Hey all, I have been working on a custom photo application and am getting close to finishing up my 1.0 version. My question today is can anybody think of any possible exploits to this design?
The image serving portion utilizes the URL instead of passing parameters. Ex: /image/1234/200 instead of /image?id=1234&size=200
It ends up looking like this:
photography.jeffknox.com/image/220003/t
photography.jeffknox.com/image/220003/200
photography.jeffknox.com/image/220003/400
photography.jeffknox.com/image/220003
The "t" in the first link is shorthand for a thumbnail. I see I have a bug in the default sized last one. It should be 600 px wide. I was doing some work on that code and need to check my answers.
A bad link or unknown ID results in a missing image:
photography.jeffknox.com/image/xxx/400
So my question today is, can anybody think of any issues with this method of serving images? I'm using prepared statements and cleaning input so there shouldn't be any SQL injection issues.
Thanks
Edit: Fixed default size bug.
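One way to validate the two path segments of the /image/ID/SIZE scheme before either reaches the database or the resizer, as an added example in Python (not code from the app described in the post). The thumbnail width, the ID length cap and the set of known IDs are assumptions; the post only gives the "t" shorthand, the 600 px default and the "missing image" behaviour for an unknown ID.

```python
import re
from typing import Optional, Tuple

THUMB_WIDTH = 100      # assumed; the post does not state the thumbnail width
DEFAULT_WIDTH = 600    # default width from the post (no size segment)

# Only these size segments are ever rendered. Anything else (e.g. 99999)
# is rejected instead of being resized on demand, so a request cannot
# pick an arbitrary output dimension.
SIZE_ALLOWLIST = {"t": THUMB_WIDTH, "200": 200, "400": 400, "600": 600}

# IDs in the post are plain integers (e.g. 220003). Accepting digits only,
# with a length cap, means the ID can never carry quotes, slashes or dots
# into a query or a file path. The cap of 12 digits is an assumption.
ID_PATTERN = re.compile(r"[0-9]{1,12}")

# Constructed stand-in for the database lookup.
KNOWN_IDS = {220003, 220004}


def parse_image_path(path: str) -> Optional[Tuple[int, int]]:
    """Return (image_id, width) for a well-formed /image/... path, else None."""
    parts = path.strip("/").split("/")
    if len(parts) not in (2, 3) or parts[0] != "image":
        return None
    raw_id = parts[1]
    if not ID_PATTERN.fullmatch(raw_id):
        return None          # "xxx", "../x", empty segment: all rejected here
    if len(parts) == 2:
        return int(raw_id), DEFAULT_WIDTH
    width = SIZE_ALLOWLIST.get(parts[2])
    if width is None:
        return None          # unlisted size: treated like a bad link
    return int(raw_id), width


def resolve(path: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Map a request path to ("ok", id, width) or ("missing", None, None)."""
    parsed = parse_image_path(path)
    if parsed is None or parsed[0] not in KNOWN_IDS:
        return "missing", None, None
    return "ok", parsed[0], parsed[1]
```

Validation happens once, before the ID is used in the prepared statement or mapped to a stored file, so the query layer never sees anything but a bounded integer.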