bluegman991 Posted December 18, 2009

I'm trying to make a BBCode image tag that will check to see if an image is actually an image before it displays it.

Here's the function:

```php
function secimg( $input ) {
    $image=@getimagesize($input);
    if(!$image) {
        $input="notanimage.png";
    } else {
        $input=$input;
    }
    return $input;
}
```

Here's the preg replace:

```php
function imgtag( $input ) {
    $bb = "/\[img\](.+?)\[\/img\]/";
    $html = "[img=.secimg('//1').]";
    return preg_replace($bb, $html, $input);
}
```

What's happening is that when I use the code, it says everything is not an image, but when I put the code directly into a page like this:

```php
$text="http://www.url.com/image.png";
echo secimg($text);
```

it will define everything correctly. Can someone show me what I'm doing wrong and, if it's not possible, help me with only allowing images inside image tags?

Floydian Posted December 19, 2009

Hello bluegman991,

The problem you have there is that you are calling secimg() before preg_replace can substitute a value for '//1'.

Your idea of using preg_replace's ability to take a substring and place it into a placeholder is sweet, but you need to be able to execute that secimg() function in the context of the regex, which I don't know if you can do.

You may need to break this down into more discrete steps.

Hope that helps.

CrazyT Posted December 19, 2009

You have the right idea, but you didn't do it right. Here, try this; it works fine.

```php
function imageCheck($img) {
    return @getimagesize($img) ? $img : 'images/invalid.png';
}

if (isset($_GET['tb'])) {
    echo '[img='. imageCheck(preg_replace(]';
}
```

You might have to edit it to fit your needs. It can be seen here below.

http://crazyt.co.uk/test.php

As for the invalid image, I don't have one so it will just display no image, but if you view source you can see "images/invalid.png" in the image tag. :)

bluegman991 Posted December 19, 2009 Author

Thx lazy t, but that way I wouldn't need to put in the tags for it to check, and then it will display all the information inside of the variable as invalid.png, where I only want it to replace the with that are in the variable.

I think Floydian is right though, it may not be possible to put a function inside preg_replace.

So how would I secure my img tags? Or how does everyone else?

Floydian Posted December 20, 2009

I have a slightly different use case since my image function starts with HTML, and not BBCode, but you can apply the BBCode to HTML conversion and then apply a function like the one I use. A call to getimagesize() would make this code more secure.

This function does a number of things:

1. It makes sure the image src ends with one of the $valid_imgs file extensions (this makes it difficult to load PHP pages from your own site like logout.php or itemsell.php?ID=23423)
2. It makes sure none of the strings in $invalid_imgs is contained in the string (and this makes it impossible to load PHP pages from your own site)

One call to this function will clean all instances of images in one string. So you can clean out 100 images at once.

It is possible to put in a string that ends with .jpg that links to a file that is actually a PHP page. But my code assumes that my own site does not have malicious PHP files masquerading as jpg files. It would be better to have getimagesize though in order to know 100% for sure the image is an image. It can easily be added in.

```php
function clean_images($string) {
    $count = 0;
    $img_start = 0;
    $valid_imgs = array('.png', '.jpg', 'jpeg', '.gif', '.PNG', '.JPG', 'JPEG', '.GIF');
    $invalid_imgs = array('.html', '.js', '.css', '.php', '.htm');
    do {
        $count++;
        $img_start = stripos($string, '<img', $img_start);
        if ($img_start !== false) {
            $img_end = stripos($string, '>', $img_start);
            if ($img_end === false) {
                // Unterminated <img tag: drop it and stop, otherwise the
                // offsets below are wrong and the string grows on every pass.
                $string = substr($string, 0, $img_start);
                break;
            }
            $image = substr($string, $img_start, $img_end - $img_start +1);
            $string_beginning = substr($string, 0, $img_start);
            $string_ending = substr($string, $img_end+1);
            // Count how many of the allowed extensions are missing from the tag.
            $check_count = 0;
            foreach ($valid_imgs as $value) {
                if(strpos($image, $value) === false) {
                    $check_count++;
                }
            }
            // Compare against the number of entries (the original compared
            // against the array itself, so this branch could never run).
            if ($check_count >= count($valid_imgs)) {
                $image = '';
            } else {
                foreach ($invalid_imgs as $value) {
                    if(strpos($image, $value) !== false) {
                        $image = '';
                        break;
                    }
                }
            }
            $string = $string_beginning . $image . $string_ending;
            // Only step past a tag that was kept; after a removal the next
            // <img may start at this same offset and must not be skipped.
            if ($image !== '') {
                $img_start++;
            }
        }
        if ($img_start > strlen($string)) {
            $img_start = false;
        }
    } while ($img_start !== false);
    return $string;
} // End clean_images() function.
```

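An added example, not part of any post in this thread and not any poster's code: preg_replace_callback() runs a function on each captured [img] URL, which is what the first post was attempting inside a preg_replace() replacement string. The function names, the placeholder path and the sample input are assumptions made for illustration.

```php
<?php
// Added example; helper names, the placeholder path and the sample post are constructed.
const IMG_PLACEHOLDER = 'images/invalid.png';
const IMG_EXTENSIONS  = ['png', 'jpg', 'jpeg', 'gif'];

// Static checks only: absolute http(s) URL whose path ends in an allowed extension.
function is_acceptable_image_url(string $url): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, IMG_EXTENSIONS, true);
}

// The callback runs once per [img]...[/img] match, after the regex has captured
// the URL; a function call written into a preg_replace() replacement string does not.
function bbcode_images(string $text, ?callable $verify = null): string
{
    // Cast: preg_replace_callback() returns null on a PCRE error; fail closed to ''.
    return (string) preg_replace_callback(
        '/\[img\](.+?)\[\/img\]/i',
        function (array $m) use ($verify): string {
            $url = trim($m[1]);
            $ok  = is_acceptable_image_url($url) && ($verify === null || $verify($url));
            $src = $ok ? $url : IMG_PLACEHOLDER;
            // Escape for the attribute context so the URL cannot break out of src="".
            return '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $text
    );
}

// Constructed sample input: a valid image, a PHP page, and a non-http scheme.
$post = 'a [img]http://www.url.com/image.png?w=1&h=2[/img] '
      . 'b [img]http://www.url.com/logout.php[/img] '
      . 'c [img]ftp://www.url.com/image.png[/img]';
echo bbcode_images($post), PHP_EOL;

// To also confirm the bytes decode as an image, pass a verifier such as
//   function ($u) { return @getimagesize($u) !== false; }
// Doing so makes the server fetch every URL a user submits, so restrict the
// hosts it may reach and cache the result instead of re-checking on each view.
```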