Manuel Lemos from phpClasses.org has written an excellent post about the risks of allowing users to upload images. It's not something I've done a lot, but let's say you have a generated image such as this one, with a .php extension. I could upload it to your server and have it served from there; not much use to me, because it would fail to update.
The next guy, however, might upload a malicious script that takes over your server, sends spam, etc.
Read his post here: PHP security exploit with GIF images
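One way to handle image uploads so that neither the client-supplied filename nor the declared content type is trusted, as an added example (not code from the post or from Manuel Lemos's article); the upload directory path is an assumption:

```php
<?php
// Added example: a PHP upload handler that ignores the client's filename and
// MIME type, checks the real image header, re-encodes the pixels through GD,
// and stores the result under a server-chosen name. Assumes GD is available
// and UPLOAD_DIR (assumed path) lies outside the web root.
const UPLOAD_DIR = '/var/app/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// Image types accepted, keyed by what getimagesize() reports from the file
// contents, mapped to the extension we assign ourselves.
const ALLOWED = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function store_uploaded_image(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])
        || $file['size'] > MAX_BYTES) {
        return null;
    }
    // getimagesize() parses the actual header, so a .gif that is really a
    // script, or a .php with a forged Content-Type, is rejected here. The
    // client-controlled $file['type'] and $file['name'] are never consulted.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        return null;
    }
    // Re-encode through GD: a valid GIF carrying PHP in a comment block or in
    // trailing bytes loses that payload, since only decoded pixels are written.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    $ext  = ALLOWED[$info[2]];
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // random, server-chosen
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($ext) {
        'gif' => imagegif($img, $dest),
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $name : null;   // e.g. store_uploaded_image($_FILES['avatar'])
}
```

Re-encoding drops GIF animation and EXIF metadata, which is the intended trade-off; serve the stored files through a script or a directory with PHP execution disabled rather than from the web root.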
There are many ways to protect against such dangers; keep in mind that an updated server has a better chance of fighting back. Also, use programming techniques where you check the MIME type of the uploaded file and trash it if it's not of an acceptable MIME type. Nevertheless, the best way to prevent violations is to make the internet user sign up with their email address, validate the email by sending a validation link to their mailbox, and have them click back to your website.
Breckenridge, every single last one of those suggestions was wrong.
First of all, updated PHP servers will now gleefully accept php script in GIF file extensions, worsening the vulnerability.
Second of all, mime-types can be forged.
Third of all, requiring validation links does ABSOLUTELY NOTHING to prevent this type of abuse. Now they have to register to get their exploit to work, so what?
BTW: read this:
http://www.scanit.be/uploads/php-file-upload.pdf