Someone here who might be able to tell me why this does not work.

index.php

PHP:
<?php
echo "<hr>\n";
echo "<img src=\"images.php?fl=1.jpg\" />\n";
echo "<hr>\n";
echo "<img src=\"images.php?fl=2.gif\" />\n";
echo "<hr>\n";
echo "<img src=\"images.php?fl=3.gif\" />\n";
echo "<hr>\n";
echo "<img src=\"images.php?fl=4.jpg\" />\n";
?>

images.php

PHP:
<?php
$filename = $_REQUEST["fl"];
include $filename;
?>

The strange thing is that image 1.jpg, 2.gif and 3.gif show up okay, but 4.jpg does not.

Image 1 = 28 KB
Image 2 = 128 KB
Image 3 = 23 KB
Image 4 = 725 KB

When I try to load image 4 this way: http://domain.tld/images.php?fl=4.jpg I get an error:

Parse error: syntax error, unexpected '%' in /var/www/web6/web/4.jpg on line 205

Hmm, line 205?? The script does not have that many lines! (http://domain.tld/4.jpg is working fine)

When I call all the other (smaller) images with http://domain.tld/images.php?fl=... all is working fine!

Anyone here who can enlighten me on this "error"?
I think PHP tries to interpret 4.jpg as a script. You could try to use file_get_contents() to read the file and then pass it to the browser instead of using include(). Maybe you also need to set headers so that it's clear for the browser that it's an image.
You have to add a content header according to the image file in the image.php, e.g.

Code:
header ("Content-type: image/png");
Yes I found this info some days ago, but why does it work (without the "Content-type") for some images, and does it not work for others?
Very bad code! Please check where $_REQUEST["fl"] points to and restrict it to only one directory or the ones you need... E.g. with the forgotten header you could easily export /etc/passwd or anything. Maybe safe-mode / open_basedir might help, but that's no reason for implementing it this way.

Regarding the last question, maybe the browser interprets the files without header per default as some other image type, or is able to recognize the appropriate MIME type in some cases.

As falko mentioned, I also would make use of file_get_contents e.g. instead of include.
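The restriction suggested in the reply above, as an added example that is not part of the original thread: it confines the request to one directory, sends a matching Content-Type, and streams the file with readfile() rather than include, which parses the file's bytes as PHP source. The `images` directory, the extension allowlist and the `resolve_image()` helper are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. IMAGE_DIR and ALLOWED_TYPES are assumptions.
const IMAGE_DIR = __DIR__ . '/images';   // assumed: the only directory images are served from
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
];

// Hypothetical helper: returns [absolute path, MIME type], or null if the request is rejected.
function resolve_image(string $requested): ?array
{
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;                     // not an image type we serve
    }
    // realpath() resolves symlinks and returns false for missing files.
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                     // missing, or resolved outside IMAGE_DIR
    }
    return [$path, ALLOWED_TYPES[$ext]];
}

// Read only the query string, and reject non-string input such as fl[]=x.
$fl    = $_GET['fl'] ?? '';
$image = is_string($fl) ? resolve_image($fl) : null;
if ($image === null) {
    http_response_code(404);
    exit;
}

[$path, $type] = $image;
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');   // browser must not guess a different type
readfile($path);   // sends the bytes as-is; unlike include, never executes them as PHP
```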
Hi Ben,

The code shown was only a demo. For simplicity I removed all the extra stuff. I did solve the problem with "Content-type", but I'll have a look at the "file_get_contents" too.

Thank you for your reply.