
What do we have to check when uploading an avatar / image ?

Discussion in 'XenForo Development Discussions' started by account8226, May 5, 2013.

  1. account8226

    account8226 Guest


    I'm making an addon where anyone can upload a custom logo for their page.

    I'm correctly uploading the file, but I am afraid I forgot something.

    Currently, I'm checking the following:
    • if (!$logo->isImage())
    • if (!in_array($imageType, array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG)))
    Anything else I could check to improve security?

  2. account8226

    account8226 Guest

    Ok, after spending a few hours on this, I just would like to check the image size (not bigger than 1MB).

    Any ideas ?
  3. tenants

    tenants Well-Known Member

    Have a look at XenForo_ControllerPublic_Account::actionAvatarUpload

    and then look at $avatarModel->uploadAvatar (or XenForo_Model_Avatar::uploadAvatar )

    Since the core already does this, you can easily use a similar functionality to the core.

    You can see that the model checks the dimensions:

    $largestDimension = $this->getSizeFromCode('l');

    and the upload object's _checkForErrors() checks quite a few things:

    protected function _checkForErrors()
    {
        if ($this->_allowedExtensions && !in_array($this->_extension, $this->_allowedExtensions)) {
            $this->_errors['extension'] = new XenForo_Phrase('uploaded_file_does_not_have_an_allowed_extension');
        }
        if ($this->_tempFile && $this->_maxFileSize && filesize($this->_tempFile) > $this->_maxFileSize) {
            $this->_errors['fileSize'] = new XenForo_Phrase('uploaded_file_is_too_large');
        }
        if (!$this->_tempFile) {
            $this->_errors['fileSize'] = new XenForo_Phrase('uploaded_file_is_too_large_for_server_to_process');
        }
        $this->_errorsChecked = true;
    }

    If in doubt, look for core functionality that does a similar thing to what you want to do, then work backwards through the code, so that you can use the core methods for doing what you want to do.
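The checks discussed in this thread (allowed extension, maximum file size, real image type, maximum dimension) as one stand-alone PHP function, plus the step the thread does not cover: re-encoding the validated image before storing it. This is an added example, not XenForo's own code and not the addon author's; the limits, the `LOGO_*` constants, the `$_FILES['logo']` entry, the destination directory and the function names are assumptions for illustration.

```php
<?php
// Added example (not XenForo core code): stand-alone validation of an
// uploaded logo. The size/dimension limits and the $_FILES entry name are
// assumptions; adjust them to the addon's needs.

const LOGO_MAX_BYTES      = 1048576;   // 1 MB, the limit asked for in the thread
const LOGO_MAX_DIMENSION  = 400;       // assumed: largest allowed width or height in pixels
const LOGO_ALLOWED_EXTENSIONS = array('gif', 'jpg', 'jpeg', 'png');
const LOGO_ALLOWED_TYPES      = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

/**
 * Validate one entry of $_FILES (for example $_FILES['logo']).
 * Returns a list of error strings; an empty list means the upload passed.
 */
function validateLogoUpload(array $upload)
{
    $errors = array();

    // 1. PHP's own upload status first: a partial upload, or one larger than
    //    upload_max_filesize / post_max_size, has no usable temp file at all.
    if (!isset($upload['error']) || $upload['error'] !== UPLOAD_ERR_OK) {
        $errors[] = 'upload failed or was too large for the server to process';
        return $errors;
    }
    $tmp = $upload['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        $errors[] = 'file is not a valid PHP upload';
        return $errors;
    }

    // 2. Extension whitelist on the client-supplied name. Cheap, but the
    //    name is attacker-controlled, so this is never the only check.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, LOGO_ALLOWED_EXTENSIONS, true)) {
        $errors[] = 'uploaded file does not have an allowed extension';
    }

    // 3. Size limit measured on the temp file actually written to disk,
    //    not on $upload['size'], which comes from the request.
    if (filesize($tmp) > LOGO_MAX_BYTES) {
        $errors[] = 'uploaded file is too large';
    }

    // 4. Real image type from the file header. $upload['type'] is the MIME
    //    type the browser sent and can be set to anything by the client.
    $info = @getimagesize($tmp);
    if ($info === false || !in_array($info[2], LOGO_ALLOWED_TYPES, true)) {
        $errors[] = 'uploaded file is not a GIF, JPEG or PNG image';
        return $errors;
    }

    // 5. Dimension limit: a 1 MB PNG can decode to a 20000x20000 bitmap and
    //    exhaust memory when it is later resized (decompression bomb).
    if ($info[0] > LOGO_MAX_DIMENSION || $info[1] > LOGO_MAX_DIMENSION) {
        $errors[] = sprintf('image exceeds %dx%d pixels', LOGO_MAX_DIMENSION, LOGO_MAX_DIMENSION);
    }

    return $errors;
}

/**
 * Re-encode the validated image with GD and write it under a server-chosen
 * name. getimagesize() only reads the header, so a valid GIF with PHP code
 * appended still passes it; re-encoding drops trailing bytes and metadata.
 * $destDir is assumed to be outside the web root, or a directory where the
 * web server does not execute scripts.
 */
function storeLogoReencoded($tmp, $destDir, $userId)
{
    $image = imagecreatefromstring(file_get_contents($tmp));
    if ($image === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // The stored name is ours (user id), never the client's file name.
    $dest = rtrim($destDir, '/') . '/' . (int) $userId . '.png';
    imagepng($image, $dest);
    imagedestroy($image);
    return $dest;
}

// Usage from a request handler (assumed $_FILES entry and $userId):
// $errors = validateLogoUpload($_FILES['logo']);
// if (!$errors) {
//     $path = storeLogoReencoded($_FILES['logo']['tmp_name'], '/srv/data/logos', $userId);
// }
```

Re-encoding through GD flattens animated GIFs to their first frame and strips EXIF; for a site logo that is usually acceptable, and it is what turns "the header looks like an image" into "the stored bytes are exactly an image we produced". The order of the checks matters: the dimension check runs before imagecreatefromstring(), so an oversized bitmap is rejected before anything tries to decode it.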
  4. account8226

    account8226 Guest

    Great, thanks for the reply, that's what I've done: I used that maxFileSize method, and it's doing the work ;)
