PHP Validate base64 encoded images
Question
I need to find a way to validate an image that is base64 encoded in PHP.
By validate i'm thinking of XSS and other security things like that.
The flow is:
User has some parameters where one og more in a base64 encode string of an image and post them to my site. When i receive the parameter fx called img1 with the base64 encoded image string as value.
I would then like to make sure that this base64 encoded string only consist of the image and doest not have any tags and any other things hackers will try to use.
Does anyone know any PHP functions or plugins that can help me?
5 answers
solution1
6 2020-07-15 06:30:59
You can validate file type with code below:
$file = 'Your base64 file string';
$file_data = base64_decode($file);
$f = finfo_open();
$mime_type = finfo_buffer($f, $file_data, FILEINFO_MIME_TYPE);
$file_type = explode('/', $mime_type)[0];
$extension = explode('/', $mime_type)[1];
echo $mime_type; // will output mimetype, f.ex. image/jpeg
echo $file_type; // will output file type, f.ex. image
echo $extension; // will output extension, f.ex. jpeg
$acceptable_mimetypes = [
'application/pdf',
'image/jpeg',
];
// you can write any validator below, you can check a full mime type or just an extension or file type
if (!in_array($mime_type, $acceptable_mimetypes)) {
throw new \Exception('File mime type not acceptable');
}
// or example of checking just a type
if ($file_type !== 'image') {
throw new \Exception('File is not an image');
}
Under $mime_type you will get something like application/pdf or image/jpeg .
Under $file_type you will get a file type f.ex. image.
Under $extension you will get an extension.
With finfo_buffer you can use a few predefined constants , which may give you more informations.
With those informations you can simply validate if it's image or pdf or any other things you want to check. All the available mimetypes you can check in this page .
Manual
solution2
4 2012-09-03 13:58:14
You can try to create the image from the string using the imagecreatefromstring function.
You can then test for image dimensions/type.
If you want to go one further step you can create a new image and then attempt to copy the user image onto it and use this as the final image. Since the final image was initially created by you there is a very slim chance any hacker could get thru.
solution3
0 2012-09-06 10:17:57
I would only take the base64 encoded string and put it in a image tag. But security is very importent thing in the system i'm building so i just need to be sure that something like XSS cant be used in base64 encoded images :)
Then you do this as with any other user input: you htmlspecialchars -encode the user provided text before putting it in your HTML to preserve the integrity of your HTML. Base64 image strings are no exception. See The Great Escapism (Or: What You Need To Know To Work With Text Within Text) .
Of course, a blob of image data may open you up to entirely different attack vectors through vulnerable image parsers. So you may want to decode that image string into an image resource first and save it again using gd or Imagick functions, ie opening and re-saving/re-encoding the image.
solution4
0 2016-10-09 10:00:08
Try this library
https://github.com/imaimai86/Intervention-Base64Image
It uses Intervention image library to validate base64 encoded images
solution5
0 2017-10-21 12:54:17
$str = 'your base64 code' ;
if (base64_encode(base64_decode($str, true)) === $str && imagecreatefromstring(base64_decode($img))) {
echo 'Success! The String entered match base64_decode and is Image';
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.