Verify if uploaded image is really an image

Discussion in 'PHP' started by jayg5000, Oct 5, 2007.

  1. #1
    I have seen verifiers that check to make sure an uploaded image has .gif or .jpg at the end of the string but could you check to see if it is really an image or just a file named like an image?
     
    jayg5000, Oct 5, 2007 IP
  2. nico_swd
    #2
    If you have the fileinfo extension installed, that'd be your best bet.

    If not, you can give mime_content_type() a chance, even though it's deprecated.

    And if that fails too, you can try getimagesize(), which works only on images, and a few video types. This will most likely work.
     
    nico_swd, Oct 5, 2007 IP
  3. jayg5000
    #3
    Thanks for the links. The third one is still a little confusing on how it works or how I would use it. Could anyone give a basic example? Also, has anyone seen an "image" actually be an executable file or contain a virus of some kind? What are the dangers in allowing users to upload images?
     
    jayg5000, Oct 5, 2007 IP
  4. bubbles19518
    #4
    It is possible to include Javascript in a JPEG, but as long as you are checking for the width/height you should be good.
     
    bubbles19518, Oct 5, 2007 IP
  5. imagize
    #5
    The first thing you should do is check the file ends with a valid image extension like .gif, .jpg, .png etc. Functions like substr and strpos will be useful for this. The reason is even if the file is not legitimate, Apache will not run it as executable code.

    Try it for yourself - Make a simple "Hello world" php script and call it hello.php.

    <?php
    // hello.php: a trivial script used only to test what the server does with it
    echo 'hello world';

    Now rename it to hello.jpg and upload it to your server. Open it up in your browser; it will not execute the PHP code.

    This is your first line of defence. Someone could upload a bad file but it won't do damage unless they have system access in other ways. I am not going to cover the security of general uploading as this thread is specific to images.

    Using the hello.jpg file you have uploaded, write another php script to test it. getimagesize() returns an array of information about the image. http://php.net/getimagesize

    <?php
    // getimagesize() returns false (and may emit a warning, suppressed with @)
    // when the file cannot be parsed as an image
    $img_attributes = @getimagesize("/path/to/image");
    if (!is_array($img_attributes) || !count($img_attributes))
    {
        // not an image, some kind of error handling
        echo 'Invalid image';
        exit();
    }
    This will capture most bad files but not all. You should check to make sure the uploaded file has a mime type consistent with an image. The mime type is index 2 in the array returned by getimagesize (check manual link for more details). Also some people can fake gif headers so I suggest you google this subject.

    Also for further protection, you could store user uploaded files below the document root and serve them using your own script. This means no user files are publicly accessible on your site unless you say so.

    Hope this helps.
     
    imagize, Oct 5, 2007 IP
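Putting the thread's advice together in one script (an added example, not code posted in this thread): fileinfo and getimagesize() must both recognise the upload as one of three whitelisted image types, and the file is then stored under a random server-chosen name in a directory the web server does not serve. Assumptions: a form field named "photo" and a writable /var/app/uploads outside the document root; a file with a genuine image header and junk appended still passes these checks, which is why the store-outside-docroot step matters.

```php
<?php
// Added example, not code from the thread: accept an upload only if fileinfo
// and getimagesize() agree it is an image on a small whitelist, then store it
// under a server-chosen name outside the document root.
// Assumptions: form field "photo"; /var/app/uploads exists, is writable, and is
// not served by the web server.

function validateUploadedImage(array $file): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or is not a real upload');
    }
    // Magic-byte MIME type we accept => extension we assign ourselves.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

    // 1. fileinfo sniffs content; the client-supplied name and type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);

    // 2. getimagesize() must parse it; index 2 is the IMAGETYPE_* constant.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not a parseable image');
    }
    $imageMime = image_type_to_mime_type($info[2]);

    // 3. Both detectors must agree and the type must be whitelisted.
    if ($mime !== $imageMime || !isset($allowed[$mime])) {
        throw new RuntimeException("rejected type $mime / $imageMime");
    }
    // 4. Cap dimensions before any later decoding with GD/Imagick.
    if ($info[0] > 8000 || $info[1] > 8000) {
        throw new RuntimeException('image dimensions too large');
    }
    return ['ext' => $allowed[$mime], 'width' => $info[0], 'height' => $info[1]];
}

try {
    $meta = validateUploadedImage($_FILES['photo']);
    // Random server-side name: the original filename never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $meta['ext'];
    if (!move_uploaded_file($_FILES['photo']['tmp_name'], "/var/app/uploads/$name")) {
        throw new RuntimeException('could not store file');
    }
    echo "stored {$meta['width']}x{$meta['height']} image as $name";
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Invalid image';
}
```

Serve the stored files through a script that reads them by the generated name and sends the whitelisted Content-Type, so a user-supplied filename is never used to locate or label a file.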
  6. jayg5000
    #6
    Thanks for the good info and help. Seems like as long as you take the precautionary measures it shouldn't be that big of a problem... especially for a lower traffic site.
     
    jayg5000, Oct 6, 2007 IP