Joshua Posted February 20, 2010

Ok, so I've got a few ways that "work" to stop the viewuser/preference hack. I had a thought on "another" way to do this and I am garbage with preg, so any help would be beneficial to anyone :P

Ok, so instead of using getimagesize on the display picture bit, which occasionally bugs certain images, what if in the following link you do something like...

if ($r['display_pic'] preg match .php/.exe etc) { echo fail } else yadda yadda.

Would that be do-able? If so...how? :P

if($r['display_pic']) {
    $pic = "";
} else {
    $pic = "This user has no display pic!";
}
Djkanna Posted February 20, 2010

You could try

if(!preg_match("/^.*\.(jpg|jpeg|png|gif)$/i", $r['display_pic'])) {
    echo "Error in displaying Display Picture.";
}

[Regex Source]
Joshua (Author) Posted February 20, 2010

I dno how preg match works yet so :P Would that ignore the http://www.site.com/picture bit and just check the .png/.jpg/.gif etc?
Dave Posted February 20, 2010

That method can so easily be abused... I'd recommend using

if(preg_match("/^.*\.(jpg|jpeg|png|gif)$/i", $r['display_pic'])) {
    if(@getimagesize($r['display_pic'])) {
        echo 'Valid image';
    }
}

Because with just the preg_match you could do something like... http://game.com/logout.php?null=image.png :)
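The point made in the post above, as an added example that is not code from the thread: the thread's regex runs over the whole URL, so a query string ending in `.png` satisfies it, while a check on the URL path plus a check on the fetched bytes does not. The function names are hypothetical, and the sample URLs (apart from the one quoted from the post) and byte strings are constructed.

```php
<?php
// Added example, not code from the thread. Sample inputs are constructed.

const PIC_REGEX = '/^.*\.(jpg|jpeg|png|gif)$/i';    // the pattern posted in the thread

// Accept only http(s) URLs whose *path* ends in an image extension;
// the query string is ignored for the extension test.
function display_pic_url_ok(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true);
}

// Decide from the bytes themselves, whatever the URL was called.
function display_pic_bytes_ok(string $bytes): bool
{
    $info = @getimagesizefromstring($bytes);
    return is_array($info)
        && in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true);
}

$urls = [
    'http://www.site.com/picture.png',               // constructed
    'http://game.com/logout.php?null=image.png',     // URL quoted in the post above
    'http://www.site.com/blah.png.php',              // constructed
];
foreach ($urls as $u) {
    printf("%-44s regex=%d path_check=%d\n",
        $u, preg_match(PIC_REGEX, $u), (int) display_pic_url_ok($u));
}

// Constructed 1x1 PNG, and a constructed non-image response body.
$png  = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ'
      . 'AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$html = '<html><body>You have been logged out.</body></html>';

var_dump(display_pic_bytes_ok($png));
var_dump(display_pic_bytes_ok($html));
```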
Joshua (Author) Posted February 20, 2010

Yea, we've just discussed that in chat, meh. I was already using getimagesize >,< So I believe this should do it, thanks

if(preg_match("/^.*\.(jpg|jpeg|png|gif)$/i", $r['display_pic'])) {
    if(@getimagesize($r['display_pic'])) {
        $pic = "[img={$r[]";
    }
} else {
    $pic = "This user has no display pic!";
}
Djkanna Posted February 20, 2010

Yup, that was an interesting chat even though I missed it (too busy chatting elsewhere xD ) but yeah, allowing them to upload was a suggestion also; you may want to think about that one *Directed at all*
Dave Posted February 20, 2010

> Yup, that was an interesting chat even though I missed it (too busy chatting elsewhere xD ) but yeah, allowing them to upload was a suggestion also; you may want to think about that one *Directed at all*

Well.. My site doesn't "upload" the image but instead captures the image into various sizes onto my webserver to make pulling the image up quicker and then also extra security. Considering I'm using the GD library to create the image.. You pass some PHP through that and call it an image, it will just give you a black display pic.
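One way to do the kind of GD re-encoding described in the post above, as an added example that is not Dave's code: the untrusted bytes are decoded with GD and a fresh PNG of a fixed size is written out, so only pixels GD produced are stored. It assumes the GD extension is loaded, the function name and sizes are hypothetical, the inputs are constructed, and undecodable input is rejected here rather than rendered as a black picture.

```php
<?php
// Added example, not code from the thread. Requires ext-gd; inputs are constructed.

// Decode untrusted bytes with GD and return a new square PNG of $size pixels,
// or null when GD cannot decode the input as an image.
function reencode_display_pic(string $bytes, int $size = 100): ?string
{
    $src = @imagecreatefromstring($bytes);
    if ($src === false) {
        return null;                          // not an image format GD recognises
    }
    $dst = imagecreatetruecolor($size, $size);
    imagecopyresampled($dst, $src, 0, 0, 0, 0,
        $size, $size, imagesx($src), imagesy($src));

    ob_start();
    imagepng($dst);                           // serialise the resampled pixels only
    return ob_get_clean();
}

// Constructed input 1: a real 8x8 PNG, generated here with GD.
$img = imagecreatetruecolor(8, 8);
imagefill($img, 0, 0, imagecolorallocate($img, 200, 30, 30));
ob_start();
imagepng($img);
$realPng = ob_get_clean();

// Constructed input 2: PHP source that a remote URL might return under an image name.
$fake = "<?php echo 'not an image';";

// "Various sizes", as in the post: one stored copy per display size.
foreach ([50, 100] as $size) {
    $thumb = reencode_display_pic($realPng, $size);
    $info  = getimagesizefromstring($thumb);
    printf("stored copy: %s %dx%d\n", $info['mime'], $info[0], $info[1]);
}

var_dump(reencode_display_pic($fake));
```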
Joshua (Author) Posted February 20, 2010

After trying several different approaches, this is the one that has succeeded over all

if(!@getimagesize($ir['display_pic'])) {
    $pic ="images/default.png' width='43' height='43' border='0'";
} elseif(@getimagesize($ir['display_pic'])) {
    $pic = $ir['display_pic'];
}
Zero-Affect Posted February 20, 2010

Dave, didn't I error your display image?

if(preg_match("/^.*\.(jpg|jpeg|png|gif)$/i", $r['display_pic'])) {
    if ( is_array(@getimagesize($r['display_pic'])) ) {
        $pic = "[img={$r[]";
    }
} else {
    $pic = "This user has no display pic!";
}

If you had listened to mdshare when he mentioned getimagesize first time round you may have easily avoided this entire thread.
Joshua (Author) Posted February 20, 2010

Yer, possibly. But when he originally posted that I didn't understand it; do it myself a bit and I learn it and understand it, so eh..learning process.
Magictallguy Posted February 20, 2010

Remove the print from that code. It'll error if you don't.
Dave Posted February 21, 2010

> Dave, didn't I error your display image?
>
> if(preg_match("/^.*\.(jpg|jpeg|png|gif)$/i", $r['display_pic'])) {
>     if ( is_array(@getimagesize($r['display_pic'])) ) {
>         $pic = "";
>     }
> } else {
>     $pic = "This user has no display pic!";
> }
>
> If you had listened to mdshare when he mentioned getimagesize first time round you may have easily avoided this entire thread.

You did :) and that's how I fixed it :L If that didn't work I was going to start checking the mime type haha :L
Zero-Affect Posted February 21, 2010

eight'150' alt-'User Dis

notice the error? Dave look at Demo's account and tell me it still ain't erroring.
bluegman991 Posted February 22, 2010

get image size would be the better way cuz u could easily name a file "blah.png.php" then use htaccess to allow the .php part to not be needed then go to ur site and put in http://www.site.com/blah.png and there u have a fake png file
Zero-Affect Posted February 22, 2010

actually it would be http://www.website.com/image.png change png to php via htaccess... but using getimagesize on view user fixes that basically
Diesl Posted June 5, 2010

Just a quick note to help anyone who had the same problem as me. If you used the @getimagesize() function and you're sure you were correct with the coding, but any picture you uploaded (or are uploading if used in preferences.php) never returned properly, you may have to enable allow_url_fopen in your php.ini. No matter what, any picture I was uploading, it always evaluated to false, which would show an error to the user. Changing the allow_url_fopen to "on" made it work.