
Hi guys,


I have images stored in the directory "/uploads/*********.jpg"


Rather than link directly to the image, I would much rather be able to display the image on a webpage with some other HTML, i.e. www.example.com/image.php?i=******


I'm pretty sure I could easily write this code, but how do I go about securing the image variable passed to the server in the address field?


I wouldn't want the user to change the 'i' value to something like "../../../home/user/".


All of the names of the images are stored using a unix time stamp, e.g. 1195208745.jpg, 1195202879.jpg


Any idea on what I'm trying to achieve, guys?


Many thanks


Sorry for any typos etc. It's too early in the morning and I'm shattered :(


Here's a quick hacked image.php for ya:


$path = '/uploads/';
$ext = '.jpg';
$filename = $path.$_POST['I'].$ext;

$contents = file_get_contents($filename);

header("Content-type: image/jpg");
echo $contents;



you would call it like

<img src="/image.php?I=1195208745">

ob_start starts the output buffer, so no data is sent to the browser till the script executes fully. ob_clean clears the contents of the buffer, so the output buffer does not get sent to the client. For the POST variable, what type of validation do you require?

Well, looking at the code it does not matter; it would only generate an error.


However, as you requested, you can try this:



// Only serve the file when I is present and is exactly ten digits
// (anchored with ^ and $ so "../1195208745" cannot slip through)
if (isset($_POST['I']) && preg_match("/^\d{10}$/", $_POST['I'])) {
    $path = '/uploads/';
    $ext = '.jpg';
    $filename = $path.$_POST['I'].$ext;

    $contents = file_get_contents($filename);

    header("Content-type: image/jpg");
    echo $contents;
}

For some reason the following block of code doesn't work (extra crap stripped out):

<title>ForumPix.co.uk - Upload your pictures for free and host them anywhere!</title>
$filename = $_POST['I'];
echo $filename;
echo '<IMG src="/uploads/'.$filename.'.jpg">';

the output is a blank page with an image box that points to "http://www.forumpix.co.uk/uploads/.jpg"

Even the echo $filename; line doesn't output anything, so I guess there is a fault with getting it from the address line?


P.S. The address line tested was "http://www.forumpix.co.uk/image_test.php?I=00000003"; I have confirmed that the image /uploads/00000003.jpg exists.


The preg_match("/\d{10}/",$_POST['I']) line doesn't work at all (it won't execute the true if block of code).


If I remove it from the if variables, I can produce the following issue:

By using the address line "www.domain.tld/image.php?I=../test.jpg", I can browse up a directory from the uploads folder.


Any ideas on how to secure it?


$image = $_GET['I'];
if (isset($image)) {
    echo '<IMG src="/uploads/'.$image.'.jpg">';
} else {
    echo '<IMG src="error.jpg">';
}

Secure it? Yes. This is easy, actually!


$folder = "./uploads/"; // Must have a trailing slash
$file = $_GET['I']; // Image number/name

$path_parts = pathinfo($file); // Only the basename is used below, so ../ and ./ are stripped

$filename = "{$folder}{$path_parts['basename']}";

if (!file_exists($filename)) { die("File doesn't exist."); }

// Output header for the recognised image types only
if ($path_parts['extension'] == "jpg") { header('Content-type: image/jpeg'); }
elseif ($path_parts['extension'] == "png") { header('Content-type: image/png'); }
elseif ($path_parts['extension'] == "gif") { header('Content-type: image/gif'); }
elseif ($path_parts['extension'] == "jpeg") { header('Content-type: image/jpeg'); }
else { die("Not an image."); }
header('Content-length: ' . filesize($filename));
readfile($filename); // Send the image data itself


You'll need to put the extension in the query string for this to work.


If you saved this script as image.php in your root WWW directory, here's how your HTML should look:

<img src="/image.php?I=000000004.jpg">
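
As an added example (not code from this thread or its posters), here is a hardened image.php that puts the pieces above together: an anchored allow-list on the name itself (the uploader's 10-digit timestamp plus an image extension), a realpath() containment check against the uploads directory, and the correct Content-Type. It assumes the uploads folder sits beside the script and the query parameter is still I.

```php
<?php
// Added example, not the thread's own code: a hardened image.php.
// Assumptions: uploads live in ./uploads beside this script, the query
// parameter is I, and file names follow the 10-digit timestamp scheme.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';
const IMAGE_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

/**
 * Map the untrusted query value to a safe absolute path, or null.
 * Layer 1: allow-list the name, so "../", ".php", NUL bytes and the like
 *          are rejected before the filesystem is touched.
 * Layer 2: resolve with realpath() and require the file to sit directly
 *          inside the uploads directory (also catches symlinks out of it).
 */
function resolve_image(string $param, string $dir = UPLOAD_DIR): ?string
{
    // Anchored: an unanchored /\d{10}/ would also match "../1195208745.jpg".
    if (!preg_match('/^\d{10}\.(jpe?g|png|gif)$/', $param)) {
        return null;
    }
    $base = realpath($dir);
    $real = realpath($dir . DIRECTORY_SEPARATOR . $param);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved file's parent must be the uploads dir itself.
    if (dirname($real) !== $base) {
        return null;
    }
    return $real;
}

$param = $_GET['I'] ?? '';
$path = is_string($param) ? resolve_image($param) : null; // I[]=x is rejected too
if ($path === null) {
    http_response_code(404); // same answer for bad input and missing file
    exit('File not found.');
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . IMAGE_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff'); // stop browsers sniffing it as HTML
readfile($path);
```

Call it as `<img src="/image.php?I=1195208745.jpg">`; anything that is not exactly a timestamp-named image inside uploads gets a 404 rather than a directory listing or a stray file.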
