Bugtraq mailing list archives

Re: The Dangers of Allowing Users to Post Images


From: "Chris Lambert" <clambert () gamespy com>
Date: Thu, 14 Jun 2001 21:10:01 -0400

| This is not a big deal if you use some validation on images (in PHP at
| least).
|
| Try the function getImageSize(); it will return an array containing the
| size of the image, as well as the format. If the file specified is not a
| GIF, JPEG, PNG, or SWF, getImageSize() returns null.

Except in the case of bulletin boards, the images are located on remote
servers. getImageSize (although it supports HTTP addresses in PHP4.05) would
have to work from a fully downloaded copy of the image. This means that if a
user posted an image, the server would have to download it entirely, check
for its validity, and THEN proceed with inserting it into the database. This
isn't a solution for us in vBulletin, as it could mean that a server's
bandwidth charges are sent sky high, not only because it has to transfer
every 80KB screenshot that's posted, but because of some kiddie who decided
it'd be funny to link to an 800MB image.
--
WhiteCrown Networks - Web Application Security
www.whitecrown.net - services () whitecrown net
 ______________________________
/ Chris Lambert - cjlambert () home com
|-> ICQ #: 16435685 - AIM: ClipperChris
`-> Cell: (401) 743-2786 - http://sms.clambert.org/
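The bandwidth problem described above comes from validating only after a full download. The usual mitigation is to transfer a bounded prefix, decide format and dimensions from the header bytes alone, and refuse anything whose declared size is absurd before reading further. The following is an added example written for this archive page, not vBulletin code and not from either poster, in Python rather than PHP; MAX_PREFIX, MAX_CONTENT_LENGTH and MAX_DIM are assumed limits, and the sample headers are constructed, not real files.

```python
import struct
from urllib.request import urlopen

MAX_PREFIX = 64 * 1024                 # bytes transferred per check (assumed limit)
MAX_CONTENT_LENGTH = 2 * 1024 * 1024   # reject anything declared larger (assumed limit)
MAX_DIM = 4096                         # reject absurd header dimensions (assumed limit)

def sniff_image(prefix):
    """Return (format, width, height) from header bytes, or None if not GIF/PNG/JPEG."""
    if prefix[:6] in (b"GIF87a", b"GIF89a") and len(prefix) >= 10:
        w, h = struct.unpack("<HH", prefix[6:10])       # logical screen size
        return ("gif", w, h)
    if prefix[:8] == b"\x89PNG\r\n\x1a\n" and prefix[12:16] == b"IHDR" and len(prefix) >= 24:
        w, h = struct.unpack(">II", prefix[16:24])      # IHDR width, height
        return ("png", w, h)
    if prefix[:2] == b"\xff\xd8":                       # SOI marker: walk the segments
        i = 2
        while i + 9 <= len(prefix) and prefix[i] == 0xFF:
            marker = prefix[i + 1]
            seglen = struct.unpack(">H", prefix[i + 2:i + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):  # SOFn
                h, w = struct.unpack(">HH", prefix[i + 5:i + 9])  # after 1-byte precision
                return ("jpeg", w, h)
            i += 2 + seglen                             # skip APPn/COM/DQT/... segments
    return None

def check_image(prefix, content_length=None):
    """Accept/reject from the prefix and the server's declared size; returns (ok, reason)."""
    if content_length is not None and content_length > MAX_CONTENT_LENGTH:
        return False, f"declared size {content_length} exceeds limit"
    info = sniff_image(prefix)
    if info is None:
        return False, "not a GIF/PNG/JPEG header"
    fmt, w, h = info
    if not (0 < w <= MAX_DIM and 0 < h <= MAX_DIM):
        return False, f"{fmt} dimensions {w}x{h} out of range"
    return True, f"{fmt} {w}x{h}"

def check_remote_image(url):
    with urlopen(url, timeout=5) as resp:               # closing resp stops the transfer
        declared = resp.headers.get("Content-Length")
        prefix = resp.read(MAX_PREFIX)                  # never more than MAX_PREFIX bytes
    return check_image(prefix, int(declared) if declared else None)

# Constructed sample headers (not real files) for offline use and tests.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 640, 480) + b"\x00" * 4
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 1024, 768)
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
               + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", 300, 400))
```

A server that lies in Content-Length is still bounded by MAX_PREFIX, since the response is closed after the prefix is read; a file whose header passes but whose body is corrupt is a rendering problem for the viewer's browser, not a bandwidth problem for the forum.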
