Dealing with odd filenames passed via $_GET

Byoung

My problem in short : To pass a properly escaped filename to another file via $_GET which unescapes it properly, and is capable of using the passed filename regardless of special characters (#"&'%), usable with file_exists(), include(), and imagecreatefromjpeg().

In detail :
I am using a php script that will look for an image, if not found, generate that image via gd. The path to this image is sent via thumbnail.php?image=blah_453.jpg . Only the filename is passed, the image directories are functioning properly.

If the photo does not exists, it displays imagena.jpg.
If the thumbnail exists, it includes the thumbnail.
If the thumbnail does not exist, it creates it, then includes it.

This script works great.. that is until I start passing image names with odd characters in them. My current problem appears to just be quotes and the # sign. I have tried a variety of different things from urlencode, htmlspecialchars,htmlentities, etc, and if it get one thing working, it breaks normal images and etc. My limitation is that simply renaming images, or naming them correctly to begin with is not an option. The server is an IIS server, if that makes a difference in regards to how file paths are handled.

With the following code, I have these results :
1. Spaces (and %20) work fine.
2. & works.
3. single ' quote yeilds big photo not found.

causes the file to be found, but thumbnail script wont include it properly

The following is the function that is passed on individual pages, i.e.
print thumbnail($imagefilenamefromdb,$captionfromdb);

<?php
function thumbnail ($image,$caption='') {

 $caption = htmlspecialchars($caption); // Escape Caption Text

 if ( file_exists('../images/photos/' .$image) ) { // Make sure photo exists
	if ( file_exists('../images/tn/' .$image) ) { // Check for thumbnail, if exists, print it.
	  print '<img src="/images/tn/' .$image. '" alt="' .$caption. '" style="border:1px solid black;" width="115" />';
	} else {  // Check for thumbnail, if it doesnt exist, create a thumbnail
	  print '<img src="/images/tn/thumbnail_image.php?image=' .urlencode($image). '" alt="' .$caption. '" style="border:1px solid black;" width="115" />';
 	}  
} else { // If photo wasn't uploaded
       print '<img src="/images/imagena.jpg" alt="image is unavailable currently">';
    }
}
?>

Below is the actual .php file that generals said thumbnails. : (thumbnail_image.php)

<?php
header("Content-type: image/jpeg");
ini_set('memory_limit', '20M');


$_GET['image'] = urldecode($_GET['image']);
$theimage = stripslashes($_GET['image']);
if ( file_exists($theimage) === FALSE ) {

$src_img = imagecreatefromjpeg("../photos/$theimage");
if ($src_img != '') { 
$origw=imagesx($src_img); 
$origh=imagesy($src_img); 
$new_w = "115"; 

$diff=$origw/$new_w; 
$new_h=$origh / $diff; 
$dst_img = imagecreatetruecolor($new_w,$new_h); 

imagecopyresized($dst_img,$src_img,0,0,0,0,$new_w,$new_h,imagesx($src_img),imagesy($src_img)); 

imagejpeg($dst_img, $_GET[image]);
imagedestroy($dst_img); 
}
include $theimage;
} else {
  include $theimage;
}
?>

Thanks for reading this, these forums have been a great help in the past, and any help is appreciated. Thanks 🙂

sneakyimp

your code correctly uses urlencode() in the first script which is passing the filename to the second script. In the second script, you don't need urldecode - that is done automatically to all GET params.

Also, you should only stripslashes if slashes are getting added. that may currently the case on your server but you should probably check to see if it's on or not in case you have to move your code to another machine later:

// your second file
$theimage = $_GET['image'];
if (get_magic_quotes_gpc() == 1){
  $theimage = stripslashes($theimage);
}

Byoung

Thanks for the suggestions, I went ahead and implemented them. Unfortunatly however, they don't fix the issue of images not being found. The good news though, is I found that # will not work regardless, I beleive it is an issue of file permissions and that # is considered a special character to the server, and not to be used for normal files. So all my issues debugging that weren't an issue with the script.

I have managed to narrow the problem down to just quotes now and it seems to be imagecreatefromjpg() that is where the script dies out with "file could not be found".