
JelvisChan

macrumors member
Original poster
Jan 9, 2009
Hello everyone, I have a question about this PHP Script that I have.

The script is involved with a guestbook. I have a textbox that is named image.

When you submit the form, the text goes into a database, and the post is viewed on the guestbook homepage. This is a typical, normal guestbook.
What I want to do is allow the user to add images to it with <img src="...">

What I tried doing was this:

<b>IMAGE:</b>
<img src="<?php echo $row['image']; ?>"> </div>

['image'] is the name of the textbox where you put the image location

I thought that this would be like this:

-Say I entered an image at www.example.com/image.png
-The script would translate this as:
<img src="www.example.com/image.png">

I tried the script out, but it doesn't work.

Does anyone have any ideas to what could be wrong?

Thanks,

Jelvis
 
I think it would also need the http:// part as well. You need to be really careful about allowing this though. You could become victim of remote file inclusion attacks very easily when you start letting people embed data from other sites that you do not control. They could link in a malicious image file that executes code on your web site, or if you don't even check the file extension they could link to a PHP file. Someone could do some serious damage to your web site needless to say. Image exploit. You have been warned, so don't become a victim.

You'd be better off getting them to upload an image, then test the image and if all is good, have the image embedded onto the guest book post and reference the image locally from your site.
 
On top of all that, someone could easily close the image tag and put literally anything on the page.
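The point raised just above, that the stored value can close the src="..." attribute and put arbitrary markup on the page, is the first thing to fix. The following is an added example, not code posted in this thread. It assumes the raw textbox value arrives as $row['image'] as the original poster described; the allowed schemes and extensions and the function name renderImageTag() are this example's own choices. It rejects anything that is not a plain http/https URL ending in an image extension, rebuilds the URL from the parsed components, and escapes it before it reaches the attribute:

```php
<?php
// Added example (not from the thread): render a user-supplied image URL safely.
// renderImageTag() returns an <img> tag, or an empty string when the value is rejected.
// Assumptions: the guestbook stores the raw textbox value in $row['image'];
// the allowed schemes and extensions below are this example's choice.

function renderImageTag(string $userValue): string
{
    $allowedSchemes = ['http', 'https'];
    $allowedExt     = ['jpg', 'jpeg', 'png', 'gif'];

    // parse_url() lets us inspect each component instead of trusting a
    // substring check for "http" at the start of the string.
    $parts = parse_url(trim($userValue));
    if ($parts === false || empty($parts['scheme']) || empty($parts['host']) || empty($parts['path'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), $allowedSchemes, true)) {
        return ''; // blocks javascript:, data:, file: and similar schemes
    }
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return ''; // also rejects a .php or double-extension tail
    }

    // Rebuild the URL from the validated components so stray fragments or
    // user-info in the original input never reach the attribute.
    $clean = $parts['scheme'] . '://' . $parts['host']
           . (isset($parts['port']) ? ':' . (int) $parts['port'] : '')
           . $parts['path']
           . (isset($parts['query']) ? '?' . $parts['query'] : '');

    // Escaping with ENT_QUOTES is what stops a value from closing the src="..."
    // attribute and injecting markup, the problem raised in the reply above.
    return '<img src="' . htmlspecialchars($clean, ENT_QUOTES, 'UTF-8') . '" alt="">';
}

// Constructed sample inputs, standing in for $row['image'] values from the database.
$samples = [
    'www.example.com/image.png',                            // no scheme: rejected, user must supply http://
    'http://www.example.com/image.png',                     // accepted
    'https://example.com/pics/a.jpg?v=2',                   // accepted, query string kept
    'javascript:alert(1)',                                  // rejected: no host, scheme not allowed
    'http://example.com/x.png"><script>alert(1)</script>',  // breakout attempt: rejected by the extension
                                                            // check, and escaped even if it had passed
    'http://example.com/shell.php',                         // rejected: extension not allowed
];
foreach ($samples as $s) {
    $tag = renderImageTag($s);
    echo $s, ' => ', ($tag === '' ? '[rejected]' : $tag), PHP_EOL;
}
```

Rebuilding the URL from parsed parts rather than echoing the original string means the only characters that can reach the page are the ones parse_url classified as scheme, host, port, path or query, and htmlspecialchars() then neutralises any quote or angle bracket that survives in those.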
 
Yeah, but what's the code, guys?

Either force them to enter the http: part or you add it yourself. Here's some sample code you can look at. I haven't tested it all though, and it doesn't protect against all potential exploits. I'd personally still avoid letting them link images.

PHP:
$imgsrc = $row['image'];
$error = false;

// Add http:// part if it wasn't supplied
if (substr($imgsrc, 0, 4) != 'http') {
  $imgsrc = 'http://' . $imgsrc;
}
// Basic check if image url is in correct format.
// The $ anchor makes the image extension the end of the URL, so a tail
// such as "image.png.php" or a trailing quote can't slip through.
if (!preg_match('!^http://(www\.)?[A-Za-z][\w\.-]+\.[A-Za-z]{2,4}/[\w~%+/-]+\w\.(jpg|png|gif)$!i', $imgsrc)) {
  // image url badly formed, do something, and don't use image source in code
  $error = true;
}
// See if image really exists (only make the network request if the format check passed)
if (!$error && checkRemoteFile($imgsrc)) {
  // then remote image exists; escape it before placing it in an attribute
  echo '<img src="', htmlspecialchars($imgsrc, ENT_QUOTES, 'UTF-8'), '">';
}

// From: http://php.net/manual/en/function.getimagesize.php
function checkRemoteFile($url)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    // don't download content
    curl_setopt($ch, CURLOPT_NOBODY, 1);
    curl_setopt($ch, CURLOPT_FAILONERROR, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // don't let a slow or unresponsive remote host hang the page render
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);

    $ok = (curl_exec($ch) !== FALSE);
    curl_close($ch);
    return $ok;
}
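The upload-then-verify approach that both earlier replies prefer over linking remote images, as an added example that is not code from this thread. It assumes the form field is still named image as in the original post, a web-served directory this example calls UPLOAD_DIR (which the web server must be configured not to execute scripts from), and a 2 MiB size limit; the function names storeUploadedImage() and localImageTag() are this example's own. The file's actual bytes decide its type, the stored file name is generated on the server, and only that name goes into the guestbook row:

```php
<?php
// Added example (not from the thread): accept an uploaded image, verify it from
// its bytes, store it under a server-chosen name and reference it locally.
// Assumptions: form field "image" (as in the original post), UPLOAD_DIR is served
// by the web server but never executed, limits and allowed types are this example's.

const UPLOAD_DIR = __DIR__ . '/uploads';   // must not be executable by the web server
const MAX_BYTES  = 2 * 1024 * 1024;        // 2 MiB
const ALLOWED    = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

/**
 * Validate one $_FILES entry (e.g. $_FILES['image']) and store it.
 * Returns the server-generated file name on success, or null if rejected.
 */
function storeUploadedImage(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // getimagesize() parses the actual bytes; the client-supplied file name and
    // MIME type are ignored entirely because the uploader controls both.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        return null;
    }
    // Server-chosen name with an extension derived from the detected type, so a
    // client name like "shell.php" or "a.png.php" never becomes the stored name.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info[2]];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        return null;
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $name;
}

/** Tag for a stored image; the name is server-generated, so escaping here is defence in depth. */
function localImageTag(string $storedName): string
{
    return '<img src="/uploads/' . htmlspecialchars($storedName, ENT_QUOTES, 'UTF-8') . '" alt="">';
}

// Usage in the guestbook form handler:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    $stored = storeUploadedImage($_FILES['image']);
    if ($stored === null) {
        echo 'Image rejected: upload a JPEG, PNG or GIF under 2 MiB.';
    } else {
        // Save $stored (never the user's original file name) in the guestbook row,
        // then render it with localImageTag($row['image']) on the guestbook page.
        echo localImageTag($stored);
    }
}
```

Because nothing from the client (name, declared type, or a URL) ever reaches the file system or the page, the remote-inclusion and tag-breakout concerns from the earlier replies do not apply to this path; the remaining requirement is the deployment one noted in the comments, that the uploads directory is served as static files only.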
 