
Using PHP request to display image


phillips321


Hi guys,

I have images stored in the directory "/uploads/*********.jpg"

Rather than link directly to the image I would much rather be able to display the image on a webpage with some other HTML, i.e. www.example.com/image.php?i=******

I'm pretty sure I could easily write this code, but how do I go about securing the image variable passed to the server in the address field?

I wouldn't want the user to change the 'i' value to something like "../../../home/user/"

All of the names of the images are stored using a unix time stamp, e.g. 1195208745.jpg, 1195202879.jpg

Any idea on what I'm trying to achieve, guys?

Many thanks

Sorry for any typos etc. It's too early in the morning and I'm shattered :(

https://forums.phpfreaks.com/topic/78202-using-php-rewquest-to-display-image/

Here's a quick hacked image.php for ya:

<?php
ob_start();
session_start();

$path = '/uploads/';
$ext = '.jpg';
// Note: an <img src="..."> tag issues a GET request, so when this script is
// requested from the HTML below the value arrives in $_GET['I'], not $_POST['I'].
$filename = $path.$_POST['I'].$ext;

$contents = file_get_contents($filename);

ob_clean();
header("Content-type: image/jpeg"); // registered MIME type is image/jpeg, not image/jpg
echo $contents;

?>

 

You would call it like:

<img src="/image.php?I=1195208745">

ob_start starts the output buffer so no data is sent to the browser till the script executes fully. ob_clean clears the contents of the buffer so the output buffer does not get sent to the client. For the POST variable, what type of validation do you require?

Well, looking at the code it does not matter; it would only generate an error.

However, as you requested, you can try this:

 

<?php

// Note: an <img src="..."> tag issues a GET request, so $_POST['I'] is empty
// when this script is requested from the HTML above; the value is in $_GET['I'].
// The pattern is anchored (^ and $): an unanchored /\d{10}/ also accepts a
// value such as "../1234567890", which defeats the purpose of the check.
if (isset($_POST['I']) && preg_match("/^\d{10}$/", $_POST['I']))
{
    $path = '/uploads/';
    $ext = '.jpg';
    $filename = $path.$_POST['I'].$ext;

    $contents = file_get_contents($filename);

    header("Content-type: image/jpeg");
    echo $contents;
}
?>

For some reason the following block of code doesn't work (extra crap stripped out):

<html>
<head>
<title>ForumPix.co.uk - Upload your pictures for free and host them anywhere!</title>
</head>
<body>
<center>
<?php
// A query string such as ?I=00000003 is a GET parameter, so $_POST['I']
// is not set here and $filename stays empty.
$filename = $_POST['I'];
echo $filename;
echo '<IMG src="/uploads/'.$filename.'.jpg">';
?>
</center>
</body>
</html>

The output is a blank page with an image box that points to "http://www.forumpix.co.uk/uploads/.jpg"

Even the echo $filename; line doesn't output anything, so I guess there is a fault with getting it from the address line?

P.S. The address line tested was "http://www.forumpix.co.uk/image_test.php?I=00000003"; I have confirmed that the image /uploads/00000003.jpg exists.

 

The preg_match("/\d{10}/",$_POST['I']) line doesn't work at all (it won't execute the true if block of code).

If I remove it from the if variables I can produce the following issue:

By using the address line "www.domain.tld/image.php?I=../test.jpg" I can browse up a directory from the uploads folder.

Any ideas on how to secure it?

<?php
// No validation: whatever is passed as I goes straight into the path.
if (isset($_GET['I'])) {
    $image = $_GET['I'];
    echo '<IMG src="/uploads/'.$image.'.jpg">';
}
else {
    echo '<IMG src="error.jpg">';
}
?>

Secure it? Yes. This is easy, actually!

 

<?php
$folder = "./uploads/"; // Must have a trailing slash
$file = isset($_GET['I']) ? $_GET['I'] : ''; // Image number/name

$path_parts = pathinfo($file); // basename drops any directory part, e.g. ../ or ./

$filename = "{$folder}{$path_parts['basename']}"; // array keys must be quoted strings

// Only these extensions are served; anything else is refused rather than
// sent out with no Content-type.
$types = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
);
$ext = isset($path_parts['extension']) ? strtolower($path_parts['extension']) : '';

if (!is_file($filename)) {die("File doesn't exist.");}
elseif (!isset($types[$ext])) {die("Not an image.");}
else{
    header('Content-type: ' . $types[$ext]); // Output header
    header('Content-length: ' . filesize($filename));
    readfile($filename);
}
?>

 

You'll need to put the extension in the query string for this to work.

 

If you saved this script as image.php in your root WWW directory, here's how your HTML should look:

<img src="/image.php?I=000000004.jpg">
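A hardened image.php that combines the checks discussed in this thread: an anchored identifier pattern, path canonicalisation with a containment check on the uploads directory, and a content type taken from the file bytes rather than from the query string. This is an added example, not code from any post in the thread; it assumes PHP 7.1 or later, an ./uploads/ directory beside the script, and the thread's digits-plus-extension file naming (e.g. 1195208745.jpg).

```php
<?php
// image.php: serve one uploaded image selected by the "I" query parameter.
// Added example (not from the thread); assumes ./uploads/ beside this script.

function resolve_upload(string $id, string $uploadDir): ?string
{
    // 1. Allow-list the identifier's shape: digits, a dot, a known extension.
    //    The anchors matter: an unanchored /\d{10}/ also matches "../1234567890".
    if (!preg_match('/^\d{1,20}\.(jpe?g|png|gif)$/i', $id)) {
        return null;
    }
    // 2. Canonicalise both paths and check containment, so the upload
    //    directory cannot be escaped even if the pattern above is loosened later.
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

function image_content_type(string $path): ?string
{
    // 3. Derive the type from the bytes, not the name: a renamed .php or .html
    //    file that ended up in uploads must not be served as an image.
    $info = @getimagesize($path);
    $allowed = ['image/jpeg' => true, 'image/png' => true, 'image/gif' => true];
    if ($info === false || !isset($allowed[$info['mime']])) {
        return null;
    }
    return $info['mime'];
}

$file = resolve_upload((string)($_GET['I'] ?? ''), __DIR__ . '/uploads');
$type = $file !== null ? image_content_type($file) : null;
if ($type === null) {
    // Same response for "bad id", "outside uploads" and "not an image":
    // the client learns nothing about which check failed.
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff'); // browser must not second-guess the type
readfile($file);
```

Call it exactly as in the post above, `<img src="/image.php?I=000000004.jpg">`; a request such as `?I=../test.jpg` fails the pattern and, even if it did not, fails the realpath containment check.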
