Download and Upload Images to your website

Posted By: Ian on Apr 05, 2012 in PHP, Snippets
Last modified on December 9th, 2012 at 9:45 pm

Most people talk about downloading an image from a website to their computer, but there are times when we need to download an image from a website to our website (via a link).
Following on from Download images to website, I have combined this with an upload script, an image proxy script and an optional image rename (append), and offer it here in the hope it might help someone out.

I have heavily commented the script and it needs no configuring, but there are 3 variables that can be changed in the config.php file (image folder name, append timestamp to filename, and image proxy on or off). By default the timestamp and image proxy are on as it's more secure. When the image proxy is on, a .htaccess file forbids direct access to the image folder and images are passed through PHP (<img src="mypic.jpg"> becomes <img src="fetch.php?image=mypic.jpg">).

Download Script

 

Downloading images to your site from another means you don't have to worry if the other site goes down, closes or alters the image, plus you should have 100% say in what goes on your site.

But why all this?

The image proxy fetches the image from the true location and serves it from another, which in this script is fetch.php.
Renaming images prevents people putting illegal/dangerous characters in the name and makes it harder for people to find other files in the folder. (Not incremental names or php.ini)
Just in case anyone finds the actual image folder (which most people recommend storing outside of your document root), when the proxy is on we deny all access to the image folder.

But does it work?

I did an experiment today after reading PHP file uploads, which covers some very good points, using one of their demo files, crocus.php, which is actually an image stored in a PHP file with PHP code stored in the comment section of the image (<?php phpinfo(); ?>).

I renamed crocus.php to crocus.php.gif and, with the image proxy turned off, uploaded it, and the hidden PHP code inside the comment section of the image executes! (Fixed in update, see changelog.)
This shows why we need to use the proxy and pass the file to PHP and let PHP read it, not execute it; then all we see with crocus.php is an image!

The file passes getimagesize() as it has a size because it is an image, passes the extension and MIME type checks, and even if we checked for magic numbers it would still pass.
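
A minimal sketch of a read-only proxy in the style of the fetch.php described above. This is an added example, not the code from the downloadable script; the `images` folder name and the allowed-type list are assumptions.

```php
<?php
// fetch.php?image=mypic.jpg : read an uploaded image and stream it as data.
// Added illustration; IMAGE_DIR and ALLOWED_TYPES are assumed values.
const IMAGE_DIR = __DIR__ . '/images';
const ALLOWED_TYPES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

function fail(int $status): void
{
    http_response_code($status);
    exit;
}

// basename() drops any directory part, so "../config.php" becomes "config.php".
$name = basename((string) ($_GET['image'] ?? ''));
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if ($name === '' || !array_key_exists($ext, ALLOWED_TYPES)) {
    fail(404);
}

// Resolve symlinks and confirm the file really lives inside the image folder.
$base = realpath(IMAGE_DIR);
$path = realpath(IMAGE_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    fail(404);
}

// Keeps the extension and detected type consistent. It will not spot PHP
// hidden in an image comment: such a file is still a valid image.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if ($mime !== ALLOWED_TYPES[$ext]) {
    fail(404);
}

// The Content-Type comes from the allowlist; nosniff stops browser guessing.
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));

// readfile() only copies bytes to the output. Unlike include or require it
// never hands the contents to the PHP interpreter, so embedded code is inert.
readfile($path);
```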

Anyway, hope this helps, and if anyone would like to add anything please do, as we're all here to learn after all.


Changelog :-
8th March 2012 – Modified config.php and inserted .htaccess.bak into the image folder to prevent script execution in the image folder when the image proxy is off. (This fixes crocus.php.gif, so it now does not execute.)

Ian.J.Gough
