
Webmaster General Forum

    
Virus risk, receiving pictures vs receiving urls
advantage

5+ Year Member



 
Msg#: 10492 posted 1:21 pm on Dec 14, 2005 (gmt 0)

I'm working on a website where my customers can send in a picture of themselves. But I'm worried about that opening me WAY up to a virus hidden in one of their attachments. Accidentally or on purpose.

Am I safer by insisting on receiving URLs only from them where I can go and download or even just copy it myself?

Any other best ways around inviting a typhoid Mary picture directly into my computer?

 

Krapulator

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 10492 posted 1:29 am on Dec 15, 2005 (gmt 0)

Limit your file uploads to jpg's only.

Leosghost



 
Msg#: 10492 posted 1:37 am on Dec 15, 2005 (gmt 0)

virii exist also in jpegs..as do many other things such as directions to illegal pron ..or images of the same or data or links to info data or sites that is /are illegal where you are ..( investigate "stenography" if you really want to understand the basics )

the only way you can be reasonably safe is to allow uploads to a sandbox ..you scan the contents with at least 3 different Av's..( and learn to read hidden / imbedded / encrypted data traces )

you then if they are shown "clean" imbed them in your pages ..

and even then you are not certain ..

there are other issues concerning your or others security involved with allowing the uploading of any data in any form to your space ..

advantage

5+ Year Member



 
Msg#: 10492 posted 3:22 am on Dec 15, 2005 (gmt 0)

I'm still not sure about it. For example, I can usually just left click and drag over a picture, then hit ctrl C which copies the picture.

Is that the same as downloading it? Is viewing it before I left click it as dangerous virus-wise as copying it?

I just tried it off of a Yahoo image search. It won't add itself onto a File in my Photosuite with ctrl V, but it will attach to a new Hotmail letter, then I can send it to myself.

Any of this safer?

kaled

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 10492 posted 1:23 pm on Dec 15, 2005 (gmt 0)

I've heard it said that viruses can exist in jpegs, however, unless a file type is registered as executable in some way, a virus might exist in the file but it's harmless.

If you are certain that uploaded files cannot be executed, there should not be a problem.

Kaled.

lasko

10+ Year Member



 
Msg#: 10492 posted 3:28 pm on Dec 15, 2005 (gmt 0)


I used to only check the extension, but since moving to php5 I started using another function as well. It's also available in php4.3.

I'm using the following exif_imagetype function that reads the first few bytes of the file to see if it's actually an image or pdf etc.

if (exif_imagetype($_FILES['files']['tmp_name']) == IMAGETYPE_GIF)
{
    $this->Upload($_FILES, $dir);
}

[cz.php.net...]

Currently I only allow Gif and Jpgs to be added if it's for Joe Public use.

When it comes to private admin areas then I allow docs and other files.

wyvern

10+ Year Member



 
Msg#: 10492 posted 3:32 am on Dec 18, 2005 (gmt 0)

Maybe running some rendering filters on the newly uploaded images (using a library like ImageMagick or GD), which only slightly modify the image if at all, would verify that it's actually a valid image (otherwise the rendering library would stop with an error) and break any virus code which they might contain.
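
The two suggestions above (checking the leading bytes with exif_imagetype, then passing the file through GD so it is fully decoded and rewritten) combined into one function, as an added example that is not code from any poster in this thread. The function name safe_store_image, its parameters, the size limits and the target directory are assumptions; it requires PHP 7 or later with the exif and GD extensions.

```php
<?php
// Added example: type-sniff an uploaded picture, then re-encode it with GD.
// safe_store_image() and its limits are hypothetical, not from the thread.

function safe_store_image(string $tmpPath, string $destDir, int $maxBytes = 5000000): string
{
    // Reject missing, empty or oversized files before any parsing.
    $size = @filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('File missing, empty or too large');
    }

    // Check the leading bytes; the client-supplied name and extension are ignored.
    $type = @exif_imagetype($tmpPath);
    $loaders = [
        IMAGETYPE_GIF  => 'imagecreatefromgif',
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
    ];
    if ($type === false || !isset($loaders[$type])) {
        throw new RuntimeException('Only GIF and JPEG are accepted');
    }

    // Bound the pixel dimensions before decoding to avoid memory exhaustion.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || $info[0] * $info[1] > 25000000) {
        throw new RuntimeException('Unreadable or oversized image dimensions');
    }

    // Full decode: a file with a valid header but a broken body fails here.
    $img = @$loaders[$type]($tmpPath);
    if ($img === false) {
        throw new RuntimeException('Image failed to decode');
    }

    // Write a fresh JPEG under a server-chosen name. Only pixel data is
    // encoded, so metadata, comments and trailing bytes are not carried over.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($img, $dest, 90)) {
        throw new RuntimeException('Could not write re-encoded image');
    }
    return $dest;
}

// Usage with the upload field name from the post above (directory is an assumption):
// $path = safe_store_image($_FILES['files']['tmp_name'], '/var/www/uploads');
```

Only the first frame of an animated GIF survives the conversion, and GIF transparency is lost when the image is written as JPEG.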
