FuelPHP Forums
Generating thumbnails on-the-fly: is this secure?
  • I want to resize images to thumbnails when they're loaded the first time and then store/cache that file for later. Here's the solution that I've come up with so far: http://scrp.at/aei. The files are stored in public/files when the user uploads them. The URL to autoresize is http://example.com/files/images/100/150/myfilename.jpg
    where 100 is the width, 150 is the height and myfilename.jpg is the name of the saved_as given by the upload class. My question is: is it safe to map these parameters to the file system, or is there a chance of attack? Also, would it make sense to make the Image class use areas like the Files class?
  • I use such a technique all the time. I use int() for the width and height params, and for quality also, just to be more secure :) But from your scrap, I can see that you do not save thumbs, you output them, so it's resource-heavy to resize them all the time. What you need to do is:
    grab the URL, check for image sizes, etc., then check with file_exists() whether the thumb already exists, to know if the thumbnail was already generated, and then output it to the browser; if there is no thumb yet, then resize, save and output. I use techniques like this: /images/108_de4a780fe42066e308fd890dcfc8b035.jpg_thumb_99x109x80x0xA.png. Benefits: as you can see the prefix, 108_de4a780fe42066e308fd890dcfc8b035.jpg, so it's easy for me to delete all related thumbs. When I delete a photo,
    the script grabs the photo name, which would be:
    108_de4a780fe42066e308fd890dcfc8b035.jpg
    and then the script would search the thumb dir for 108_de4a780fe42066e308fd890dcfc8b035.jpg_thumb_* to delete all generated thumbnails and purge them.
  • Hey :-) It does save it, then outputs it. There's no need to do that check because next time it goes straight to the file and doesn't touch Fuel :-) Rob
  • An example I would use is something like this (http://scrp.at/aen). This will make sure all of the files are within the 'files' directory, and the image will be a valid width. Edit: I see your point on FuelPHP automatically reading the file via .htaccess, so I rewrote a version without that (http://scrp.at/aeo).
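The checks the last two replies describe (integer-only dimensions, a filename that cannot leave the 'files' directory, and a cached thumb whose name keeps the original as a prefix), as an added PHP example that is not from the thread or from FuelPHP itself; the directory constants, the size bound and the `resolve_thumbnail` name are assumptions for illustration.

```php
<?php
// Added example: validate the URL parameters before they touch the file system.
// Assumed layout: originals in FILES_DIR, generated thumbnails in THUMB_DIR.
const FILES_DIR = __DIR__ . '/public/files/images';  // assumed
const THUMB_DIR = __DIR__ . '/public/files/thumbs';  // assumed
const MAX_SIDE  = 2000;                              // assumed upper bound

/**
 * Returns ['src' => ..., 'thumb' => ..., 'w' => int, 'h' => int]
 * for a valid request, or null if any parameter is rejected.
 */
function resolve_thumbnail(string $w, string $h, string $name): ?array
{
    // Dimensions: digits only, then bounded ints; never use the raw strings.
    if (!ctype_digit($w) || !ctype_digit($h)) {
        return null;
    }
    $width  = (int) $w;
    $height = (int) $h;
    if ($width < 1 || $height < 1 || $width > MAX_SIDE || $height > MAX_SIDE) {
        return null;
    }

    // Filename: a plain basename with a known image extension, no separators.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $name)) {
        return null;
    }

    // Resolve both paths and confirm the original really lives under FILES_DIR.
    $base = realpath(FILES_DIR);
    $src  = realpath(FILES_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $src === false || !is_file($src)
        || strncmp($src, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    // Thumb name keeps the original name as prefix, so all thumbs of one
    // image can later be purged with glob(THUMB_DIR . "/$name" . '_thumb_*').
    $thumb = THUMB_DIR . '/' . $name . '_thumb_' . $width . 'x' . $height . '.jpg';
    return ['src' => $src, 'thumb' => $thumb, 'w' => $width, 'h' => $height];
}

// Usage sketch: serve the cached file if present, otherwise generate it first.
$r = resolve_thumbnail($_GET['w'] ?? '', $_GET['h'] ?? '', $_GET['name'] ?? '');
if ($r === null) { http_response_code(404); exit; }
if (!is_file($r['thumb'])) { /* resize $r['src'] to $r['w'] x $r['h'], save to $r['thumb'] */ }
header('Content-Type: image/jpeg');
readfile($r['thumb']);
```

The `realpath` prefix check is what rejects traversal attempts even if the filename pattern were loosened later; the pattern alone is the first line of defence, not the only one.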
