[img]http://domain.com/image.php?id=1234[/img]
mrdicb wrote: when you say it is a xss security issue, do you mean to MY system or another site's system?
<?php
// image.php: picks one entry from a fixed list of images at random and
// redirects the browser to it, so the same [img] URL shows a different
// picture on every request.
function randomize( $array )
{
    // Pick a random index between 0 and the last element.
    $array_num = count( $array ) - 1;
    $rand_num  = rand( 0, $array_num );
    return $array[$rand_num];
}

$image = randomize( array(
    "images/cat.jpg",
    "images/dog.jpg",
    "images/superman.jpg",
    "images/coolio.jpg"
) );

// Send a redirect to the chosen image and stop so nothing else is output.
header( "Location: http://domain.com/$image" );
exit;
?>
espicom wrote: This subject comes up from time to time, so we see a lot of "what if we ..." type solutions floated. And I've even had people approach me via PM on how to write an appropriate regular expression to allow CERTAIN SERVERS to provide dynamic images, while not allowing "every" server to do so. To the point that I don't even read PMs from some people anymore... I don't have THAT MUCH free time!
One possibility exists for "vetting" images, but it will increase your bandwidth usage. A script could be written to open a remote URL and load its response, check that it is a real image, then send that to the browser. It would basically convert any IMG bbcode tags into calls to this special script, so the result would look kind of like:
<img src=vette_img.php?http://domain.com/image.php?id=1234>
vette_img.php would connect to the URL, determine the image type (PNG, GIF, JPG), use the PHP GD functions to load the image, optionally resize it to match your specifications, then spit the result out to the browser.
This is the 10-pound sledgehammer approach. 8)
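As an added example (not code from this thread or from phpBB), here is a minimal vette_img.php along the lines espicom describes: fetch the URL, confirm from the bytes that it is a PNG, GIF or JPEG, decode it with GD, optionally shrink it, and re-encode it. The 2 MB limit, 5 second timeout, 400 px maximum width and PNG output are assumptions chosen for the example.

```php
<?php
// vette_img.php (added example): assumes GD and allow_url_fopen are enabled.
// Invoked as <img src=vette_img.php?http://domain.com/image.php?id=1234>,
// so the remote URL is the whole query string.
$url   = $_SERVER['QUERY_STRING'] ?? '';
$parts = parse_url($url);

// Only plain http/https URLs with a host are fetched; anything else is refused.
if ($parts === false || !isset($parts['scheme'], $parts['host'])
    || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
    http_response_code(400);
    exit('bad url');
}

// Do not follow redirects (image.php above answers with one) and give up after 5 s.
$ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);

// Read at most 2 MB plus one byte so an oversized response can be detected.
$limit = 2 * 1024 * 1024;
$data  = @file_get_contents($url, false, $ctx, 0, $limit + 1);
if ($data === false || strlen($data) > $limit) {
    http_response_code(502);
    exit('fetch failed');
}

// Decide the type from the bytes, not from the URL or the remote Content-Type.
$info = @getimagesizefromstring($data);
if ($info === false
    || !in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
    http_response_code(415);
    exit('not an image');
}
$im = @imagecreatefromstring($data);
if ($im === false) {
    http_response_code(415);
    exit('undecodable image');
}

// Optional resize to an assumed maximum width of 400 px, keeping the aspect ratio.
$maxW = 400;
if (imagesx($im) > $maxW) {
    $h     = (int) round(imagesy($im) * $maxW / imagesx($im));
    $small = imagecreatetruecolor($maxW, $h);
    imagecopyresampled($small, $im, 0, 0, 0, 0, $maxW, $h, imagesx($im), imagesy($im));
    $im = $small;
}

// Re-encoding means only pixel data leaves the server: any HTML, script or
// redirect in the remote response never reaches the visitor's browser.
header('Content-Type: image/png');
header('X-Content-Type-Options: nosniff');
imagepng($im);
```

Because the script fetches whatever URL it is handed, it should be rate-limited and kept off internal hostnames; the bandwidth cost espicom mentions is paid on every request unless the output is cached.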