Should I enable forum avatars & forum signatures?
What are the security risks?
I have started a new forum. I am planning to allow users to post avatars (images) to their profiles from their computers, as well as upload images for signatures.
1) What are the security risks involved?
2) Should I not allow images to be uploaded, and rather ask them to send images to me in email, which, if I approve, will then be uploaded by me?
I guess the main risk you run is controlling what images people upload to the server. I don't believe it is possible to automatically "screen" images that are uploaded.
I guess you could record all uploads in a Database somehow, which controls whether they are shown online or not.
You could then build yourself a little admin area to allow or disallow newly uploaded images depending on whether or not you approve.
This is really just the same as your second option, but it would take a bit of the manual work out of it for you. All you would have to do is add a column in the database (depending how your images are uploaded). The column could have a "1" if the image is OK to show and a "0" if it's not allowed.
Hope this is a little helpful!
Premoderating images is essential, and they must be located on your server to avoid image switching later.
Some forum software will queue images for approval. If your volume is low, the email solution could work. Be sure to specify the maximum pixels and other format details, and be sure you are running good virus protection if you will be getting lots of attachments from strangers.
Personally, I find sigs kind of annoying, but then WebmasterWorld members are sort of self-selected. If your software enables displaying sigs only the first time they are used on each page, enable that feature. The only thing worse than a sig is a sig repeated ten times on a page. Imagine a post that says, "Yeah, I agree" followed by a sig consisting of a name, a witty slogan, a few links to the author's websites, maybe a blinking graphic...
A method I've found success with is programming my software so that your signature is only displayed if your message is longer than your signature. This has had a two-fold effect. Some people are writing longer, more meaningful messages and at the same time other people are using much shorter signatures.
Regarding photographs, the nature of my site is such that most photos cannot be pre-moderated. But since avatars and a personal photograph can be in png, gif, jpg or bmp format, what I've done is define a db column that holds the image's extension. Until it gets approved the extension has an "x" appended to it, which restricts its visibility until a moderator can review it.
In terms of security, make sure to use a package that lets you limit the size of the upload. I also use a piece of code that uses several Windows APIs to check the image's width, height, pixel depth, and format. For jpg files I also do a virus scan.
This may be too much for some folks, but as a software developer I find it easy to incorporate these features into my message board software and I haven't had a "bad" upload since the site went online back in 1998.
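The checks described in the last two posts (size limit, format and dimension check from the file's own bytes, an "x"-suffixed extension until a moderator approves) and the 1/0 approval column from the first reply, as an added example that is not code from this thread or from any poster's message board software. It uses pure-Python header parsing for the four formats the post names instead of the Windows APIs the poster mentions; the size and dimension caps, the sqlite table, the function names and the sample headers are all constructed for the example.

```python
import os
import sqlite3
import struct

# Hypothetical policy values; a real board would choose its own.
MAX_BYTES = 64 * 1024          # reject anything over 64 KiB before parsing it
MAX_WIDTH = MAX_HEIGHT = 150   # avatar dimension cap in pixels


def _jpeg_size(data):
    """Walk JPEG marker segments until a SOF marker yields (width, height)."""
    i = 2
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker == 0xFF:                          # fill byte, skip it
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:  # standalone markers carry no length
            i += 2
            continue
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):  # SOFn
            if i + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + length
    return None


def sniff_image(data):
    """Identify format and pixel size from the bytes themselves.
    Returns (fmt, width, height) or None; the client's filename is never trusted."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        w, h = struct.unpack(">II", data[16:24])
        return "png", w, h
    if data[:6] in (b"GIF87a", b"GIF89a"):
        w, h = struct.unpack("<HH", data[6:10])
        return "gif", w, h
    if data[:2] == b"BM" and len(data) >= 26:
        w, h = struct.unpack("<ii", data[18:26])   # height is negative for top-down BMPs
        return "bmp", w, abs(h)
    if data[:2] == b"\xff\xd8":
        size = _jpeg_size(data)
        if size:
            return ("jpg",) + size
    return None


def validate_upload(filename, data):
    """(True, fmt) if the upload passes size, type and dimension checks, else (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "file exceeds size limit"
    sniffed = sniff_image(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    fmt, w, h = sniffed
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = "jpg" if ext == "jpeg" else ext
    if ext != fmt:
        return False, "extension .%s does not match content (%s)" % (ext, fmt)
    if not (0 < w <= MAX_WIDTH and 0 < h <= MAX_HEIGHT):
        return False, "dimensions %dx%d exceed %dx%d" % (w, h, MAX_WIDTH, MAX_HEIGHT)
    return True, fmt


def open_store():
    """In-memory table; 'approved' is the 1/0 moderation flag from the first reply."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE avatar (user_id INTEGER PRIMARY KEY, "
               "ext TEXT NOT NULL, approved INTEGER NOT NULL DEFAULT 0)")
    return db


def accept_upload(db, user_id, filename, data):
    """Validate, record as unapproved, and return the quarantined file name
    (extension with 'x' appended, as in the post above), or None if rejected."""
    ok, result = validate_upload(filename, data)
    if not ok:
        return None
    db.execute("INSERT OR REPLACE INTO avatar (user_id, ext, approved) VALUES (?, ?, 0)",
               (user_id, result))
    return "avatar_%d.%sx" % (user_id, result)   # server-chosen name, never the client's


def approve(db, user_id):
    """Moderator action: flip the flag; the file is renamed to drop the 'x' at the same time."""
    db.execute("UPDATE avatar SET approved = 1 WHERE user_id = ?", (user_id,))


def public_path(db, user_id):
    """What a page template may render: None until a moderator has approved."""
    row = db.execute("SELECT ext, approved FROM avatar WHERE user_id = ?", (user_id,)).fetchone()
    if row is None or row[1] != 1:
        return None
    return "/avatars/avatar_%d.%s" % (user_id, row[0])


# Constructed sample headers (not real uploads): only the bytes the checks read.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + struct.pack(">II", 100, 100)
SAMPLE_GIF_WIDE = b"GIF89a" + struct.pack("<HH", 400, 120)
SAMPLE_JPG = b"\xff\xd8\xff\xc0\x00\x11\x08" + struct.pack(">HH", 64, 32) + b"\x03"
SAMPLE_BMP = b"BM" + b"\x00" * 16 + struct.pack("<ii", 40, -40)
SAMPLE_TEXT = b"<html>not an image</html>"

if __name__ == "__main__":
    db = open_store()
    for name, blob in [("me.png", SAMPLE_PNG), ("me.gif", SAMPLE_GIF_WIDE),
                       ("me.jpeg", SAMPLE_JPG), ("me.jpg", SAMPLE_TEXT)]:
        print(name, validate_upload(name, blob))
    print(accept_upload(db, 7, "me.png", SAMPLE_PNG), public_path(db, 7))
    approve(db, 7)
    print(public_path(db, 7))
```

The format decision comes from the header bytes, so a renamed text or HTML file is rejected regardless of its extension, and the dimension check happens before the file is ever handed to an image library or served. The server also picks the stored file name, so the client's name never reaches the filesystem.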
Thanks to all of you.
Can scripts be run from the signature field / image upload?