
Limit resample image path with get request.

Posted: Mon Jan 15, 2007 7:02 pm
by WaldoMonster
I want to limit resampling of images to those from a website or a local images directory.
The $image variable is coming from a get request.

Is it enough to check the left side (lines 4 & 5) of the $image request?
Can this be tricked with some escape characters?
If so is there something similar to mysqli_real_escape_string or escapeshellarg() for the ImageCreateFromJpeg() function?

Code:

function ResampleImage($image, $size)
{
authenticate('access_config');
if (substr($image, 0, 7) != 'http://' &&
    substr($image, 0, 7) != 'images/') exit();

header('Content-type: image/jpeg');

$extension = substr(strrchr($image, '.'), 1);
$extension = strtolower($extension);
if ($extension == 'jpg')	$src_image = @ImageCreateFromJpeg($image) or exit();
elseif ($extension == 'png') $src_image = @ImageCreateFromPng($image) or exit();
elseif ($extension == 'gif') $src_image = @ImageCreateFromGif($image) or exit();
else exit();

// etc…
}

Posted: Mon Jan 15, 2007 7:05 pm
by feyd
What if it's https or ftp or some other protocol?

realpath() should be useful.

Posted: Mon Jan 15, 2007 7:26 pm
by WaldoMonster
I don’t need another protocol for my program.
Mainly I want to resample images from some websites like http://images.amazon.com/images/….
And some local images like image/image.gif.
Maybe it is better to sum up the local images in an array() and use in_array().

Posted: Tue Jan 16, 2007 2:28 am
by Mordred
I fail to see the purpose of this check. feyd already pointed out the problem with the local filenames, and checking whether something comes from this or that protocol is pretty useless.

Forget about "local images in an array()"; just make sure (realpath + dirname) that it's the correct directory and that the file is is_readable().
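
Below is a worked version of what feyd and Mordred describe, as an added example and not code posted in this thread. It splits the two cases the original function mixes: a local name is resolved with realpath() and compared against a fixed base directory (a plain substr() prefix check passes "images/../something.jpg"), while a URL is accepted only for http and only for the hosts the thread mentions, so php://, ftp:// and arbitrary remote hosts are rejected. The image type is then taken from the file contents with getimagesize() rather than from the extension the client chose. IMAGE_BASE_DIR, ALLOWED_HOSTS and the helper names are assumptions for the example; the host names are those given in the thread.

```php
<?php
// Added example, not the poster's code. Settings below are hypothetical.
const IMAGE_BASE_DIR = __DIR__ . '/images';
const ALLOWED_HOSTS  = ['images.amazon.com', 'images-eu.amazon.com'];

// Resolve a client-supplied relative name to a readable file inside
// IMAGE_BASE_DIR, or return null if it escapes or does not exist.
function resolveLocalImage($image)
{
    if (strpos($image, "\0") !== false) {
        return null;                            // embedded NUL, never legitimate
    }
    $base = realpath(IMAGE_BASE_DIR);
    $real = realpath(IMAGE_BASE_DIR . '/' . $image);
    if ($base === false || $real === false) {
        return null;                            // missing file or base dir
    }
    // Compare the canonical path plus a separator so that a sibling
    // directory such as "images2" cannot pass as "images".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                            // "../" or symlink escape
    }
    if (!is_file($real) || !is_readable($real)) {
        return null;
    }
    return $real;
}

// Accept only http URLs on the allow-listed hosts.
function resolveRemoteImage($image)
{
    $parts = parse_url($image);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (strtolower($parts['scheme']) !== 'http') {
        return null;                            // rejects php://, ftp://, data:, ...
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;                            // only the sites we resample from
    }
    return $image;
}

// Decide the decoder by content, not by the extension in the request.
function loadImage($source)
{
    $info = @getimagesize($source);
    $type = $info ? $info[2] : 0;
    switch ($type) {
        case IMAGETYPE_JPEG: return @imagecreatefromjpeg($source);
        case IMAGETYPE_PNG:  return @imagecreatefrompng($source);
        case IMAGETYPE_GIF:  return @imagecreatefromgif($source);
        default:             return false;      // anything else is refused
    }
}

function ResampleImage($image, $size)
{
    // authenticate('access_config');           // as in the original function
    $source = (stripos($image, 'http://') === 0)
        ? resolveRemoteImage($image)
        : resolveLocalImage($image);
    if ($source === null) {
        http_response_code(400);
        exit();
    }
    $src_image = loadImage($source);
    if ($src_image === false) {
        http_response_code(415);
        exit();
    }
    header('Content-type: image/jpeg');
    // ... resample $src_image to $size and output it with imagejpeg()
}
```

The prefix comparison allows subdirectories below images/; if only files directly in that directory should be accepted, replace it with dirname($real) === $base, which is the dirname() check Mordred suggests. Remote loading relies on allow_url_fopen being enabled, and the remote file is fetched twice (once by getimagesize(), once by the decoder); download it once into a temporary file first if that matters.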

Posted: Tue Jan 16, 2007 5:53 am
by WaldoMonster
Mordred wrote:I fail to see the purpose of this check. feyd already pointed out the problem with the local filenames,
Ok
Mordred wrote:and checking whether something comes from this or that protocol is pretty useless.
This is needed because I want to resample images from other web sites like:
http://images-eu.amazon.com/...
http://images.amazon.com/...
etc..
Mordred wrote:Forget about "local images in an array()"; just make sure (realpath + dirname) that it's the correct directory and that the file is is_readable().
Ok, now I see it is indeed a good idea :oops: