Uploading images from url rather than local hard drive

#1
[eluser]obobo[/eluser]
Apologies if this has been covered before ... but I couldn't find anything in the forums ...

I'm currently using the upload class to post photos to my site.
I'd also like to have the option of simply entering an url of an image on another website
and having it copied to my server.

Is there any way this could be done while still using the CI upload validation
rather than having to rewrite it to handle images from urls?

#2
[eluser]wiredesignz[/eluser]
Not with CI Validation as it stands.

You would need to use file_get_contents() or something similar.

However, it would be very dangerous to allow random file types to be grabbed from another site.

#3
[eluser]Jamie Rumbelow[/eluser]
It shouldn't be too hard to write an extension function into the upload library - I'll do it later if you haven't figured it out by then.

#4
[eluser]HdotNET[/eluser]
be very careful though. that's asking for a hacker to upload anything he/she/it wants. many shared hosts will have functions like disabled to prevent the above:

allow_url_fopen = off

in php.ini...

errors like these indicate this:

PHP Warning: fopen(http://www.example.com): failed to open stream: HTTP request failed!
fsockopen(): unable to connect to …
file_get_contents(): failed to open stream: HTTP request failed!
PHP Warning: main(): Failed opening ‘http://www.example.com/index.html’ for inclusion …
PHP Warning: include(/usr/local/index.php): failed to open stream: No such file or directory in …


in addition, you may find that other webservers may block requests from the user_agent 'PHP', so if you still want to go ahead with this scary bit of coding, you may want to spoof the user_agent to something more acceptable.

#5
[eluser]obobo[/eluser]
thanks for the responses everyone and for the offer jemgames.

I had no idea of the security implications. :gulp:

How do sites like blogger safely allow users to grab photos from other websites?

Is it always dangerous to allow photos to be grabbed from an url
or is it just a serious undertaking to make it safe and not for the inexperienced?

#6
[eluser]xwero[/eluser]
I think grabbing it's safer if you only allow image storage sites. They did the security check for you.

Not only do you have to be aware of the security risks but also of the legal issues. If your users grab images from others and add their own name, or if the images may not be reproduced without the owner's consent, you could be held responsible for allowing this behavior.

#7
[eluser]HdotNET[/eluser]
that's easily got around with a disclaimer.

TBH, I don't know, haven't tried this, but off the top of my head...

- Strip out any dodgy strings like '../' from the url, use xss function and your own

- Ensure that you are dealing with the right file format (.jpg or whatever, duh)

- Do a test via the GD image library or Imagemagick to test for an actual image, both of which would throw an error on attempting to process anything that wasn't an image.

- Retrieve the image into some directory that is not web-accessible for the processing above.

- Once all tests are satisfied use the CI ftp class to move the file into your web accessible image serving directory, with correct, secure permissions.

Never ever ever have a world writable web accessible directory.

#8
[eluser]Jamie Rumbelow[/eluser]
A few simple safety checks are sufficient - as long as you restrict the filetype and make sure that no code from the remote file is executed, then you shouldn't worry.

#9
[eluser]HdotNET[/eluser]
doh...

getimagesize();

Quote: Errors/Exceptions

If accessing the filename image is impossible, or if it isn't a valid picture, getimagesize() will generate an error of level E_WARNING. On read error, getimagesize() will generate an error of level E_NOTICE.

was getting ahead of myself with imagemagick/gd

I should have RTFM ;-)
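
The checks listed in posts #7 and #9, put together as an added example (not code from any poster in this thread): fetch into a directory outside the web root, confirm the type with getimagesize(), then publish under a server-chosen name. The function names, size cap and directories are assumptions, and rename() stands in for the CI FTP class move mentioned above.

```php
<?php // Added example; function names, limits and directories are assumptions.
const ALLOWED_TYPES = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
const MAX_BYTES = 5242880; // 5 MiB cap (assumed limit)

// Download into a quarantine directory that the web server does not serve.
function fetch_to_quarantine(string $url, string $quarantineDir): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!filter_var($url, FILTER_VALIDATE_URL) || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http(s) URLs are accepted');
    }
    $tmp = tempnam($quarantineDir, 'img');
    $fh = fopen($tmp, 'wb');
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FILE => $fh,
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,   // do not follow redirects
        CURLOPT_TIMEOUT => 10,
        CURLOPT_MAXFILESIZE => MAX_BYTES,  // only enforced when the server declares a length
    ]);
    $ok = curl_exec($ch);
    fclose($fh);
    if ($ok === false || filesize($tmp) > MAX_BYTES) {
        unlink($tmp);
        throw new RuntimeException('Download failed or file too large');
    }
    return $tmp;
}

// Publish only if getimagesize() recognises an allowed type; name and extension are server-chosen.
function publish_if_image(string $tmp, string $publicDir): string
{
    $info = @getimagesize($tmp); // false (plus E_WARNING/E_NOTICE) when not an image
    if ($info === false || !array_key_exists($info[2], ALLOWED_TYPES)) {
        unlink($tmp);
        throw new RuntimeException('Not an allowed image type');
    }
    $dest = $publicDir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
    rename($tmp, $dest);
    chmod($dest, 0644); // readable, never world-writable
    return $dest;
}

// Constructed samples, checked offline: a 1x1 GIF and plain text posing as an image.
foreach ([base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'), 'not really an image'] as $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'img');
    file_put_contents($tmp, $bytes);
    try { echo publish_if_image($tmp, sys_get_temp_dir()), "\n"; } catch (RuntimeException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
}
```

getimagesize() inspects only enough of the file to report type and dimensions, so it does not show that the rest of the file is harmless. The server-chosen name and extension, together with a directory where scripts are not executed, are what keep fetched bytes from being run.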

