All PHP Programmers - Problem with Script, support please.

Discussion in 'Web Design and Development' started by JelvisChan, Nov 7, 2009.

  1. JelvisChan macrumors member

    Joined:
    Jan 9, 2009
    #1
    Hello everyone, I have a question about this PHP Script that I have.

    The script is involved with a guestbook. I have a textbox that is named image.

    When you submit the form, the text goes into a database, and the post is viewed on the guestbook homepage. This is a typical, normal guestbook.
    What I want to do is allow the user to add images to it with <img src="...">

    What I tried doing was this:

    <b>IMAGE:</b>
    <img src="<?php echo $row['image']; ?>"> </div>

    ['image'] is the name of the textbox where you put the image location

    I thought that this would be like this:

    -Say I entered an image at www.example.com/image.png
    -The script would translate this as:
    <img src="www.example.com/image.png">

    I tried the script out, but it doesn't work.

    Does anyone have any ideas to what could be wrong?

    Thanks,

    Jelvis
     
  2. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #2
    I think it would also need the http:// part as well. You need to be really careful about allowing this though. You could become a victim of remote file inclusion attacks very easily when you start letting people embed data from other sites that you do not control. They could link in a malicious image file that executes code on your web site, or if you don't even check the file extension they could link to a PHP file. Someone could do some serious damage to your web site, needless to say. Image exploit. You have been warned, so don't become a victim.

    You'd be better off getting them to upload an image, then test the image and if all is good, have the image embedded onto the guest book post and reference the image locally from your site.
     
  3. tschoftner macrumors member

    tschoftner

    Joined:
    Apr 14, 2007
    Location:
    Austria
    #3
    Yep, definitely insert "http://" before the www
     
  4. JelvisChan thread starter macrumors member

    Joined:
    Jan 9, 2009
  5. rowsdower macrumors 6502

    Joined:
    Jun 2, 2009
    #5
    On top of all that, someone could easily close the image tag and put literally anything on the page.
     
  6. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #6
    Either force them to enter the http: part or you add it yourself. Here's some sample code you can look at. I haven't tested it all though, and it doesn't protect against all potential exploits. I'd personally still avoid letting them link images.

    PHP:
    $imgsrc = $row['image'];
    $error = false;

    // Add http:// part if it wasn't supplied
    if (substr($imgsrc, 0, 4) != 'http') {
        $imgsrc = 'http://' . $imgsrc;
    }
    // Basic check if image url is in correct format.
    // Anchored with $ so nothing can be appended after the image extension.
    if (!preg_match('!^http://(www\.)?[A-Za-z][\w\.-]+\.[A-Za-z]{2,4}/[\w~%+/-]+\w\.(jpg|png|gif)$!i', $imgsrc)) {
        // image url badly formed, do something, and don't use image source in code
        $error = true;
    }
    // See if image really exists; only contact the remote host once the
    // format check has passed
    if (!$error && checkRemoteFile($imgsrc)) {
        // then remote image exists; escape the value so it cannot break out
        // of the attribute
        echo '<img src="' . htmlspecialchars($imgsrc, ENT_QUOTES, 'UTF-8') . '">';
    }

    // From: http://php.net/manual/en/function.getimagesize.php
    function checkRemoteFile($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        // don't download content
        curl_setopt($ch, CURLOPT_NOBODY, 1);
        curl_setopt($ch, CURLOPT_FAILONERROR, 1);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

        $ok = (curl_exec($ch) !== false);
        curl_close($ch);
        return $ok;
    }
     
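    One way to put together the advice from posts #2, #5 and #6 (validate the URL before using it, and escape it so a value cannot close the tag). This is an added example, not code from the thread or from any of the posters; it assumes the value still arrives as $row['image'], uses PHP's built-in filter_var/parse_url instead of the hand-written regex above, and leaves out the remote HEAD request. The sample rows at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Validates a user-supplied image URL
// from the guestbook and renders it with output escaping.

/**
 * Return a validated http(s) image URL, or null if it must not be embedded.
 * Only absolute http/https URLs whose path ends in a known image extension
 * are accepted; the extension check is anchored at the end of the path, so
 * nothing can be smuggled in after ".png".
 */
function validateImageUrl(string $input): ?string
{
    $url = trim($input);

    // Add the scheme if the user typed only "www.example.com/image.png"
    if (!preg_match('!^https?://!i', $url)) {
        $url = 'http://' . $url;
    }

    // General URL syntax check (host present, no whitespace, ...)
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    $parts = parse_url($url);
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;   // rejects javascript:, data:, file:, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;   // no credentials embedded in the URL
    }
    if (!preg_match('/\.(jpe?g|png|gif)$/i', $parts['path'] ?? '')) {
        return null;   // only image extensions, and nothing after them
    }
    return $url;
}

/**
 * Build the <img> tag. htmlspecialchars with ENT_QUOTES turns any quote or
 * angle bracket into an entity, which is what stops the "close the tag and
 * put anything on the page" problem from post #5.
 */
function renderImageTag(string $input): string
{
    $url = validateImageUrl($input);
    if ($url === null) {
        return '';     // never echo the raw input as a fallback
    }
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
}

// Constructed sample values, standing in for $row['image'] from the database
$samples = [
    'www.example.com/image.png',                         // accepted, scheme added
    'https://example.com/pics/photo.jpg',                // accepted as-is
    'http://example.com/image.png"><i>not an image</i>', // tries to close the tag
    'javascript:alert(1)',                               // not http(s)
    'http://example.com/script.php',                     // not an image extension
];
foreach ($samples as $s) {
    $tag = renderImageTag($s);
    echo $s, "\n  -> ", ($tag === '' ? '(rejected)' : $tag), "\n";
}
```

    The two functions are deliberately separate: validateImageUrl decides whether a value is allowed at all, and renderImageTag escapes whatever survives, so a slip in the validation rules still does not let a value break out of the attribute. Keeping images uploaded and served locally, as suggested in post #2, removes the remote-fetch concern entirely.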
  7. JelvisChan thread starter macrumors member

    Joined:
    Jan 9, 2009
    #7
    Thank you all very much!
    I will look into all your code!

    Jelvis
     
