tags:

views:

49

answers:

4
Q: 

How is $_GET set in this image-resize code?

Hello,

I am working with a script for resizing images. I seem to be getting an error:

Error: no image was specified
Probably because of this code in the script(image.php): 

    if (!isset($_GET['image']))
    {
        header('HTTP/1.1 400 Bad Request');
        echo 'Error: no image was specified';
        exit();

}

Here is what I'm doing(profile.php): 

$your_image = $row['Image'];
$path_to_image = $row['PortraitPath'];
$width = 100;
$height = 100;

echo "<img src=\'/image.php/{$your_image}?width={$width}&amp;height={$height}&amp;cropratio=1:1&amp;image={$path_to_img}\' alt=\'Alt text goes here.\' />";

Therefore, I am reading $your_image and $path_to_image from a MySQL table, and then putting it in the img source. As mentioned above, obviously, image is not set, that is why I am getting that first error. What I don't get is, how will the image actually even be set with my img src code? Aren't I simply displaying the actual image? Then how will image even be set if a picture is simply being displayed? Thank you.

A: 

The URl for the image contains ?foo=bar&this=that&image=path. These variables will be passed to the image.php script in the $_GET array.

Sjoerd  2010-07-21 20:01:53
And the actual answer is?
Wrikken  2010-07-21 20:03:13
A: 

If you want to source a php file instead an image, you need to tell your php file that the output will be an image. You can do this using the php header() function, like this: 

header('Content-type: image/jpeg');

Here is some reference: php header function

About the address you are point to, isn't a bit weird? You have a slash right after the .php, which suggest that you are trying to access some folder... Did you tested this url to see if a real image are being outputted on the screen?

Hope this can help you =)

Fabiano  2010-07-21 20:11:16
A: 

As a word of warning, in your profile.php's code I saw this fragment:

image={$path_to_img}

Depending on how you deal with the value of $_GET['image'] this may result in a RFI vulnerability. The user could forge a GET request to image.php with their own "image" path.

sigint  2010-07-21 20:18:02
A: 

A couple things that I noticed, I'm not sure how much of the code you modified before posting it here...

1a) Don't escape the single quotes if you are using double quotes to encompass it.

OR

1b) Change the escaped single quotes to escaped double quotes.

2) In the URL you are using $path_to_img but the variable you have defined is $path_to_image. Make them consistent.

pferate  2010-07-22 00:59:09

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL