Hide PHP variables in the html?

[ttmt]

 

Hide PHP variables in the html?

 

Hi all

 

I've started working again on this type testing thing

 

http://www.ttmt.org.uk/forum/index.php

 

The text, size and font to use are past to a php function that uses the GD library

to create the image using the font at the set size.

 

My problem is from the source code of the page I can see the location of the fonts

which I can't have - I don't want people to be able to download the fonts.

 

<img src="imageftt.php?text=Handgloves&size=24&font=/fonts/corbelb.ttf">    </div>

 

How can I hide the variables in the html code or hide the location of the fonts.

 

Any help would be greatly appreciated.

 

html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

<title>untitled</title>
<link rel="stylesheet" href="style.css" type="text/css" />
</head>

<body>
  <div id="wrap">
    <form action="index.php" method="post">
      <select name="text" >
        <option value="<?php echo $_POST['text'];?>">Text</option>
        <option value="ABCDEFGHJIKLMNOPQRSTUVWXYZ">ABCDEFGHIJKLMNOPQRSTUVWXYZ</option>
        <option value="abcdefghijklmnopqrstuvwxyz">abcdefghijklmnopqrstuvwxyz</option>
      </select>
      <select name="size">
        <option value="<?php echo $_POST['size'];?>">Size</option>
        <option value="31">30</option>
        <option value="48">48</option>
        <option value="72">72</option>
        <option value="84">84</option>
        <option value="108">108</option>
      </select>  
      <input type="submit" name="submit" value="Set →" />
    </form>
    
    <div id="top">
    	<?php 
    	  $theFont="/fonts/corbelb.ttf";
      	if(!empty($_POST['submit'])){
    	    $myText = $_POST['text'];
      	  $mySize = $_POST['size'];
      	  echo '<img src="imageftt.php?text='.$myText.'&size='.$mySize.'&font='.$theFont.'">';
      	}else{
      	  $myText = "Handgloves";
      	  $mySize = 24;
      	  echo '<img src="imageftt.php?text='.$myText.'&size='.$mySize.'&font='.$theFont.'">';
      	}
    	?>
    </div>
  </div>
</body>
</html>

 

 

PHP

<?php
        
header('Content-Type: image/png');

$im = imagecreatetruecolor(1000, 200);

$gray = imagecolorallocate($im, 240, 240, 240);
$black = imagecolorallocate($im, 0, 0, 0);
imagefilledrectangle($im, 0, 0, 1000, 199, $gray);
    
  $text = $_GET['text'];
$textSize = $_GET['size'];
$font = $_GET['font'];
	  
  imagefttext($im, $textSize, 0, 15, 160, $black, $font, $text);		

imagepng($im);

imagedestroy($im);

?>

 

 

[ManiacDan]

Move the fonts outside of your webroot so that even if they can see the font location they cannot download them.

[ttmt]

That's sounds like it would work - how would I address the fonts outside the my web root. What would the path be.

[ManiacDan]

Wherever you plan on putting them.

[requinix]

Change the URL to something like

&font=corbelb

 

Then your script

1. Checks that the font name is valid. Try ctype_alpha

2. Constructs the path name, like

$path = $_SERVER["DOCUMENT_ROOT"] . "/../fonts/" . $_GET["font"] . ".ttf";

(if you put the /fonts directory one level below your web root)

3. Checks that the font file exists

 

If all that works then you can proceed, otherwise you can't and should do something else. Maybe die(), thus creating an invalid image, or more creatively you can output a warning in a small image.