phillips321 Posted November 21, 2007

Hi guys,

I have images stored in the directory "/uploads/*********.jpg". Rather than link directly to the image, I would much rather be able to display the image on a web page with some other HTML, i.e. www.example.com/image.php?i=******

I'm pretty sure I could easily write this code, but how do I go about securing the image variable passed to the server in the address field? I wouldn't want the user to change the 'i' value to something like "../../../home/user/".

All of the names of the images are stored using a Unix timestamp, e.g. 1195208745.jpg, 1195202879.jpg.

Any idea on what I'm trying to achieve, guys? Many thanks.

Sorry for any typos etc.; it's too early in the morning and I'm shattered.
BenInBlack Posted November 21, 2007

Here's a quick hacked image.php for ya:

```php
<?php
ob_start();                                // buffer any stray output so it cannot corrupt the image bytes
session_start();
$path = '/uploads/';                       // directory the images live in
$ext = '.jpg';
$filename = $path . $_POST['I'] . $ext;    // build the path from the request parameter
$contents = file_get_contents($filename);  // read the whole image into memory
ob_clean();                                // discard anything buffered so far
header("Content-type: image/jpeg");        // tell the browser it is receiving a JPEG
echo $contents;
?>
```

You would call it like:

```html
<img src="/image.php?I=1195208745">
```
phillips321 (Author) Posted November 22, 2007

What do these commands do?

ob_start();
ob_clean();

There doesn't seem to be any verification/validation on the $_POST['I'].
rajivgonsalves Posted November 22, 2007

ob_start starts the output buffer, so no data is sent to the browser till the script executes fully. ob_clean clears the contents of the buffer, so the output buffered so far does not get sent to the client.

For the POST variable, what type of validation do you require?
phillips321 (Author) Posted November 22, 2007

I need to make sure that a user doesn't enter "image.php?I=../../../../" or I=[user code here]. The image name will only ever be in a Unix time format, no letters or special characters.
rajivgonsalves Posted November 22, 2007

Well, looking at the code it does not matter; it would only generate an error. However, as you requested, you can try this:

```php
<?php
// Only serve the file when the parameter is present and is exactly ten digits.
// \A and \z anchor the match to the whole string, so "../x" or "1195208745/../x"
// cannot slip past the check the way they would with an unanchored pattern.
if (isset($_POST['I']) && preg_match('/\A\d{10}\z/', $_POST['I'])) {
    $path = '/uploads/';
    $ext = '.jpg';
    $filename = $path . $_POST['I'] . $ext;
    $contents = file_get_contents($filename);
    header("Content-type: image/jpeg");
    echo $contents;
}
?>
```
phillips321 (Author) Posted November 22, 2007

For some reason the following block of code doesn't work (extra crap stripped out):

```html
<html>
<head>
<title>ForumPix.co.uk - Upload your pictures for free and host them anywhere!</title>
</head>
<body>
<?php
$filename = $_POST['I'];
echo $filename;
echo '<IMG src="/uploads/' . $filename . '.jpg">';
?>
</body>
</html>
```

The output is a blank page with an image box that points to "http://www.forumpix.co.uk/uploads/.jpg". Even the echo $filename; line doesn't output anything, so I guess there is a fault with getting it from the address line?

P.S. The address line tested was "http://www.forumpix.co.uk/image_test.php?I=00000003"; I have confirmed that the image /uploads/00000003.jpg exists.
phillips321 (Author) Posted November 22, 2007

Just checked, and it should be "_GET" not "_POST". Working fine now. Cheers for your help.
phillips321 (Author) Posted November 22, 2007

The preg_match("/\d{10}/",$_POST['I']) line doesn't work at all (it won't execute the true block of the if). If I remove it from the if conditions, I can produce the following issue: by using the address line "www.domain.tld/image.php?I=../test.jpg" I can browse up a directory from the uploads folder. Any ideas on how to secure it?

```php
<?php
// No validation on $image: a value such as "../test.jpg" escapes the uploads folder
$image = $_GET['I'];
if (isset($image)) {
    echo '<IMG src="/uploads/' . $image . '.jpg">';
} else {
    echo '<IMG src="error.jpg">';
}
?>
```
pkSML Posted November 22, 2007

Secure it? Yes. This is easy, actually!

```php
<?php
$folder = "./uploads/";           // Must have a trailing slash
$file = $_GET['I'];               // Image number/name
$path_parts = pathinfo($file);    // basename drops any leading ../ or ./ directory parts
$filename = "{$folder}{$path_parts['basename']}";
$extension = isset($path_parts['extension']) ? $path_parts['extension'] : '';

if (!file_exists($filename)) {
    die("File doesn't exist.");
} else {
    // Output the header matching the requested extension
    if ($extension == "jpg") {
        header('Content-type: image/jpeg');
    } elseif ($extension == "png") {
        header('Content-type: image/png');
    } elseif ($extension == "gif") {
        header('Content-type: image/gif');
    } elseif ($extension == "jpeg") {
        header('Content-type: image/jpeg');
    }
    header('Content-length: ' . filesize($filename));
    readfile($filename);
}
?>
```

You'll need to put the extension in the query string for this to work. If you saved this script as image.php in your root WWW directory, here's how your HTML should look:

```html
<img src="/image.php?I=000000004.jpg">
```
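Pulling together the two ideas in this thread (the digits-only regex check and the basename/extension check above), here is a hardened image.php written as an added example; it is not code posted in the thread. It assumes the uploads directory sits next to the script, that files are named as a ten-digit Unix timestamp plus a jpg/jpeg/png/gif extension (adjust the digit count to your own naming scheme), and that the query parameter is still I. It does three things the earlier scripts do not: the regex is anchored with \A and \z so the whole parameter must match, the resolved path is checked with realpath() to be inside the uploads directory (which also catches a symlink planted in it), and the Content-Type is taken from the file's actual bytes via finfo rather than from the name.

```php
<?php
// Added example, not from the thread. Serves an image from ./uploads/ only when the
// requested name passes an allowlist and the canonical path stays inside that directory.
// Assumptions: uploads live next to this script, files are <10 digits>.<ext>, parameter is "I".
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';

// Extension allowlist mapped to the only Content-Type values we are willing to send
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate the user-supplied name. \A and \z (rather than ^ and $, which tolerate a
 * trailing newline) anchor the match to the whole string, so "../test.jpg" and
 * "1195208745/../x.jpg" are rejected here instead of relying on pathinfo() to strip them.
 * Returns [name, extension] on success, null otherwise.
 */
function validateImageName(string $input): ?array
{
    if (!preg_match('/\A(\d{10})\.(jpe?g|png|gif)\z/i', $input, $m)) {
        return null;
    }
    return [$m[1], strtolower($m[2])];
}

/**
 * Resolve the validated name inside $baseDir and confirm the canonical path still
 * starts with the canonical base directory. realpath() returns false for a missing
 * file, so "not found" and "outside the tree" both come back as null.
 */
function resolveUploadPath(string $name, string $ext, string $baseDir = UPLOAD_DIR): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $name . '.' . $ext);
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // absent, or escaped the uploads tree (e.g. through a symlink)
    }
    return $full;
}

$parts = validateImageName((string)($_GET['I'] ?? ''));
$path  = ($parts === null) ? null : resolveUploadPath($parts[0], $parts[1]);

if ($path === null) {
    http_response_code(404);   // same answer for "bad name" and "no such file": nothing to enumerate
    exit;
}

// Check the bytes, not just the name: an upload called foo.jpg that is really HTML
// must not be served with an image Content-Type the browser might ignore anyway.
$detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if ($detected !== ALLOWED_TYPES[$parts[1]]) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . $detected);
header('X-Content-Type-Options: nosniff');   // stop browsers second-guessing the type
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Usage is the same as before, e.g. `<img src="/image.php?I=1195208745.jpg">`. The regex alone would already stop the "../test.jpg" request shown earlier in the thread; the realpath() containment check and the finfo check are there as defence in depth for the day the naming rule changes or an uploaded file is not what its name claims. If the host allows it, setting PHP's open_basedir to the web root adds one more layer that does not depend on this script being correct.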
pkSML Posted November 22, 2007

The script is much improved here --> http://code-bin.homedns.org/64

Same usage. Ex: image.php?I=1234567890.jpg