2

I am creating an image using PHP. I have almost coded it, but I am stuck at a very important point: I want the font family of my choice in that image, but only when I select a font family; otherwise the default font is used. This logic is not running properly. When I don't choose any font family, the default font runs and shows me the input, but when I choose any font, it also runs and the existing image is overwritten, but it does not show me the input on screen.

Please tell me what the issue is. Here is the code of my PHP file:

<?php
include_once('includes/includes.inc.php');
if(isset($_GET['txt'])){
    $txt = $_GET['txt'];
    $_SESSION['txt'] = $txt;
}

if(!isset($_SESSION['rand'])){
    $rand = mt_rand(100,1000);
    $_SESSION['rand'] = $rand;
}

    $im = @imagecreate(288, 288) or die("Cannot Initialize new GD image stream");
    $background_color = imagecolorallocate($im, 230, 248, 248);
    $text_color = imagecolorallocate($im, 85, 85, 85);



    if(isset($_GET['Smile'])){
        $query = mysql_query("SELECT * FROm tbl_fonts WHERE font_name = '".$_GET['Smile']."'");
        $get = mysql_fetch_array($query);
        $desfon = 'images/fonts/'.$get['font_name'].'.ttf';
        //echo $desfon;
        imagettftext($im, 55, 0, 155, 55, $text_color, $desfon, $_SESSION['txt']);
    }
    else{
        imagestring($im, 55, 155, 55,  $_SESSION['txt'], $text_color);
    }

    header("Content-Type: image/png");
    $filename1 = $_SESSION['txt'].$_SESSION['rand'].'.png';
    imagepng($im,$filename);
    echo '<img src="'.$filename.'" alt="" />';
?>
  • 1
    If only your image is not shown, that is because of the browser cache. Try to put a timestamp with the image source, so it always uses the latest image, something like – Sumit Gupta Jun 05 '13 at 10:37
  • First you have to call session_start() before using $_SESSION – Kees Sonnema Jun 05 '13 at 10:38
  • This will allow an attacker to write files anywhere where the current user has access. You probably want to clean up the contents of $_GET['txt'] before using it as a filename. – MatsLindh Jun 05 '13 at 10:40

1 Answer

0

First of all, you have a few security issues you really should handle before using this code anywhere public. A good way to start would be fixing the SQL injection problems by looking at "Why shouldn't I use mysql_* functions in PHP?" and "How to prevent SQL injection in PHP?"

Also, writing to a filename you directly get from a GET parameter allows for an attacker to write almost anywhere in your system. Make sure you validate the input. At the very least, use something like basename() to at least keep the file in the same directory.

Then to your actual problem. It could be that you are running a version of the GD library that is mentioned in the imagettftext manual:

Depending on which version of the GD library PHP is using, when fontfile does not begin with a leading / then .ttf will be appended to the filename and the library will attempt to search for that filename along a library-defined font path.

So it's possible your server is actually looking for images/fonts/fontname.ttf.ttf. Try to use it like $desfon = 'images/fonts/'.$get['font_name']; and see if it works.

It might also be a good idea to simply set the GDFONTPATH at the top of your script and simply use $desfon = $get['font_name'];

<?php
// Set the environment variable for GD
putenv('GDFONTPATH=' . dirname(__FILE__).'/images/fonts/');
?>

Other ways to debug your application could be to dump the content of the imagettftext call and see what it says. Notice that I will exit the script so it won't create an actual image, but just output the return value.

<?php
//your script

var_dump(imagettftext($im, 55, 0, 155, 55, $text_color, $desfon, $_SESSION['txt']));
exit();

//rest of script.
?>
Hugo Delsing
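
The two fixes recommended in the answer above (a parameterized font lookup and a validated output filename), shown as an added example that is not part of the original thread. PDO with an in-memory SQLite database stands in for the MySQL table tbl_fonts, and resolveFont(), outputName() and the temporary font directory are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite stands in for the
// MySQL table tbl_fonts; resolveFont() and outputName() are hypothetical helpers.
function resolveFont(PDO $db, string $requested, string $fontDir): ?string
{
    // Bound parameter: the $_GET['Smile'] value never becomes SQL text.
    $stmt = $db->prepare('SELECT font_name FROM tbl_fonts WHERE font_name = ?');
    $stmt->execute([$requested]);
    $name = $stmt->fetchColumn();
    $base = realpath($fontDir);
    if ($name === false || $base === false) {
        return null; // unknown font: caller falls back to imagestring()
    }
    // realpath() gives an absolute path (leading "/" on Unix-like systems), which
    // per the manual text quoted above avoids GD's ".ttf" appending and font-path
    // search; the prefix check keeps the file inside $fontDir.
    $path = realpath($base . '/' . basename($name) . '.ttf');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function outputName(string $txt, int $rand, string $outDir): string
{
    // Allowlist characters rather than trusting $_GET['txt'] as a path.
    $safe = preg_replace('/[^A-Za-z0-9_-]/', '', basename($txt));
    if ($safe === '') {
        $safe = 'image';
    }
    return rtrim($outDir, '/') . '/' . substr($safe, 0, 40) . $rand . '.png';
}

// Constructed sample data: one font row and an empty stand-in font file.
$fontDir = sys_get_temp_dir() . '/fonts_demo';
if (!is_dir($fontDir)) { mkdir($fontDir); }
touch($fontDir . '/Smile.ttf');
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_fonts (font_name TEXT)');
$db->exec("INSERT INTO tbl_fonts VALUES ('Smile')");

var_dump(resolveFont($db, 'Smile', $fontDir));        // known font
var_dump(resolveFont($db, "x' OR '1'='1", $fontDir)); // injection string matches no row
var_dump(outputName('../../etc/passwd', 123, 'out')); // traversal characters stripped
var_dump(outputName('hello', 123, 'out'));            // ordinary input
```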