What is the best way to protect my website from uploaded files that have php in the comments?
My website allows image upload, only valid images can be uploaded at the moment, but valid images can still have code written in the comments. Is there a way to check an image for comments? Or is my only option to strip the image from all meta data? And if I strip my image from meta data, what would be the consequences of that?
Quentin is partially right in saying that if your config is correct then these images should not be parsed by the PHP interpreter - but it is good practice not to rely on a single line of defence.
In a lot of jurisdictions it is (rightly) illegal (or at least a breach of contract) to remove copy right information from content, digital or otherwise. Hence deliberately stripping the metadata could land you in a lot of trouble.
If it were me, I'd:
1) ensure that my config did not allow for anything without a designated extension being run by the PHP interpreter
2) ensure that my application did not allow for renaming of the extension on uploaded content
3) apply some transform to the image (rotate / scale / change format) to eliminate some of the malware it may contain (e.g. CVE-2013-1331), retaining the exif data
4) keep the content outside the document root and control access via a proxy script
5) escape any occurrence of php opening and closing tags in the exif data