
Can I "echo" a .jpg image through php without processing it?

Imagine the following:

<img src="/image.php?image=5.jpg" /> 

Now, in image.php :

    header('content-type: image/jpeg');
    $image = imagecreatefromjpeg($_GET['image']);
    imagejpeg($image, NULL, 100);

This works, but this way the script loads the image, processes it, and then repeats it. Can this be done without image processing?

The reason I want to do this is because I don't want people to know where the images are located, so I don't want to write the full path to the img src attribute.

I just need to send the raw images to the browser, but not showing their true location.

+6
3 answers

Yes, you can. Just use readfile instead of imagecreatefromXXX + imagejpeg.

    header('Content-Type: image/jpeg');
    $src = /* process $_GET['image'] to recover the path */;
    readfile($src);

The /* process $_GET['image'] to recover the path */ stands for any sanitization you need to do on the input to keep someone from requesting a forbidden file. If your script's input is the path to the file, this may mean checking against a predefined list, stripping possible directory separators, checking against a regular expression, etc. Another way is to store the paths in a database, pass the script a simple identifier, and recover the path from it. This might be a better idea, as users will not see any file path in the script URL (if you just pass the path, people can actually guess where the files are, which is what you are trying to prevent).

+11

Of course, using readfile. Remember to limit the names of allowed images. Otherwise, you will create a directory traversal vulnerability.

    header('content-type: image/jpeg');
    $img = preg_replace('/[^0-9a-z\._\-]/', '_', $_GET['image']);
    readfile($img);

+10
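
The name allowlist and canonical-path check that the first two answers describe, written out as an added example (not code from the thread). `IMAGE_DIR`, `resolve_image` and `serve_image` are names assumed here, and the images are assumed to live in a directory outside the web root.

```php
<?php
// Added example, not code from the thread. IMAGE_DIR is an assumed location
// outside the web root, so the files are reachable only through this script.
const IMAGE_DIR = '/var/www/private_images';

// Map the untrusted ?image= value to a file inside $baseDir, or return null.
function resolve_image(string $requested, string $baseDir): ?string
{
    // 1. Allowlist the name: a single path component ending in .jpg/.jpeg.
    //    Rejects "/", "\", NUL bytes, dot-files and scripts such as image.php.
    if (!preg_match('/\A[0-9A-Za-z][0-9A-Za-z._-]{0,99}\.jpe?g\z/', $requested)) {
        return null;
    }
    // 2. Canonicalise, then confirm the result is still under the base
    //    directory (this also catches symlinks that point somewhere else).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function serve_image(array $query, string $baseDir): void
{
    $name = $query['image'] ?? '';            // may be an array: ?image[]=x
    $path = is_string($name) ? resolve_image($name, $baseDir) : null;
    // 3. Only send bytes that really parse as a JPEG; same 404 for every failure.
    $info = $path === null ? false : @getimagesize($path);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);                          // streams the file, no GD decode
}

serve_image($_GET, IMAGE_DIR);
```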

Something like http://www.php.net/manual/en/function.readfile.php

In the example

    <?php
    $file = 'monkey.gif';

    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename='.basename($file));
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));
        ob_clean();
        flush();
        readfile($file);
        exit;
    }
    ?>

+2

Source: https://habr.com/ru/post/895085/

