I am building a PHP web app and it includes image uploading. I've read about preventing the uploads of fake images. But what are fake images and how can they be used to attack a server?
Is it sufficient using the PHP function getimagesize() along with checking the file extension to eliminate all possible attacks through images?
One example of a fake image would be where someone uploads a PHP file instead of an image and then tricks the server in to executing it. There are several options for preventing this kind of attack, including preventing the user from picking the file extension used to store the image on the server and storing uploaded images outside of the document root (using file_get_contents to read them when needed).