MyBB Community Forums

Full Version: What is the pros and cons of direct image upload?
So, a person can upload images via attachments, but not any other way, except to host the image with a third party. So my question is: why not let people upload images directly with a direct upload action?

The point is, there may be a good reason to not let this happen, but what is the reason?

Because I don't know and I would like to know.

Thanks
You can upload an image as an attachment and directly link to it with [img] tags. A different system would still require all the permissions and configurable limits of the attachment system but ultimately it would work the same way.


(2019-03-08, 12:35 PM)NoRules Wrote: Hi,

maybe because of this?:

https://resources.infosecinstitute.com/p...abilities/

No, otherwise the attachment system and avatar uploads wouldn't exist at all. That's mitigated by writing secure code.
Allowing file upload can possibly create exploits that others can use to attack your site and do malicious things. In the last year, I added image upload to my forum and this year I will be working on adding direct video upload, as well.

For images, do your diligence. Don't just allow users to upload and copy it directly into the image folder. Be sure to check MIME type; send it through imagecreatefromstring() and make sure that it returns a valid resource; and use PHP's move_uploaded_file, which checks to make sure that the upload was done via PHP's HTTP POST upload mechanism. And make sure the destination folder from which you will be serving the images has the correct permissions.
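
The checks listed in the post above, put together as an added example (not part of the thread and not MyBB code). The function name, size limit and allowed-type list are assumptions, and the server-generated file name goes one step beyond what the post describes.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for illustration; names, limits and types are assumptions.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES = 2 * 1024 * 1024; // assumed upload limit

/**
 * Validate one entry of $_FILES and store it under $destDir.
 * Returns the stored file name; throws RuntimeException on rejection.
 */
function store_uploaded_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size out of range');
    }
    $tmp = $file['tmp_name'];

    // MIME type detected from the file content, not the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('Unsupported image type');
    }

    // GD must be able to decode the bytes as an image.
    $data = file_get_contents($tmp);
    if ($data === false || @imagecreatefromstring($data) === false) {
        throw new RuntimeException('Not a decodable image');
    }

    // Server-generated name; the extension comes from the detected type,
    // never from the user-supplied file name.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;

    // move_uploaded_file() refuses files that did not arrive via HTTP POST upload.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0644); // readable by the web server, not executable
    return $name;
}
```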