Forum Moderators: rogerd
I have started a new forum. I am planning to allow users to post avatars (images) to their profiles from their computers, as well as upload images for signatures.
1) What are the security risks involved?
2) Should I not allow images to be uploaded? Rather, ask them to send images to me in email, which, if I approve, will then be uploaded by me?
I guess you could record all uploads in a Database somehow, which controls whether they are shown online or not.
You could then build yourself a little admin area to allow or disallow newly uploaded images depending on whether or not you approve.
This is really just the same as your second option, but it would take a bit of the manual work out of it for you. All you would have to do is add a column in the Database (depending how your images are uploaded). The column could have a "1" if the image is OK to show and a "0" if it's not allowed.
Hope this is a little helpful!
Some forum software will queue images for approval. If your volume is low, the email solution could work. Be sure to specify the maximum pixels and other format details, and be sure you are running good virus protection if you will be getting lots of attachments from strangers.
Personally, I find sigs kind of annoying, but then WebmasterWorld members are sort of self-selected. If your software enables displaying sigs only the first time they are used on each page, enable that feature. The only thing worse than a sig is a sig repeated ten times on a page. Imagine a post that says, "Yeah, I agree" followed by a sig consisting of a name, a witty slogan, a few links to the author's websites, maybe a blinking graphic...
Regarding photographs, the nature of my site is such that most photos cannot be pre-moderated. But since avatars and a personal photograph can be in png, gif, jpg or bmp format, what I've done is define a db column that holds the image's extension. Until it gets approved the extension has an "x" appended to it, which restricts its visibility until a moderator can review it.
In terms of security, make sure to use a package that lets you limit the size of the upload. I also use a piece of code that uses several Windows APIs to check the image's width, height, pixel depth, and format. For jpg files I also do a virus scan.
This may be too much for some folks, but as a software developer I find it easy to incorporate these features into my message board software and I haven't had a "bad" upload since the site went online back in 1998.
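The checks described in the post above (an upload size cap, format and dimensions read from the file itself, and an "x"-suffixed extension until a moderator approves), as an added Python example that is not part of the original thread or any poster's code. The limits and function names are assumptions, and it parses the image headers directly instead of calling the Windows APIs the post mentions.

```python
import struct

MAX_BYTES = 100 * 1024   # assumed upload size cap
MAX_W = MAX_H = 150      # assumed avatar pixel limits
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # JPEG frame-header markers

def jpeg_size(data):
    """Walk JPEG segments until a frame header gives (width, height)."""
    i = 2
    while i + 9 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("corrupt JPEG segment")
        marker, seglen = data[i + 1], struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in SOF:
            h, w = struct.unpack(">HH", data[i + 5:i + 9])
            return w, h
        if seglen < 2:
            raise ValueError("corrupt JPEG segment length")
        i += 2 + seglen
    raise ValueError("no JPEG frame header found")

def sniff_image(data):
    """Return (format, width, height) from the file's own header bytes."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR" and len(data) >= 24:
        return ("png",) + struct.unpack(">II", data[16:24])
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        return ("gif",) + struct.unpack("<HH", data[6:10])
    if data[:2] == b"BM" and len(data) >= 26 and struct.unpack("<I", data[14:18])[0] >= 40:
        w, h = struct.unpack("<ii", data[18:26])
        return "bmp", w, abs(h)  # negative height means a top-down bitmap
    if data[:2] == b"\xff\xd8":
        return ("jpg",) + jpeg_size(data)
    raise ValueError("not a png, gif, jpg or bmp header")

def pending_extension(data, claimed_ext):
    """Validate an upload; return the extension to store while it awaits review."""
    if len(data) > MAX_BYTES:
        raise ValueError("upload too large")
    fmt, w, h = sniff_image(data)
    claimed = claimed_ext.lower().lstrip(".").replace("jpeg", "jpg")
    if claimed != fmt:
        raise ValueError("extension does not match file content")
    if not (0 < w <= MAX_W and 0 < h <= MAX_H):
        raise ValueError("image dimensions out of range")
    return fmt + "x"  # "x" suffix hides the image until a moderator approves it

# Constructed sample: the first bytes of a 64x64 GIF header.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 64, 64) + b"\x00" * 3
print(pending_extension(SAMPLE_GIF, ".gif"))
```

Anything that raises `ValueError` is rejected before it is written to disk; a header check like this complements, and does not replace, the virus scan and moderator review described in the thread.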