Manuel Lemos - 2007-06-20 08:26:01 -
In reply to message 1 from Luis Ferro
Using readfile is just an alternative solution for people that want to preserve the original file names of the uploaded files.
When that is not important, renaming the image files as 1.gif, 2.gif, and so on, is sufficient to avoid this security problem. That way the files may be served directly by the Web server.
That is what the PHPClasses site does to serve pictures of the users that they upload. Such pictures are served by a separate multithreaded Web server, which can handle much more simultaneous requests with much less memory.
As for the use of GD to remove the injected code, it may not work because the PHP code can be hidden in the image palette.
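As an added example, not Manuel Lemos's or the PHPClasses site's own code, here is an upload handler that applies the renaming approach described above: the stored file name is a server-generated sequence number, and the extension is taken from the image type detected in the data rather than from the client-supplied name. The field name `picture`, the directory `/var/www/pictures` and the counter file are assumptions for illustration.

```php
<?php
// Added example (not from the original thread): store uploaded images under
// server-generated names (1.gif, 2.jpg, ...) so the Web server can serve them
// directly without trusting the client's file name.
// Assumptions (hypothetical): a form field named "picture", a writable
// directory $storeDir in which the Web server does not execute scripts, and a
// counter file inside it used for sequential numbering.

function storeUploadedImage(array $file, string $storeDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Decide the extension from the image type detected in the data,
    // never from $file['name'] supplied by the client.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not a valid image');
    }
    $extensions = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    if (!isset($extensions[$info[2]])) {
        throw new RuntimeException('unsupported image type');
    }
    $ext = $extensions[$info[2]];

    // Next sequential number, kept in a counter file under an exclusive lock
    // so concurrent uploads never receive the same name.
    $counterPath = $storeDir . '/counter';
    $fh = fopen($counterPath, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException('cannot lock counter');
    }
    $n = (int) stream_get_contents($fh) + 1;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, (string) $n);
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);

    // The final name contains only digits and a fixed image extension.
    $target = sprintf('%s/%d.%s', $storeDir, $n, $ext);
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('cannot store file');
    }
    return basename($target);
}

// Usage (hypothetical paths):
// $name = storeUploadedImage($_FILES['picture'], '/var/www/pictures');
// echo '<img src="/pictures/' . htmlspecialchars($name) . '">';
```

The image bytes are stored unmodified, so anything hidden in the palette is still present, but because the stored name is a number with a fixed image extension and the directory is not configured to execute scripts, the Web server only ever serves it as static image data.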