Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Where $img is user-defined (probably a $_GET value with the quotes stripped) Would this in any way compromise security?
The only way I see this being a problem is if a malicious user makes an unsuspecting victim click a link with some malicious content in the URL query to try to compromise him, but I don't use cookies on this site at all so there is no issue of stealing sessions.
Even if you strip single quotes, IE 6 is still vulnerable to <img src="javascript:alert(String.fromCharCode(88,83,83)" /> and others (from http://ha.ckers.org/xss.html)
Worse, the things <img> embeds need not be images. A user could embed http://www.yoursite.com/logout.php and log everyone out, or do much worse things. Even if you check for a valid image extension, the attacker could use http://www.yoursite.com/logout.php?.jpg or an image on their server which uses htaccess to redirect requests. Were you to program some way to check MIME types and status codes for the image, the attacker could just serve one thing to your server and the attack to everyone else.
Check for a valid image extension and hope you don't make anyone competent angry.
If the attacker wants to implement his redirect anyway why would he use my site in the first place? He will just manuver the victim to click on his own link.
Note that I am not allowing a user to define what image is seen by everyone, it's not like a forum post or something. It's as simple as http://www.example.com/gallery.php?img=spongebob results in 'spongebob.jpg' being displayed. It's just a personal GET query. Nothing server wide. According to me the only way to exploit this is to make a victim click a link that has something evil in the GET url, because the attacker can do nothing by hacking his own front-end.
Edit: cut you made a good point. I shall check for image extensions. Thanks.
Good point. I think I'll just make a database of ID to URL mapping and implement something like gallery.php?id=4 so that I know for sure what the outcome will be.