Secret Location For Pictures?


Visual Basic.Net
Nov 21st, 2008, 02:51 AM
I want to display pictures from some folder without allowing the user to see their folder name when he clicks (right-click on the photo => Properties).
So I made a separate file called printit, which contains:
<?php
echo "<img src="IMGFOL/".$_GET['imgname'].">";
?>

and then when I want to display a picture for the user I write:
echo "<img src='printit.php?imgname=12'>";

But the picture wasn't displayed! The generated URL is correct, though: when I copy it and put it in the address bar, the picture is displayed.
What is the problem?

Thanks in advance

Visual Basic.Net
Nov 21st, 2008, 02:52 AM
It gives me an "X" instead of the picture, while the picture exists!

kfcSmitty
Nov 21st, 2008, 11:41 AM
Your quotes are the issue.


<?php
echo "<img src="IMGFOL/".$_GET['imgname'].">";
?>
//should be
<?php
echo "<img src='IMGFOL/".$_GET['imgname']."'/>";
?>

Visual Basic.Net
Nov 21st, 2008, 04:29 PM
That also didn't work!
Any other solution?
Thanks

dclamp
Nov 21st, 2008, 07:41 PM
You have an img tag inside of an img tag, that's why.


<img src='printit.php?photo=dclamp.jpg'>


Printit.php:


<?php
$imgname = $_GET['photo'];
$folderlocation = "images/";

echo $folderlocation . $imgname;
?>


--------------------------------------

Here was your code:


<?php
echo "<img src="IMGFOL/".$_GET['imgname'].">";
?>


<img src='printit.php?imgname=12'>


Would Output:


<img src='<img src='IMGFOL/12'>'>

kfcSmitty
Nov 21st, 2008, 07:51 PM
Nice catch, dclamp. I didn't even notice the URL was in an img tag; I had assumed it was in a hyperlink anchor.

If dclamp's solution doesn't work for you, give us the HTML code your incorrect page displays.

penagate
Nov 22nd, 2008, 08:03 PM
Two points, one trivial, one not so trivial:

(1) Don't use echo to write HTML. PHP is designed to be embedded within HTML, not vice versa.

(2) Never echo back input that comes from the client. This is called a cross-site scripting (XSS) vulnerability (http://en.wikipedia.org/wiki/Cross-site_scripting). Why? Because you are outputting user input without validating it, anyone can manipulate the query string component of the URL to inject malicious JavaScript into the page and potentially gain unauthorised access to data, such as through reading other users' cookies.

Visual Basic.Net
Dec 3rd, 2008, 02:43 PM
I tested all possible codes, but none of them worked!!!
Isn't there a secure way to do that, not necessarily by the same idea? I just want to make the user unable to see the real location of the image.
Thanks
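
An added example, not code from any post in this thread: a printit.php that streams the image bytes itself instead of echoing an img tag or a path, and validates the imgname parameter rather than reflecting it, which addresses penagate's point (2). The directory path, the allowed-type list and the function names are assumptions made for illustration, and PHP's fileinfo extension is assumed to be enabled.

```php
<?php
// printit.php - added example, not code from the thread.
// Assumption: images are stored outside the web root (hypothetical path),
// so they cannot be fetched directly and the folder name never reaches the client.
const IMAGE_DIR = '/var/www/private_images';
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

function resolve_image(string $name, string $dir): ?string
{
    // Accept only a plain file name (optionally with an image extension):
    // no slashes, no "..", no quotes or angle brackets.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}(\.(jpe?g|png|gif))?\z/i', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files; also confirm the resolved
    // path is still inside the image directory (symlink / traversal guard).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

function serve_image(string $name): void
{
    $path = resolve_image($name, IMAGE_DIR);
    if ($path === null) {
        http_response_code(404);   // the requested name is never echoed back
        return;
    }
    // Decide the type from the file contents, not from the request.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($type, ALLOWED_TYPES, true)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);               // send the raw image bytes as the response body
}

$requested = $_GET['imgname'] ?? '';
serve_image(is_string($requested) ? $requested : '');
```

The page that shows the picture keeps the tag from the first post, <img src='printit.php?imgname=12'>, so the image properties dialog shows only the printit.php URL.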