Most people talk about downloading an image from a website to their computer, but there are times when we need to download an image from a website to our own website (via a link).
Following on from Download images to website, I have combined this with an upload script, an image proxy script and an optional image rename (appending a timestamp) and offer it here in the hope it might help someone out.
I have heavily commented the script and it needs no configuring, but there are 3 variables that can be changed in the config.php file (image folder name, append timestamp to filename, and image proxy on or off). By default the timestamp and image proxy are on, as that is more secure. When the image proxy is on, a .htaccess file forbids direct access to the image folder and images are parsed via PHP (<img src="mypic.jpg"> becomes <img src="fetch.php?image=mypic.jpg">).
Downloading images to your site from another site means you don't have to worry if the other site goes down, closes or alters the image, plus you have 100% say in what goes on your site.
But why all this?
The image proxy fetches the image from its true location and serves it from another, which in this script is fetch.php.
Renaming images prevents people putting illegal/dangerous characters in the name and makes it harder for people to find other files in the folder (not incremental names or php.ini).
Just in case anyone gets to the actual image folder (which most people recommend storing outside of your document root), when the proxy is on we deny all access to the image folder.
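The two halves of that design, as an added example written for this post rather than the script itself: a store step that gives a fetched image a generated name with the extension taken from the detected type, and a fetch.php-style serve step that only accepts names of that generated form, resolves them inside the image folder, and copies the bytes out with readfile() so PHP never evaluates them. The folder path, function names, allowed-type list and the random token in the filename are my assumptions, not settings from config.php.

```php
<?php
// Added example (not the original script): storeImage() keeps downloaded image
// bytes under a name we choose; serveImage() is what fetch.php?image=... calls.
// $imageFolder, the function names and the allowed-type list are assumptions.

$imageFolder = __DIR__ . '/images';
// .htaccess dropped into $imageFolder when the proxy is on (Apache 2.4 syntax):
//     Require all denied
// Apache 2.2 uses "Deny from all" instead.

$allowedTypes = [
    IMAGETYPE_GIF  => ['gif', 'image/gif'],
    IMAGETYPE_JPEG => ['jpg', 'image/jpeg'],
    IMAGETYPE_PNG  => ['png', 'image/png'],
];

// Name = timestamp + random token + extension derived from the detected type,
// never from the remote URL or the original filename.
function storeImage(string $folder, string $bytes, array $allowedTypes): ?string
{
    $info = getimagesizefromstring($bytes);
    if ($info === false || !isset($allowedTypes[$info[2]])) {
        return null; // not an image type we accept
    }
    $name = time() . '_' . bin2hex(random_bytes(8)) . '.' . $allowedTypes[$info[2]][0];
    if (file_put_contents($folder . '/' . $name, $bytes) === false) {
        return null;
    }
    return $name;
}

function serveImage(string $folder, string $requested, array $allowedTypes): void
{
    // basename() drops any directory part; the pattern then allows only the
    // exact shape storeImage() produces, so ../ or other files cannot be named.
    $base = basename($requested);
    if (!preg_match('/^[0-9]+_[0-9a-f]{16}\.(gif|jpg|png)$/', $base)) {
        http_response_code(404);
        exit;
    }
    $real = realpath($folder . '/' . $base);
    $root = realpath($folder);
    if ($real === false || $root === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit;
    }
    // Content-Type is decided by the file's own header bytes, not by the URL.
    $info = getimagesize($real);
    if ($info === false || !isset($allowedTypes[$info[2]])) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . $allowedTypes[$info[2]][1]);
    header('Content-Length: ' . filesize($real));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $base . '"');
    readfile($real); // bytes are copied to the client, never run through the PHP engine
    exit;
}

// Usage in fetch.php (skipped when run from the command line):
if (PHP_SAPI !== 'cli') {
    serveImage($imageFolder, $_GET['image'] ?? '', $allowedTypes);
}
```

Note that the name check and the realpath() check overlap on purpose: the regex is the thing that actually stops directory traversal and odd characters, while the realpath() comparison is a second guard in case the regex is ever loosened. X-Content-Type-Options: nosniff stops browsers from second-guessing the declared image type.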
But does it work?
I did an experiment today after reading PHP file uploads, which covers some very good points, using one of their demo files, crocus.php, which is actually an image stored in a PHP file with PHP code stored in the comment section of the image (<?php phpinfo(); ?>).
I renamed crocus.php to crocus.php.gif and, with the image proxy turned off, uploaded it, and the hidden PHP code inside the comment section of the image executes! (Fixed in update; see changelog.)
This shows why we need to use the proxy and pass the file to PHP and let PHP read it, not execute it; then all we see with crocus.php is an image!
The file passes getimagesize(), since it is a genuine image with dimensions, passes the extension and MIME type checks, and even if we checked for magic numbers it would still pass.
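To make that concrete, here is an added example (not part of the original post or the demo files it mentions) that builds a 1x1 GIF in memory with a PHP tag in its comment block, the same shape as crocus.php.gif, and runs the three checks listed above against it. It then shows one extra mitigation the post does not use: re-encoding the upload through GD, which keeps the pixels and drops every comment block. The function names are mine and the GIF bytes are constructed here.

```php
<?php
// Added example, not from the original post. Builds a GIF whose comment
// extension carries a PHP tag and shows that extension, magic-number and
// getimagesize() checks all accept it. Function names are assumptions.

function gifWithComment(string $comment): string
{
    $header = "GIF89a"
            . "\x01\x00\x01\x00"          // logical screen 1x1
            . "\x80\x00\x00"              // global colour table present, 2 entries
            . "\x00\x00\x00\xFF\xFF\xFF"; // the two colours: black, white
    // Comment extension: 0x21 0xFE, data sub-blocks of up to 255 bytes, 0x00 terminator
    $ext = "\x21\xFE";
    foreach (str_split($comment, 255) as $chunk) {
        $ext .= chr(strlen($chunk)) . $chunk;
    }
    $ext .= "\x00";
    $image = "\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00" // image descriptor, 1x1 at 0,0
           . "\x02\x02\x44\x01\x00"                      // LZW-coded single pixel
           . "\x3B";                                     // trailer
    return $header . $ext . $image;
}

// The checks the post lists: extension, magic number, getimagesize()
function passesNaiveChecks(string $filename, string $bytes): bool
{
    $ext     = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $extOk   = in_array($ext, ['gif', 'jpg', 'jpeg', 'png'], true);
    $magicOk = in_array(substr($bytes, 0, 6), ['GIF87a', 'GIF89a'], true);
    $sizeOk  = getimagesizefromstring($bytes) !== false;
    return $extOk && $magicOk && $sizeOk;
}

function containsPhpTag(string $bytes): bool
{
    return stripos($bytes, '<?php') !== false || strpos($bytes, '<?=') !== false;
}

// Re-encoding through GD keeps the pixels and discards extension blocks, so the
// comment (and whatever was written into it) never reaches the stored file.
function reencodeGif(string $bytes): ?string
{
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        return null;
    }
    ob_start();
    imagegif($im);
    return ob_get_clean() ?: null;
}

$payload = gifWithComment('<?php phpinfo(); ?>'); // constructed, mirrors crocus.php.gif
echo 'naive checks accept crocus.php.gif: ',
     var_export(passesNaiveChecks('crocus.php.gif', $payload), true), PHP_EOL;
echo 'PHP tag present in upload:          ',
     var_export(containsPhpTag($payload), true), PHP_EOL;
$clean = reencodeGif($payload);
echo 'PHP tag present after re-encode:    ',
     var_export($clean !== null && containsPhpTag($clean), true), PHP_EOL;
```

Two caveats. Whether a name like crocus.php.gif is ever handed to the PHP engine depends on the web server's handler configuration, which is exactly what the .htaccess in the changelog below addresses; the proxy approach works regardless, because the file is only ever read. And scanning for "<?php" is a detection aid, not a filter to rely on: re-encoding (or serving through the proxy) removes the problem rather than trying to recognise it.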
Anyway, hope this helps, and if anyone would like to add anything please do, as we're all here to learn after all.
8th March 2012 – Modified config.php and inserted .htaccess.bak into the image folder to prevent script execution in the image folder when the image proxy is off. (This fixes crocus.php.gif so it no longer executes.)