php - using fopen instead of upload to import external images to website over http

If you want to let your website users add their own images to your website you could offer them the option to upload a file using an html form - remembering to treat this ‘external data’ with extreme caution.

See for a brief outline of how to do this AND thoroughly research the security implications of how to handle uploaded files.

However, in the project I’m working on at the moment, many of my client’s users wish to add images that are already located on the web. So he wishes to offer them the option to submit an URL to image as an alternative to uploading it. This would save them the hassle of downloaded the image to their PC and then having to upload it back onto the web via a form.

The whole concept of collecting files, (located at URLs that are specified by users), storing them on a web server, then serving them on a PHP enabled website makes me nervous. The last thing I want to do is to write a PHP script that obediently collects and stores a malicious script onto my client’s machine.

So, using my blog as a personal bookmark system,….here are some links to various pages I find on the web that I will want to re-visit:

The most useful info i found so far:
Very interesting article. CTRL+F to “then storing the file on the server” on that page to jump to solutions to image problems:
It ends with… “So what is the bottom line, as far as the images go? Well, short of removing the functionality and preventing their use altogether, all other solutions merely make attacks more difficult, but certainly not impossible.”

So in conclusion - I’m going to advise my client that the whole idea of letting users pass URLS to images instead of using an Upload form needs a re-think.

Another page on this, that may well be a duplicate:

Other info:

A forum post asking how to do this from an admin perspective using fopen, fread, fwrite :

stream_context_create look interesting too:

The getimagesize function in php - which can use URLs in the argument:

CURL’s curl_getinfo function which may or may not be useful to determine file types etc:

A cautionary word on using images that may contain malicious php code:

PHP docs on using remote files:



Remember localhost - check if it could be abused!
…more as i find it…

Feel free, as always, to add comments to discuss this issue…

Leave a Reply