
Is it safe to display an image using $_GET for the path? For example using this format: image.php?path=/images/example.jpg

morandi3

3 Answers

2

Yes you can, just make sure you use isset so that it doesn't throw an undefined index notice if someone fiddles with your URL; also you need to check whether the path is valid, else show some other image, like "image not found", by writing text in the alt attribute.

if (isset($_GET['index'])) {
    // Output the <img> tag; escape the value before placing it in an attribute
    // so a tampered URL cannot break out of the markup.
    echo '<img src="' . htmlspecialchars($_GET['index'], ENT_QUOTES, 'UTF-8') . '" alt="Image not found">';
}

Points to be looked for:-

  • Anybody can tinker with the URL
  • You'll have to sanitize the value
  • Often paths will change, so be sure you use alt text if the image is not found
  • If you don't sanitize, it will lead to easy intrusion for hackers

In short, I suggest you NOT DO SO

Mr. Alien
2

It's perfectly safe if you check the path exists after using basename($_GET['path']) on the file name; also define your path to the images folder.

Then check that it is an image with getimagesize($path). If any fail, change the filename to a not found image or such.

<?php
// Filesystem path of the images folder (adjust to your deployment)
$path_to_images = '/images/';
$not_found_img  = './path/to/not_found_image.jpg';

// Check the path is set and not empty
if (empty($_GET['path'])) {
    $path = $not_found_img;
} else {
    // basename() strips any directory component, so "../x" becomes "x"
    $path = $path_to_images . basename($_GET['path']);

    // Check that the file exists
    if (!file_exists($path)) {
        $path = $not_found_img;
    } else {
        // Check that it really is an image (reads the header, not the extension)
        if (getimagesize($path) === false) {
            $path = $not_found_img;
        }
        // otherwise $path is validated
    }
}

// Do something with your $path
?>
Lawrence Cherone
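Both answers above rely on basename() plus an existence check. The following is an added example, not code from either answer, that carries the same idea further: it canonicalises the path with realpath() and requires the result to sit inside one whitelisted directory (which also catches symlinks pointing elsewhere), verifies the MIME type reported by getimagesize() against an allow-list, and escapes the value before it is written into the <img> tag. The directory, fallback file name and the function name resolve_image_path are assumptions for illustration; str_starts_with() needs PHP 8 or later.

```php
<?php
// Added example (not from the original answers): resolve a user-supplied
// image name to a file inside one whitelisted directory, or a fallback.
// IMAGES_DIR and NOT_FOUND_IMG are assumed locations for illustration.
declare(strict_types=1);

const IMAGES_DIR    = __DIR__ . '/images';               // assumed
const NOT_FOUND_IMG = __DIR__ . '/images/not_found.png'; // assumed
const ALLOWED_MIME  = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

/**
 * Return the validated filesystem path of the requested image, or $fallback
 * if the request is missing, escapes $dir, or is not an allowed image type.
 */
function resolve_image_path(string $requested, string $dir, string $fallback): string
{
    // 1. Strip any directory component: "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return $fallback;
    }

    // 2. Canonicalise both sides and require the file to sit inside $dir.
    //    realpath() returns false for a non-existent file, which covers the
    //    file_exists() check from the answer above as well.
    $base = realpath($dir);
    $full = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false
        || !str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return $fallback;
    }

    // 3. Confirm it is an image type we serve; getimagesize() inspects the
    //    file header rather than trusting the extension.
    $info = @getimagesize($full);
    if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
        return $fallback;
    }
    return $full;
}

// Usage: image.php?path=example.jpg
$path = resolve_image_path($_GET['path'] ?? '', IMAGES_DIR, NOT_FOUND_IMG);

// Build the public URL from the validated basename only, then escape the
// attribute so the value cannot break out of the markup.
$web = '/images/' . rawurlencode(basename($path));
echo '<img src="' . htmlspecialchars($web, ENT_QUOTES, 'UTF-8') . '" alt="Image not found">';
```

The containment check in step 2 is the part basename() alone does not give you: if the images directory contains a symlink, or if the base directory is ever configured from user-influenced input, realpath() plus the prefix comparison still guarantees the served file lives under the intended folder. Any failure falls through to the same fallback image rather than leaking an error message.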
0

Completely yes. There are no problems, hackers can't give their bad code that can hack your page or work with your database. But take care of some other elements.

  • Luckily, [CSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) [only](http://stackoverflow.com/questions/2526522/csrf-cross-site-request-forgery-attack-example-and-prevention-in-php) affects visitors :) – thaJeztah May 01 '13 at 07:34