Readfile() alternative

Squiggles

Hi Guys,

I've been using this piece of code for years now, whenever I use rotating images within my websites. Recently, I received word that readfile() was disabled on the server I was working with for security reasons.

Here's the snippet I use:

* BEGIN CODE *

$fileList = array();
$folder = ".";
$handle = opendir($folder); 
while (false !== ($file = readdir($handle) ) ) 
	{
	if ( substr($file, -4) == ".gif" || substr($file, -4) == ".jpg" ) 
		{
		$fileList[count($fileList)] = $file;
		}
	}
closedir($handle);
$randNum = rand( 0, (sizeOf($fileList) -1) );
if ( substr($fileList[$randNum], -4) == ".gif" ) 
	{
	header ("Content-type: image/gif");
	} 
elseif ( substr($fileList[$randNum], -4) == ".jpg" ) 
	{
	header ("Content-type: image/jpeg");
	}
readfile($fileList[$randNum]);

* END OF CODE *

any suggestions or possible alternatives to use instead of readfile()?

many thanks in advance.

Installer

The manual suggests:

See also fpassthru(), file(), fopen(), include(), require(), virtual(), file_get_contents()...

halojoy

hi
I cant see any readfile() in your code
so,
I will assume your mean readdir()

The alternative, which is much more simple to use is:
http://php.net/scandir

Here is a nice little example, I have written, Directory Viewer

<?php

// directory view
$files = scandir( '.' );
//$fcount = count( $files );

echo '<body bgcolor="#DDDDDD">';
echo "<b><i>DIRVIEW FILE INDEX</i></b>";
echo "<hr>";
foreach ( $files AS $name ){
    if(substr($name,0,1)!=".")
        echo '<a href="'.$name.'" target="blank">'.$name.'</a><br>';
}
echo '</body>';
exit;

to test extensions:

<?php

// takes the last 4 chars, for example '.txt'
if ( substr( $name, -4 ) == ".txt" )
    echo 'textfile';

Squiggles

nope. it's readfile(). it's located on the last line.

halojoy

okay
then this post
by Installer is better:

See also fpassthru(), file(), fopen(), include(), require(), virtual(), file_get_contents()...

from the readfile manual
http://php.net/readfile

🙂

MarkR

Squiggles wrote:
Hi Guys,

I've been using this piece of code for years now, whenever I use rotating images within my websites. Recently, I received word that readfile() was disabled on the server I was working with for security reasons.

I don't understand why that would be? Surely your production server support people are there to support you not to piss you off?

Can you not argue with them like:

You can't disable readfile() because my application requires it for proper operation...

They can't reasonably take unilateral decisions like that, particularly not after deployment.

Mark

bradgrafelman

I'm a bit puzzled as to how readfile() is a security hazard? It is absolutely no different that combining [man]file_get_contents/man and [man]echo[/man]!

Weedpacket

Maybe file_get_contents() is disabled as well .... but then I'd expect all the file-access functions to be locked out. ini_get('disable_functions') or phpinfo() may give a list.

Those nasty web developers. Always wanting to read files... :mad:

But yeah, try taking it up with someone who can do something about it first before getting into knots yourself trying to work around it. That Way Lies Madness.

Kudose

I believe that if the people that maintain your server use the safe mode open_basedir properly, there should be no security risks (to other users) to warrant disabling those file functions.