I'm working on a portal that requires users to upload the images which wil be shown in a certain HTML pages. What should be the good practice here ?
Should I avoid uploading and ask users to give their own URL for the images ?
Ask users to upload image files.
Since we know, an image can be a deadly one if it contains code injection, but what about the remote ones, are they secure ?
Thanks
分享 It depends on your website consistency. Uploading is much better than entering URL for example if the targeted audience is a professional clients they would prefer uploading as it would be difficult to explain to them what is a remote url and how to get it. But uploading is a more traditional way and feels more easy.
On the other hand if most of your targeted audience is internet users then there might be no need to give upload option. But as I said uploading feels much more natural and easy to users. It also depends on the type of images, if the images are the user's avatar then uploading would fit and if the users are adding images to your website to only share images they found from other websites then remote url would be more appropriate.
Both uploading and fetching remote ones to your server could be deadly, but if you use remote ones just to store the urls in your database then it will create no security problem.
So if you want upload feature or storing the remote images to your server you must do some certain steps to ensure the security of your server:
Verify the file extension and mime to be of valid image. (Don't rely only on this.)
Verify it's a valid image file (using php getimagesize)
Resize and copy the image into a new image object. And store that image into your server.
The folder where you are going to store must have all kinds of code executions disabled by using .htaccess (SetHandler default-handler)
分享
