Paul Novitski wrote:
At 7/26/2007 06:18 AM, elk dolk wrote:
I want to hide the real URL to my images by masking it with PHP.
The code looks like this:
$query = "SELECT * FROM table";
$result=mysql_query($query);
while ($row = mysql_fetch_array($result))
{
echo "<img src='http://www.mysite.com/img/{$FileName}'/>";
}
if you look at the source in browser you will see:
<img src='http://www.mysite.com/img/111.jpg' />
how can I show it like this:
<img src='show.php?FileName=111.jpg' />
Your primary script would echo:
while ($row = mysql_fetch_array($result))
{
// get the file name from the data table
$FileName = $row['filename'];
// encode the filename to be legal in an URL
$FileName = urlencode($FileName);
// download to browser
echo <<<_
<img src="show.php?FileName=$FileName" />
_;
a heredoc for a single short line? why? isn't echo '<img
src="show.php?FileName='.$FileName.'" />'; just as easy? Or is it
because you didn't feel like escaping the double quotes and/or
concatenating strings? (yes, I really dislike heredoc, I know)
}
and the secondary script show.php could use logic such as this:
show.php?FileName=\0/etc/passwd
hint: use basename() on it.
// if the querystring contains the expected parameter
if (isset($_GET['FileName']))
{
// get requested filename
$Filename = 'img/' . $_GET['FileName'];
// if that file exists
if (file_exists($Filename))
{
// output to browser, suppressing error message
why are you suppressing error messages??
@readfile($Filename);
}
}
Notes:
Your sample script included:
echo "<img src='http://www.mysite.com/img/{$FileName}'/>";
Marking up your images as <img ... /> indicates that you want to use
XHTML. XHTML requires that attributes be quoted with double quotes, not
single quotes (apostrophes). Use <http://validator.w3.org/> to validate
your markup.
However, simply reversing the quotes in your statement would result in:
echo '<img src="http://www.mysite.com/img/{$FileName}"/>';
This would not work because PHP would fail to expand the variable name
inside single quotes. Therefore you'd need to escape the inner quotes
like so:
echo "<img src=\"http://www.mysite.com/img/{$FileName}\"/>";
or use heredoc (<<<...) which I prefer to use because it means not
having to escape the quotes. In a case like this it also means not
having to enclose the variable in curly braces:
OK, never mind, that answered my question :) Still a matter of taste
though, I'd prefer the concatenated version above any heredoc.
echo <<<_
<img src="show.php?FileName=$FileName" />
_;
urlencode: http://php.net/urlencode
heredoc syntax: http://php.net/heredoc#language.types.string.syntax.heredoc
isset: http://php.net/isset
file_exists: http://php.net/file_exists
readfile: http://php.net/readfile
@ Error Control Operator: http://php.net/@
Regards,
Paul
__________________________
Paul Novitski
Juniper Webcraft Ltd.
http://juniperwebcraft.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
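
The basename() hint from the reply above, carried through as a hardened show.php. This is an added example, not code from any poster in the thread; the img/ directory beside the script, the extension list, the helper name resolve_image() and PHP 7.1+ syntax are assumptions.

```php
<?php
// Added example, not code from the thread. Assumption: images live in img/ beside this script.

// Allowed extensions and the Content-Type sent for each (constructed list).
const IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Hypothetical helper: map a requested name to [path, mime] for a file
 * inside $baseDir, or return null when the request must be refused.
 */
function resolve_image($requested, string $baseDir): ?array
{
    // Refuse arrays (FileName[]=x), empty values and NUL bytes up front.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // basename() drops every directory part: "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, IMAGE_TYPES)) {
        return null;
    }
    // realpath() resolves symlinks; the result must still sit under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return [$path, IMAGE_TYPES[$ext]];
}

// $_GET keys are case-sensitive: read the same key the <img> URL sends.
$image = resolve_image($_GET['FileName'] ?? null, __DIR__ . '/img');
if ($image === null) {
    http_response_code(404);
    exit;
}
[$path, $mime] = $image;
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The extension allowlist keeps the script from serving anything other than images even if other files end up in img/, and readfile() is called without @ so a failed read still reaches the error log.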