How PHP ensures the security of uploaded images

Usually I found that there are many sites do not provide GIF image upload, before the security check on the site also found some GIF pictures hidden code, unexpectedly can also be executed!
Remember I use a text editor to open the picture, at the end of the picture, found a word of PHP trojan, I would like to ask, how to solve such problems?
What are the possible security risks in the image (or file) upload?

Jinchey!

Reply content:

Usually I found that there are many sites do not provide GIF image upload, before the security check on the site also found some GIF pictures hidden code, unexpectedly can also be executed!
Remember I use a text editor to open the picture, at the end of the picture, found a word of PHP trojan, I would like to ask, how to solve such problems?
What are the possible security risks in the image (or file) upload?

Jinchey!

1. Upload the time do not rely on Content-Type to do document type verification, you can refer to my answer here how to determine the browser upload the actual type of file?
2. Upload the picture file in a place outside the Web directory, limited permissions, the picture, you can use another domain name.
3. Force the server to send the correct file header to the static file to avoid the code in the picture being executed reference http://nullcandy.com/php-image-upload-security-how-not-to-do-it/

ForceType application/octet-stream
  
   
    
       ForceType image/jpeg
  
   
  
   
    
       ForceType image/gif
  
   
  
   
    
       ForceType image/png
  
   

