
How to detect if a file with a .png extension contains code or an image?

@Welton855

Posted in: #FileExtension #Php #Security #WebHosting

I have been in trouble for the last few days since my web host was hacked for POSTs on PHP files. I've been dealing with files with a .png extension that have PHP code inside. I can't even try to edit them one by one to check whether each is a valid .png file or not.

Is there any way to mass-check whether a file with a .png extension is real or fake?





3 Comments



@Chiappetta492

Nowadays most hosting providers have disabled the short tag "<?" for security reasons.

So, you can grep / strstr for "<?php" in the uploaded file. If a match is found, simply delete the file.

We have been following this for a long time and it seems to work very well.




@Lengel546

Is there any way to mass-check whether a file with a .png extension is real or fake?


No, not really.

Since it has been suggested in an answer and in the comments: checking the first X bytes of a file is not a proper way to determine whether it contains PHP code or not (what about the content after the first X bytes?).

Additionally, PHP code can be hidden in metadata or IDAT chunks, meaning that you can have a completely valid image file, which also contains PHP code.

It is extremely difficult to check if an image contains further harmful data or not.

So what you want to do is:


check the extension. If it is png, it will not be executed (except if you also allow upload of htaccess files or have an LFI vulnerability)
store the file outside of the web root (again, it cannot be executed, except via LFI)
forbid execution in that directory (again, can be bypassed via LFI)
strip all metadata from the image (which will remove PHP code in the metadata)
transform the image to a different format (which will destroy PHP code in IDAT chunks or similar methods)
as @mani said, you can search the uploaded file for opening PHP tags. You definitely want to search for <?php, <?=, and <script (case-insensitive). Additionally, you might want to search for <? (if short tags are allowed) and <% (in case ASP tags are allowed). This should take care of PHP code, but not of other possibly harmful content.




@LarsenBagley505

I have been in trouble for the last few days since my web host was hacked for POSTs on PHP files. I've been dealing with files with a .png extension that have PHP code inside.


This is why error checking should be implemented in your upload script; that way, you can test the uploaded file to ensure the data is valid, and if it is not, discard the file and show an error web page.


I can't even try to edit them one by one to check whether each is a valid .png file or not. Is there any way to mass-check whether a file with a .png extension is real or fake?


You can make a script that opens each uploaded file and checks the first few bytes to ensure the file is valid, but this is an unnecessary step in the future if you decide to add file validation to your upload script as I described above.

Also, as someone stated in the comments, for at least some protection from script execution, make the upload directory one in which the execute bit is not set. Also, make the folder inaccessible to the general public so that you have a chance to validate the files, and only make them accessible to the public once you have validated them.

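The three answers between them describe one mass check: grep the file for opening tags (first answer), look past the first few bytes into metadata chunks, the IDAT image data and anything appended after the image (second answer), and verify the file is structurally a PNG before accepting it (third answer). The script below is an added example, not code from the thread or from any of the posters, that does all of that in Python: it parses the PNG chunk list with length and CRC checks, decompresses zTXt/iTXt text and the IDAT stream, flags bytes after IEND, and searches each piece for the tags the second answer lists. The `scan_directory` helper walks a directory of uploads; the sample files (`SAMPLES`) are constructed inside the script so it runs offline, and the tag list and report format are this example's own choices.

```python
"""Bulk-check *.png uploads: is each a structurally valid PNG, and does any part
(text chunks, decompressed IDAT, bytes after IEND) hold a PHP/ASP/script tag?"""
import re
import struct
import zlib
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Tags named in the thread; "<?" excludes "<?xml" so XMP metadata does not trip it.
ALL_TAGS = re.compile(rb"<\?php|<\?=|<script|<%|<\?(?!xml)", re.IGNORECASE)
# Decompressed pixel data is noisy, so only unambiguous tags are flagged there.
STRICT_TAGS = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)

def parse_chunks(data):
    """Walk the chunk list, checking lengths and CRCs; return (chunks, trailing_bytes)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body, crc = data[pos + 8:pos + 8 + length], data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4 or struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            raise ValueError("truncated or corrupt %r chunk" % ctype)
        chunks.append((ctype, body, pos))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]

def text_payloads(ctype, body):
    """Bytes to scan for one chunk: the raw body plus any decompressed zTXt/iTXt text."""
    payloads = [] if ctype == b"IDAT" else [body]   # IDAT is decompressed and scanned separately
    try:
        if ctype == b"zTXt":                         # keyword\0 method(1) compressed-text
            payloads.append(zlib.decompress(body.partition(b"\0")[2][1:]))
        elif ctype == b"iTXt":                       # keyword\0 flag method lang\0 tkey\0 text
            rest = body.partition(b"\0")[2]
            text = rest[2:].split(b"\0", 2)[-1]
            payloads.append(zlib.decompress(text) if rest[0] == 1 else text)
    except (zlib.error, IndexError):
        pass                                         # malformed text chunk; raw body is still scanned
    return payloads

def find_tags(blob, where, pattern=ALL_TAGS):
    return [(where, m.group(0).decode("latin-1").lower()) for m in pattern.finditer(blob)]

def scan_png_bytes(data):
    """Return {'valid_png': bool, 'findings': [(where, what), ...]} for one file's bytes."""
    result = {"valid_png": False, "findings": []}
    try:
        chunks, trailing = parse_chunks(data)
    except ValueError as exc:
        # Not a PNG at all (or a broken one): grep the raw bytes, as the first answer advises.
        result["findings"].append(("structure", str(exc)))
        result["findings"] += find_tags(data, "raw")
        return result
    types = [c[0] for c in chunks]
    result["valid_png"] = types[:1] == [b"IHDR"] and types[-1:] == [b"IEND"] and b"IDAT" in types
    for ctype, body, offset in chunks:
        for payload in text_payloads(ctype, body):
            result["findings"] += find_tags(payload, "%s@%d" % (ctype.decode("latin-1"), offset))
    try:
        pixels = zlib.decompress(b"".join(body for t, body, _ in chunks if t == b"IDAT"))
        result["findings"] += find_tags(pixels, "IDAT(decompressed)", STRICT_TAGS)
    except zlib.error:
        result["valid_png"] = False
        result["findings"].append(("IDAT", "image data does not decompress"))
    if trailing:
        result["findings"].append(("after IEND", "%d unexpected trailing bytes" % len(trailing)))
        result["findings"] += find_tags(trailing, "after IEND")
    return result

def scan_directory(root):
    """Scan every *.png under root (recursively); returns {path: result}."""
    return {str(p): scan_png_bytes(p.read_bytes()) for p in sorted(Path(root).rglob("*.png"))}

# --- Constructed samples (not real uploads) so the script runs offline. ---
def _chunk(t, b): return struct.pack(">I", len(b)) + t + b + struct.pack(">I", zlib.crc32(t + b))

def make_png(extra_chunks=(), trailing=b""):
    """A valid 1x1 RGB PNG with optional extra chunks before IDAT and optional trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")        # filter type 0 + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + b"".join(_chunk(t, b) for t, b in extra_chunks)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailing)

SAMPLES = {
    "clean.png": make_png([(b"tEXt", b"Comment\0taken with a phone")]),
    "fake.png": b"<?php echo 'not an image'; ?>",                # a PHP file renamed to .png
    "meta.png": make_png([(b"tEXt", b"Comment\0<?PHP echo 1; ?>")]),
    "ztxt.png": make_png([(b"zTXt", b"Comment\0\x00" + zlib.compress(b"<?= 1 ?>"))]),
    "trailer.png": make_png(trailing=b"<script>1</script>"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, scan_png_bytes(data))
```

Running it prints one report per sample: `clean.png` is valid with no findings, `fake.png` fails the signature check and the raw grep hits `<?php`, `meta.png` and `ztxt.png` are valid images whose text chunks carry a tag, and `trailer.png` is a valid image with 18 bytes and a `<script` tag after IEND. Treat any finding as a reason to quarantine the file rather than serve it: the scan is a detector, not a guarantee, since the two-character patterns (`<?`, `<%`) can occur by chance in binary data and a string split across chunks or hidden with a non-zero filter type in IDAT will not be matched. That is why the second answer's stronger advice still applies on top of this check: strip metadata and re-encode the image so that whatever the chunk contents were, they are not what ends up on disk.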

