Hi Guys,

I've been using this piece of code for years now, whenever I use rotating images within my websites. Recently, I received word that readfile() was disabled on the server I was working with for security reasons.

Here's the snippet I use:

* BEGIN CODE *

<?php
$fileList = array();
$folder = ".";
$handle = opendir($folder); 
while (false !== ($file = readdir($handle) ) ) 
	{
	// readdir() also returns "." and ".."; keep only the two image types served below
	if ( substr($file, -4) == ".gif" || substr($file, -4) == ".jpg" ) 
		{
		$fileList[] = $file;
		}
	}
closedir($handle);
if ( count($fileList) == 0 ) 
	{
	// nothing to serve: rand(0, -1) would otherwise give an index that does not exist
	header("HTTP/1.0 404 Not Found");
	exit;
	}
$randNum = rand( 0, (count($fileList) -1) );
if ( substr($fileList[$randNum], -4) == ".gif" ) 
	{
	header ("Content-type: image/gif");
	} 
elseif ( substr($fileList[$randNum], -4) == ".jpg" ) 
	{
	header ("Content-type: image/jpeg");
	}
readfile($fileList[$randNum]);

* END OF CODE *

any suggestions or possible alternatives to use instead of readfile()?

many thanks in advance.

    The manual suggests:

    See also fpassthru(), file(), fopen(), include(), require(), virtual(), file_get_contents()...

      Hi,
      I can't see any readfile() in your code,
      so
      I will assume you mean readdir().

      The alternative, which is much simpler to use, is:
      http://php.net/scandir

      Here is a nice little example I have written, Directory Viewer:

      <?php
      
      // directory view
      $files = scandir( '.' );
      //$fcount = count( $files );
      
      echo '<body bgcolor="#DDDDDD">';
      echo "<b><i>DIRVIEW FILE INDEX</i></b>";
      echo "<hr>";
      foreach ( $files AS $name ){
          // skip ".", ".." and dot-files
          if(substr($name,0,1)!=".")
              // escape the name: it is untrusted data from the filesystem,
              // so it must not be dropped raw into the href or the link text
              echo '<a href="'.rawurlencode($name).'" target="_blank">'.htmlspecialchars($name).'</a><br>';
      }
      echo '</body>';
      exit; 

      to test extensions:

      <?php
      
      // $name is one entry from the scandir() loop above
      // takes the last 4 chars, for example '.txt' (case-sensitive, so '.TXT' does not match)
      if ( substr( $name, -4 ) == ".txt" )
          echo 'textfile'; 
      

        Nope. It's readfile(). It's located on the last line.

          okay
          then this post
          by Installer is better:

          See also fpassthru(), file(), fopen(), include(), require(), virtual(), file_get_contents()...

          from the readfile manual
          http://php.net/readfile

          🙂

            Squiggles wrote:

            Hi Guys,

            I've been using this piece of code for years now, whenever I use rotating images within my websites. Recently, I received word that readfile() was disabled on the server I was working with for security reasons.

            I don't understand why that would be? Surely your production server support people are there to support you not to piss you off?

            Can you not argue with them like:

            You can't disable readfile() because my application requires it for proper operation...

            They can't reasonably take unilateral decisions like that, particularly not after deployment.

            Mark

              I'm a bit puzzled as to how readfile() is a security hazard? It is absolutely no different than combining [man]file_get_contents[/man] and [man]echo[/man]!

                Maybe file_get_contents() is disabled as well .... but then I'd expect all the file-access functions to be locked out. ini_get('disable_functions') or phpinfo() may give a list.

                Those nasty web developers. Always wanting to read files... :mad:

                But yeah, try taking it up with someone who can do something about it first before getting into knots yourself trying to work around it. That Way Lies Madness.
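Editor's added example, not code from any poster in this thread: a rewrite of the random-image script that first reads ini_get('disable_functions'), as suggested above, and then streams the file with whichever of readfile(), fpassthru() or file_get_contents() the host still allows. It also restricts the candidates to an extension allow-list and refuses any path that realpath() resolves outside the image directory. The image directory (__DIR__) and the extension list are assumptions for illustration.

```php
<?php
// Added example (not from the original thread): serve a random image from the
// script's directory without depending on readfile(), picking the first
// file-output function that the host has not listed in disable_functions.
declare(strict_types=1);

/** Return the names listed in php.ini's disable_functions as a lookup set. */
function disabledFunctions(): array
{
    $raw   = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)));
    return array_fill_keys(array_map('strtolower', $names), true);
}

/** True if $fn both exists and is not disabled on this host. */
function usable(string $fn): bool
{
    static $disabled = null;
    $disabled ??= disabledFunctions();   // PHP 7.4+
    return function_exists($fn) && !isset($disabled[strtolower($fn)]);
}

/** Pick a random regular file from $dir whose extension is in the allow-list $types. */
function pickRandomImage(string $dir, array $types): ?string
{
    $candidates = [];
    foreach (scandir($dir) ?: [] as $name) {
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (isset($types[$ext]) && is_file($dir . DIRECTORY_SEPARATOR . $name)) {
            $candidates[] = $name;
        }
    }
    if ($candidates === []) {
        return null;
    }
    return $candidates[random_int(0, count($candidates) - 1)];
}

/** Stream $path to the client with whichever output function is available. */
function emitFile(string $path): void
{
    if (usable('readfile')) {
        readfile($path);
    } elseif (usable('fpassthru') && usable('fopen')) {
        $fh = fopen($path, 'rb');
        fpassthru($fh);
        fclose($fh);
    } elseif (usable('file_get_contents')) {
        echo file_get_contents($path);
    } else {
        // Every whole-file helper is disabled: fall back to a plain read loop
        // (if fopen() is disabled as well, nothing in PHP can serve the file).
        $fh = fopen($path, 'rb');
        while (!feof($fh)) {
            echo fread($fh, 8192);
        }
        fclose($fh);
    }
}

// Allow-list maps extension to the MIME type that will be sent (assumed set).
$types = ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
$dir   = __DIR__;                       // assumption: images live beside the script

$name = pickRandomImage($dir, $types);
if ($name === null) {
    http_response_code(404);
    exit('no images found');
}

// realpath() collapses symlinks and ".." components; refuse anything outside $dir.
$path = realpath($dir . DIRECTORY_SEPARATOR . $name);
if ($path === false || strpos($path, realpath($dir) . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(403);
    exit;
}

header('Content-Type: ' . $types[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
header('Content-Length: ' . (string) filesize($path));
emitFile($path);
```

Drop the script into the image folder and request it directly; if the host later disables fpassthru() too, the file_get_contents() and fread() branches take over without a code change. The realpath() check matters more than it looks: with open_basedir unset, a symlink planted in the image folder would otherwise let the script serve any file the web server user can read.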

                  I believe that if the people that maintain your server use the safe mode open_basedir properly, there should be no security risks (to other users) to warrant disabling those file functions.
