seany123 Posted February 22, 2010

I have a form which allows players to type in the URL to a picture and it will then use that picture as the member's avatar. The only problem I'm having is some people started using website URLs to benefit them, such as their site to gain advertising on their site. So instead I wanna change it so they can only have certain extensions such as .jpg, .gif and .png.

Here is the code below (I currently have it so they can't have my website name in the box because they were linking to rateup pages).

```php
if($_POST['edit_avatar'])
{
    if(strstr($_POST['avatar'],'MY URL NAME'))
    {
        header('Location: edit_account.php');
        die;
        exit;
    }
    $query = $db->execute("update `user` set `avatar`=? where `id`=?", array($_POST['avatar'], $user->id ));
    header('Location: edit_account.php');
}
```

GingerRobot Posted February 22, 2010

Well if you just wanted to check the extension you could use strrpos to find the last occurrence of a '.' and then use substr to check what comes after the dot for valid extensions.

However, if you want to ensure it's actually an image, your best bet would probably be to try and open it using the GD library. Otherwise, someone could fake an extension and have some php code running on your site, for example.

seany123 Posted February 22, 2010

how would you fake an extension?

trq Posted February 22, 2010

> how would you fake an extension?

Change it to something else.

seany123 Posted February 23, 2010

Well, for example, how do I go about not showing this: [*img]http://www.google.com[/img]

Currently it's trying to actually show the page as an image (showing a failed image icon), but if this page was a .php page they could easily do pretty much anything they wanted.

I mean, I just now tried it on this forum and it doesn't allow it.

GingerRobot Posted February 23, 2010

> well for example how do i go about not showing this.. [*img]http://www.google.com[/img]
> currently its trying to actually show the page as an image... (showing a failed image icon) but if this page was a .php page they could easily do pretty much anything they wanted. i mean i just now tried it on this forum and it doesnt allow it.

Two things... Firstly, you would get a "failed" image icon if you do this kind of thing; what you're displaying isn't a valid image so it can't be displayed. Second, you'd need to change the extension of the php file to, say, .png and then configure your webserver to parse files with the extension .png as php files.

seany123 Posted March 1, 2010

But for the above code AND also I'm using BBcode... if I use, for example, [*img]test.php[/img] it will display the image as being broken (but obviously it will have processed the .php page to see if it was an image), meaning I could set anything inside test.php and it would run.

So I need a way to stop file extensions like .php from being used in img tags and some forms.

inversesoft123 Posted March 1, 2010

```php
$inputs = $_POST['avatar'];
// end() takes its argument by reference, so keep the exploded parts in a variable
$parts = explode('.', $inputs);
$extensionorig = end($parts);
if ($extensionorig == 'jpg') {
    echo "ok";
} else if ($extensionorig == 'gif') {
    echo "ok";
} else if ($extensionorig == 'png') {
    echo "ok";
} else if ($extensionorig == 'jpeg') {
    echo "ok";
} else {
    echo "Invalid URL. only jpg, gif, png, jpeg links are allowed.";
    exit(); // or $flag++ as code termination is not a smart solution
}
```

Spikerok Posted March 1, 2010

```php
<?php
class myclass {
    public function __construct() {
        if (isset($_POST['submit'])) {
            $this->check($_POST['link']);
        }
        $this->form();
    }

    private function check($link) {
        // Take the last dot-separated part; for a full URL, index 1 is part of the host name
        $parts = explode(".", $link);
        switch (end($parts)) {
            case 'jpg':
                print 'good';
                break;
            case 'gif':
                print 'good';
                break;
            case 'png':
                print 'good';
                break;
            default:
                print 'incorrect format';
        }
    }

    private function form() {
        print "<form action=\"\" method=\"post\">";
        print "Image: <input name=\"link\" type=\"text\">";
        print "<input type=\"submit\" name=\"submit\" value=\"submit\">";
        print "</form>";
    }
}
new myclass();
?>
```

Dennis1986 Posted March 1, 2010

Edit: nvm

seany123 Posted March 1, 2010

> ```php
> $inputs = $_POST['avatar'];
> // end() takes its argument by reference, so keep the exploded parts in a variable
> $parts = explode('.', $inputs);
> $extensionorig = end($parts);
> if ($extensionorig == 'jpg') {
>     echo "ok";
> } else if ($extensionorig == 'gif') {
>     echo "ok";
> } else if ($extensionorig == 'png') {
>     echo "ok";
> } else if ($extensionorig == 'jpeg') {
>     echo "ok";
> } else {
>     echo "Invalid URL. only jpg, gif, png, jpeg links are allowed.";
>     exit(); // or $flag++ as code termination is not a smart solution
> }
> ```

That worked perfectly with the $_POST['avatar']; however, how can I get it to work with BBcode?

Here is the code in BBcode.php which handles img tags:

```php
// Images
// [img=pathtoimage]
$Text = preg_replace("/\[img\]http:\/\/(.+?)\[\/img\]/", '<img src="$1">', $Text);

// [img=widthxheight]image source[/img]
$Text = preg_replace("/\[img\=([0-9]*)x([0-9]*)\](.+?)\[\/img\]/", '<img src="$3" height="$2" width="$1">', $Text);
```

seany123 Posted March 2, 2010

I tried this but it doesn't work:

```php
// Images
// [img=pathtoimage]
$inputs = $text;
$extensionorig = end(explode('.', $inputs));
if ($extensionorig == 'jpg' || $extensionorig == 'png' || $extensionorig == 'gif' || $extensionorig == 'jpeg') {
    $Text = preg_replace("/\[img\](.+?)\[\/img\]/", '<img src="$1">', $Text);
}

// [img=widthxheight]image source[/img]
$inputs = $text;
$extensionorig = end(explode('.', $inputs));
if ($extensionorig == 'jpg' || $extensionorig == 'png' || $extensionorig == 'gif' || $extensionorig == 'jpeg') {
    $Text = preg_replace("/\[img\=([0-9]*)x([0-9]*)\](.+?)\[\/img\]/", '<img src="$3" height="$2" width="$1">', $Text);
}
return $Text;
```

I just now found out that this doesn't work:

```php
$inputs = $text;
$extensionorig = end(explode('.', $inputs));
if ($extensionorig == 'jpg' || $extensionorig == 'png' || $extensionorig == 'gif' || $extensionorig == 'jpeg')
```

reason being that, for example, http://s397.photobucket.com/albums/pp58/ht324b/mp/Hello/0ghello6942a.gif is a valid image but won't be allowed because it has .com

seany123 Posted March 2, 2010

Okay, I changed it to this which works great:

```php
$filename = $_POST['avatar'];

/*** get the path info ***/
$info = pathinfo($filename);
if ($info['extension'] != 'jpg' && $info['extension'] != 'png' && $info['extension'] != 'gif' && $info['extension'] != 'jpeg') {
    // (rest of the block not shown in the post)
}
```

But I still need to know how to add it to the bbcode code.

```php
// Images
// [img=pathtoimage]
$Text = preg_replace("/\[img\](.+?)\[\/img\]/", '<img src="$1">', $Text);

// [img=widthxheight]image source[/img]
$Text = preg_replace("/\[img\=([0-9]*)x([0-9]*)\](.+?)\[\/img\]/", '<img src="$3" height="$2" width="$1">', $Text);
return $Text;
```

seany123 Posted March 2, 2010

Still can't seem to make this work.

seany123 Posted March 5, 2010

bump

Dennis1986 Posted March 5, 2010

```php
function _callback_img($match) {
    // $match[1] is the URL captured between [img] and [/img] ($match[0] would include the tags)
    $FileString = $match[1];
    if ($FileString != "") {
        $FilePointer = @fopen($FileString, "r");
        if (!$FilePointer) {
            return '[invalid IMG]';
        } else {
            $FileHeaders = stream_get_meta_data($FilePointer);
            fclose($FilePointer);
            $imageType = false;
            // For http:// streams the response header lines are listed under 'wrapper_data'
            $HeaderLines = isset($FileHeaders['wrapper_data']) ? (array) $FileHeaders['wrapper_data'] : array();
            foreach ($HeaderLines as $HeaderValue) {
                // strpos() can return 0, so compare against false explicitly
                if (is_string($HeaderValue) && strpos(strtolower($HeaderValue), "image/") !== false) {
                    $imageType = $HeaderValue;
                }
            }
            if ($imageType) {
                // Escape the URL before placing it in the attribute
                return "<img src='" . htmlspecialchars($FileString, ENT_QUOTES) . "'>";
            } else {
                return '[invalid IMG]';
            }
        }
    } else {
        return '[invalid IMG]';
    }
}

// $Text = preg_replace("/\[img\]http://(.+?)\[\/img\]/", '<img src="$1">', $Text);
$Text = preg_replace_callback("/\[img\](.+?)\[\/img\]/", '_callback_img', $Text);

// [img=widthxheight]image source[/img]
$Text = preg_replace("/\[img\=([0-9]*)x([0-9]*)\](.+?)\[\/img\]/", '<img src="$3" height="$2" width="$1">', $Text);
```

I'm not 100% sure if that works (not tested), but I guess you could start from there.

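An added example, not code from any poster in the thread: one way to apply the extension allow-list to both BBCode img forms without fetching the URL server-side, by checking only the path component of the URL and escaping it on output. The function names `is_allowed_image_url`, `bbcode_img_callback` and `render_img_tags` and the host `images.example` are hypothetical.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// True only for absolute http(s) URLs whose path ends in an allowed extension.
function is_allowed_image_url($url)
{
    $allowed = array('jpg', 'jpeg', 'png', 'gif');
    $parts = parse_url(trim($url));
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host']) || empty($parts['path'])) {
        return false; // relative paths such as test.php, or a bare host, are rejected
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    // Look at the path only, so dots in the host name (".com") or the query string do not count.
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Callback for both tag forms: $m[1]/$m[2] are the optional width/height, $m[3] is the URL.
function bbcode_img_callback($m)
{
    $url = trim($m[3]);
    if (!is_allowed_image_url($url)) {
        return '[invalid IMG]';
    }
    $size = '';
    if ($m[1] !== '' && $m[2] !== '') {
        $size = ' width="' . (int) $m[1] . '" height="' . (int) $m[2] . '"';
    }
    // Escape the URL so it cannot break out of the src attribute.
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8', false) . '"' . $size . '>';
}

function render_img_tags($Text)
{
    return preg_replace_callback('#\[img(?:=([0-9]+)x([0-9]+))?\](.+?)\[/img\]#i', 'bbcode_img_callback', $Text);
}

// Constructed sample input; the first three URLs are the ones discussed in the thread.
$samples = array(
    '[img]test.php[/img]',
    '[img]http://www.google.com[/img]',
    '[img]http://s397.photobucket.com/albums/pp58/ht324b/mp/Hello/0ghello6942a.gif[/img]',
    '[img=100x50]http://images.example/avatar.PNG[/img]',
);
foreach ($samples as $s) {
    echo render_img_tags($s), "\n";
}
```

The same `is_allowed_image_url()` check can gate `$_POST['avatar']` before the update query. It only constrains what the page links to; the remote server still decides what bytes it serves, which is the point of GingerRobot's suggestion to verify the content itself.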