0

I am trying to display an image in HTML using:

```html
<img src="/logo.php?seq=5" />
```

Then logo.php looks like:

```php
<?php
$sql="SELECT * from reseller where sequence = '".$_GET["seq"]."' ";
$rs=mysql_query($sql,$conn);
$result=mysql_fetch_array($rs);

echo '<img src="http://www.integradigital.co.uk/customer/'.$result["logo"].'" />';
?>
```

But it's not working. What's the best way to do this so the user seeing the image cannot look at the URL of the image? If they open the image in its own window, I want them to see something like http://www.domain.com/logo.php?seq=5.

charlie
  • Why don't you place a div instead and set the logo as a background image, so that it will not be a straightforward URL to show? – Ganesh Pandhere Sep 18 '13 at 10:39
  • I thought about that, but if the user looks in the CSS it will show the URL – charlie Sep 18 '13 at 10:40
  • 1
    Define "cannot look at the URL." Even if it's referenced in CSS, the user can still look at it if they want to. – David Sep 18 '13 at 10:40
  • 3
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Sep 18 '13 at 10:41
  • It's easy, just base64 encode your URLs ;) – Kyslik Sep 18 '13 at 10:41

1 Answer

2

Use readfile() to read the image in the image.php:

```php
// Read URL from database
// (escape the request value before it is placed in the query string)
$seq    = mysql_real_escape_string( $_GET["seq"], $conn );
$sql    = "SELECT * from reseller where sequence = '" . $seq . "'";
$rs     = mysql_query( $sql, $conn );
$result = mysql_fetch_array( $rs );

// Generate path
$path = '/customer/' . $result["logo"];

// Set proper headers: pass on the Content-Type reported for $path
$headers = get_headers( $path );

foreach ( $headers as $h ) {
    if ( strpos( $h, 'Content-Type:' ) !== false ) {
        header( $h );
    }
}

// Send file to user
readfile( $path );
```

Then PHP reads the right logo and outputs it; the user won't be able to see the real path. You can link the logo like you proposed:

```html
<img src="/logo.php?seq=5" alt="Logo">
```
Rudolf
  • 1
    You should also send a proper image header. – John V. Sep 18 '13 at 10:44
  • So if I use this in image.php or logo.php, what do I use in the menu.php file? – charlie Sep 18 '13 at 10:45
  • 1
    You can just link it like you proposed: `` – Rudolf Sep 18 '13 at 10:46
  • I'm getting text like: ‰PNG IHDRè½6‘tEXtSoftwareAdobe ImageReadyqÉe<�yQIDATxÚì]`]eÙ~μ;7{5iÒ=è¢tRö,”)K@AD6((ü ‚,EA™Ê] Œ²)JÝ{7ÍNî<ëßïÜ$7¹7éš§¹óÜs¾ó=ïû¼ó“ÇAïÖ»õnßÎMå$Iê‰Þí»ºõ4yÿ €ön½Û·dÛz]êæsN–½ ½[/о IÛ¡”e—ÓÞg0 ...and much more... When I echo $path it's the right URL though – charlie Sep 18 '13 at 10:51
  • 1
    Try it again with the proper headers I added, that should solve it. – Rudolf Sep 18 '13 at 10:52
  • Warning: finfo_file() [function.finfo-file]: Failed identify data 0:(null) in /home/reseller/public_html/logo.php on line 13 – charlie Sep 18 '13 at 10:52
  • I'm getting these errors when I go to logo.php?seq=5, but on the menu.php page where I have it's just showing a blank square - no image – charlie Sep 18 '13 at 10:53
  • Are you sure this is the right absolute path to the file? It might be something like `$_SERVER['DOCUMENT_ROOT'] . '/customers/'` instead. – Rudolf Sep 18 '13 at 10:55
  • 1
    I get the feeling they are actually separate sites, and the one that contains the actual images is separate hosting, he might need the full url (which I think `readfile` still supports). – John V. Sep 18 '13 at 10:57
  • That would indeed be very bad. Are the logos on the same server as your script @charlie? – Rudolf Sep 18 '13 at 10:59
  • Yes, they are 2 separate sites - I have put the $path with the domain at the start – charlie Sep 18 '13 at 11:00
  • same server - 2 sites – charlie Sep 18 '13 at 11:01
  • @charlie Then in logo.php you need to use the path to the site that the images are stored on, preferably the full local path. (/home/reseller/public_html/ ?) – John V. Sep 18 '13 at 11:02
  • 1
    If they are on the same server, does one site have access to the files of the other? Is open_basedir activated? – Rudolf Sep 18 '13 at 11:03
  • I'm not sure - it's not my server, it's with a hosting company – charlie Sep 18 '13 at 11:03
  • And no, the sites don't have access to each other – charlie Sep 18 '13 at 11:07
  • Look at it now, it fetches the headers from the remote site. – Rudolf Sep 18 '13 at 11:07
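
A hardened logo.php that covers the points raised in this thread (the SQL injection warning under the question and the missing image header), as an added example that is not part of the original answer or comments. The DSN, credentials and `LOGO_DIR` are placeholders, and it assumes the logo files are readable on local disk by this script.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the original post): the DSN and credentials below, and
// that the logo files are readable on local disk under LOGO_DIR.
const LOGO_DIR = '/path/to/customer';
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

function fail(int $status): void
{
    http_response_code($status);
    exit;
}

// 1. Accept only a positive integer for seq; anything else is rejected outright.
$seq = filter_input(INPUT_GET, 'seq', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($seq === null || $seq === false) {
    fail(400);
}

// 2. Bind the value as a parameter so it can never change the SQL statement.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'db_user', 'db_pass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT logo FROM reseller WHERE sequence = ?');
$stmt->execute([$seq]);
$logo = $stmt->fetchColumn();
if (!is_string($logo) || $logo === '') {
    fail(404);
}

// 3. Treat the stored name as untrusted: drop directory parts, then confirm the
//    resolved path is still inside LOGO_DIR (blocks ../ and symlink escapes).
$base = realpath(LOGO_DIR);
$file = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . basename($logo));
if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($file)) {
    fail(404);
}

// 4. Detect the type from the file's bytes and serve only known image types.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file);
if (!in_array($mime, ALLOWED_TYPES, true)) {
    fail(415);
}

// 5. Send the image bytes; nosniff stops browsers from reinterpreting them.
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```

This keeps the storage location out of the page source, but anyone who can request `/logo.php?seq=5` can still download the image itself.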