafiagan/public_html/account.php on line 38
Warning: getimagesize(http://www.******.net/city) [function.getimagesize]: could not make seekable - http://www.***.net/city in /home/****/public_html/account.php on line 38
Warning: getimagesize(rsdfvesf) [function.getimagesize]: failed to open stream: No such file or directory in /home/******/public_html/account.php on line 38
```

Can someone help me either hide this error or make an add-on to this mod, [mccode v2.x] User Settings [mod], that stops the admin hack?
Djkanna, posted October 21, 2009:

Not the best way, but I think you could turn off error_reporting. As getimagesize generates an E_WARNING, try adding this to preferences under include "globals.php";

```php
error_reporting(E_ALL ^ E_WARNING);
```

If that doesn't work you could just try turning off all errors within preferences:

```php
error_reporting(0);
```

See if that works; try the first one first, use the second one as a last resort. (Cannot say if either will work as I've not tested it.) Or try to figure out a way round doing this.

DJK.
a_bertrand, posted October 21, 2009:

Adding an @ in front of the function which produces the warning will remove it:

```php
$file = @fopen("blabla", "r");
```

I would use that instead of disabling the error reporting.
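The getimagesize()-on-a-URL approach from Djkanna's and bluegman991's posts, with the warning handled the way a_bertrand suggests, as an added example (not code from any of them or from mccodes). The field name newpic and the fallback images/defaultpic.png are taken from the posts above; $db->escape() and $userid in the usage comment are assumed to exist as in Djkanna's snippet. One caveat the thread does not mention: getimagesize() on a URL makes your web server fetch whatever address the user typed (allow_url_fopen must be on for it to work at all), so the example validates the URL and checks that its host resolves to public addresses before the fetch, rather than letting users point the server at internal hosts. gethostbynamel() only returns IPv4 addresses, which is a limitation of this example.

```php
<?php
// Added example: validate a display-picture URL before and after fetching it.
// Assumed: field "newpic", default picture path, allow_url_fopen enabled.

const DEFAULT_PIC   = 'images/defaultpic.png';
const ALLOWED_MIMES = ['image/gif', 'image/jpeg', 'image/png'];

/** True if $url is an absolute http(s) URL whose host resolves to public addresses only. */
function is_safe_image_url(string $url): bool
{
    if (strlen($url) > 2048 || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass']) || empty($parts['host'])) {
        return false;
    }
    $ips = gethostbynamel($parts['host']);
    if ($ips === false || $ips === []) {
        return false; // bluegman's "Couldn't resolve host name" case, without the warning
    }
    foreach ($ips as $ip) {
        // Reject loopback, RFC 1918 and reserved ranges: the server must not be
        // talked into fetching from its own network on a user's behalf.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

/**
 * Return the URL to store, or DEFAULT_PIC if it is not a usable image.
 * $reason receives a user-safe explanation when the default is returned.
 */
function validated_display_pic(string $url, ?string &$reason = null): string
{
    $url = trim($url);
    if ($url === '') {
        $reason = 'No image URL entered';
        return DEFAULT_PIC;
    }
    if (!is_safe_image_url($url)) {
        $reason = 'Enter a full http:// or https:// URL of an image';
        return DEFAULT_PIC;
    }
    // @ silences only this call's E_WARNING (unreachable host, not an image);
    // the false return value is what we act on. Nothing else is suppressed.
    $info = @getimagesize($url);
    if ($info === false || !in_array($info['mime'], ALLOWED_MIMES, true)) {
        $reason = 'Sorry, we only accept GIF, JPEG and PNG images';
        return DEFAULT_PIC;
    }
    $reason = null;
    return $url;
}

// Usage in the preferences handler (assumed: $db->escape(), $userid):
// $pic = validated_display_pic($_POST['newpic'] ?? '', $why);
// $db->query(sprintf("UPDATE users SET display_pic='%s' WHERE userid=%u",
//                    $db->escape($pic), $userid));
// echo $why === null ? 'Display picture changed'
//                    : htmlspecialchars($why, ENT_QUOTES, 'UTF-8');
```

Two things matter for the "code instead of a URL" problem the thread opened with: the value only reaches the database if it passed the URL check (so it never contains angle brackets or quotes), and whatever is stored must still go through htmlspecialchars() when it is placed in the img src attribute on the profile page, because the database is not the place a browser reads it from.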
Guest Null, posted January 4, 2010:

Isn't it possible to bind a PHP file with an image? If it is, that would suck. Sorry, I'm a little new to methods of coding but I learn quick :)
Zero-Affect, posted January 5, 2010:

It's possible to edit .htaccess to replace .jpg with .php, so actually linking an image when submitting but then switching it later to enable a PHP file. I remember Lost One saying something about this.