Menu
I have a page where people can link to their pictures.
I have a script to process this and make sure that the link is actually an image. This is done through getimagesize().
However, my new webserver does not allow getimagesize to be used on an URL and I don’t know why.
Are there any other solution to make sure that a specified URL is a real image?
PS. This is the error I get
[code]
Warning: getimagesize() [function.getimagesize] URL file-access is disabled in the server configuration
Any help is greatly appriciated.
Ok, thanks for your help.
I will talk to the host to see if they can activate allow_url_fopen.[/QUOTE]
Well, they refuse to turn on allow_url_fopen but they agreed to cURL, so I will handle the problem with curl.
Thanks for your help.[/QUOTE]
[code=php]
// Get an image from an url
function imgfromurl($url, $destroy = 1, $tar = null) {
$headers[0] = "Accept: image/gif, image/jpeg, image/png";
$ch = curl_init();
// Path
curl_setopt($ch, CURLOPT_URL, $url);
// No headers
curl_setopt($ch, CURLOPT_HEADER, 0);
// Only the file
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
// User agents to mimic a browser
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10');
// Binary transfer
curl_setopt($ch, CURLOPT_BINARYTRANSFER, 1);
$raw = curl_exec($ch);
curl_close($ch);
// Check for 404 errors
if (preg_match('/404/is', $raw))
die("Invalid image url.");
$time = time();
// See if it ends on jp(e)g, gif or png
if (preg_match('/s*((https?|ftp)://S+[.S+]+.jpe?g)s*/is', $url))
$fname = "temp".$time.".jpg";
else if (preg_match('/s*((https?|ftp)://S+[.S+]+.gif)s*/is', $url))
$fname = "temp".$time.".gif";
else if (preg_match('/s*((https?|ftp)://S+[.S+]+.png)s*/is', $url))
$fname = "temp".$time.".png";
else
die("Invalid file type.");
// Any extra directory
$fname = $tar.$fname;
// Create file
$fp = fopen($fname, "w+");
fwrite($fp, $raw);
fclose($fp);
// File size
$size = filesize($fname);
$size = $size/1024;
@getimagesize($fname) or die("Invalid file type.");
// Get image size
$info = getimagesize($fname);
// Delete the file
if ($destroy)
unlink($fname);
array_push($info, $size);
return $info;
}
// Usage
$URL = "http://example.com/image.jpg";
list($width, $height, $type, $attr, $size) = imgfromurl($URL);
// From here you can do your own security checks
[/code]
Btw, can something similar be used to import xml documents from urls? [/QUOTE]yep! ?
[CODE]http://www.site.com/script.php/image.jpg[/CODE]
so, I do not keep the uploaded file, I only use it in an <img> tag. What kind of security issues are there, and how can I prevent it[/QUOTE]
[code=php]
$url = "myfile.xml";
$file = new DOMDocument();
$file->load("$url");
[/code]
[code=php]
//eg
//$_FILES['uploadedfile']['name']='file.jpg';
//$_FILES['uploadedfile']['name']='file.jpg.php';
$whitelist=array('gif','jpg','png');
foreach($whitelist as $ext){
if(preg_match('/.'.$ext.'$/i',$_FILES['uploadedfile']['name']))$accept=1;
}
if(isset($accept)){
echo 'accept';
}else{
echo 'reject';
}[/code]
[CODE]
script.php?imageid=123
image.jpg/123[/CODE]
[code=html]<img src="http://anysite.com/script.php?imgid123" />[/code]
0.1.9 — BETA 5.29