I want to get images from URLs (width extensions as GIF, PNG, ASPX, PHP, JSP,...), similiar to "Upload avatar from URL" function of forums. But I don't know much about security of this function. I hope everybody can discuss about security of its, and help me. Thank
I wrote an upload class which can handle URL uploading. http://www.bytemycode.com/snippets/snippet/528/
No, I want to recommend to security problems of using open URL methods. Does it make mistakes which hackers may use them to hack my site?
The security issues are basically the same. You can validate files by size, extension, and MIME type. We face the same problem here as we do with HTTP uploads, that the extension and MIME type can easily be faked and any file type could be uploaded. Now that's not necessarily an issue if we have a good file extension validation, because a malicious person might be able to upload a bad script to our server, but he won't be able to run it unless it has a .php extension (or any other that the server parses or executes) If you just plan to allow image uploads, then I suggest testing the files using for example getimagesize(). If it returns false, delete the file and throw an error. Otherwise keep it. But don't ever allow the files to have PHP extensions, because PHP code can be inserted in GIF images which would still be considered valid GIFs after. If it's a dynamic URL and the image is pulled from the database, then check the headers you receive first. There's most likely a file name given in the Content-Disposition header. Use THIS file extension. Don't make your files accessible in public directories unless you're 100% sure they're good files.