[eluser]HdotNET[/eluser]
That's easily got around with a disclaimer.
TBH, I don't know, I haven't tried this, but off the top of my head...
- Strip out any dodgy strings like '../' from the URL, use the xss function and your own
- Ensure that you are dealing with the right file format (.jpg or whatever, duh)
- Do a test via the GD image library or ImageMagick to test for an actual image, both of which would throw an error on attempting to process anything that wasn't an image.
- Retrieve the image into some directory that is not web-accessible for the processing above.
- Once all tests are satisfied use the CI ftp class to move the file into your web-accessible image serving directory, with correct, secure permissions.
Never ever ever have a world-writable web-accessible directory.
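The steps in the post above, worked through as one plain-PHP function. This is an added example and not HdotNET's code or part of CodeIgniter; it goes slightly beyond the post in two places: instead of stripping `../` from the URL it never uses any part of the URL as a filesystem path (the file is written under a name the server picks), and the extension is taken from the bytes GD detects rather than from the URL. The directory paths, the 5 MiB size cap and the allowed-type table are assumptions; the final `rename`/`chmod` is where you would substitute the CI ftp class if the public directory lives on another host.

```php
<?php
// Added example (not from the original post): fetch a remote image into a
// quarantine directory outside the web root, prove it is an image, then publish it.

// Assumption: only these GD image types are allowed; the value is the
// extension WE assign, so the URL's extension is never trusted.
$ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];
// GD decoders matching the table above; decoding is the "test via GD" step.
$GD_DECODERS = [
    IMAGETYPE_JPEG => 'imagecreatefromjpeg',
    IMAGETYPE_PNG  => 'imagecreatefrompng',
    IMAGETYPE_GIF  => 'imagecreatefromgif',
];
const MAX_BYTES = 5 * 1024 * 1024;   // assumed size cap

function fetch_remote_image(string $url, string $quarantineDir, string $publicDir): string
{
    global $ALLOWED_TYPES, $GD_DECODERS;

    // 1. Only http/https URLs: rejects file://, php://, data:, ftp:// and friends,
    //    which file_get_contents() would otherwise happily open.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http/https URLs are accepted');
    }

    // 2. Download into the quarantine directory (NOT under the web root) under a
    //    server-chosen temp name, so nothing from the URL becomes a path.
    $tmp = tempnam($quarantineDir, 'img_');
    if ($tmp === false) {
        throw new RuntimeException('cannot create quarantine file');
    }
    try {
        $ctx  = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
        // Read one byte more than the cap so an oversized body is detectable.
        $body = @file_get_contents($url, false, $ctx, 0, MAX_BYTES + 1);
        if ($body === false || strlen($body) > MAX_BYTES) {
            throw new RuntimeException('download failed or exceeds size cap');
        }
        file_put_contents($tmp, $body);

        // 3. Check the bytes, not the name: getimagesize() parses the real header
        //    and tells us which format it is.
        $info = @getimagesize($tmp);
        if ($info === false || !isset($ALLOWED_TYPES[$info[2]])) {
            throw new RuntimeException('not an allowed image type');
        }
        $type = $info[2];

        // 4. Make GD actually decode it. A file with a forged header but junk
        //    (or PHP code) behind it fails here, which is the whole point.
        $img = @$GD_DECODERS[$type]($tmp);
        if ($img === false) {
            throw new RuntimeException('image failed to decode');
        }
        imagedestroy($img);

        // 5. Publish under a random name with the extension we chose, readable
        //    but not writable or executable. The public directory itself must
        //    not be world-writable; only this script's user writes to it.
        $dest = rtrim($publicDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ALLOWED_TYPES[$type];
        if (!rename($tmp, $dest)) {
            throw new RuntimeException('cannot move image into public directory');
        }
        chmod($dest, 0644);
        return $dest;
    } finally {
        // Anything still in quarantine after this point is a failed fetch.
        if (file_exists($tmp)) {
            unlink($tmp);
        }
    }
}

// Usage (assumed paths): the quarantine dir is outside DocumentRoot.
// $path = fetch_remote_image('https://example.com/photo.jpg',
//                            '/var/app/quarantine', '/var/www/html/images');
```

Two things the post does not spell out but the code relies on: the scheme check in step 1 matters because `file_get_contents()` is a stream wrapper front-end, so an unchecked URL could name a local file or a `php://` stream; and the random destination name in step 5 is what makes the `../` stripping unnecessary, since no attacker-controlled string ever reaches the filesystem. If the public directory is on a different machine, replace the `rename()`/`chmod()` pair with an upload through the CI ftp class as the post suggests, keeping the same 0644 permission.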