On 10/08/2021 20:34, JEFFRY KILLEN wrote:
On Aug 10, 2021, at 11:30 AM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
On 10/08/2021 19:12, JEFFRY KILLEN wrote:
On Aug 10, 2021, at 10:19 AM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
On 10/08/2021 17:43, JEFFRY KILLEN wrote:
On Aug 10, 2021, at 12:12 AM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
On 10 August 2021 01:36:01 BST, JEFFRY KILLEN <jekillen@xxxxxxxxxxx> wrote:
Hello;
I have a web page I am developing.
It has images embedded in it.
The src attribute is ./?tag=guitar&type=img
The php code from the html file is:
<?php
// preliminary irrelevant code
require_once('php/imageServer.php');
if($_GET['tag'])
{
    //// file_put_contents('test.txt', "Hello?...img...");
    /*
    the following was working before I expanded it out to running code as written.
    it still should work.
    (new _IMG_SERV())->serv($_GET);
    */
    $_x = new _IMG_SERV();
    $_x->serv($_GET);
}
?>
the serv method in the class is
public function serv($_a)
{
    file_put_contents('test.txt', "Hello?...img...");
    switch($_a['type'])
    {
        case 'img':
            header('Content-Type: image/jpeg');
            imagedestroy(imagejpeg(imagecreatefromjpeg(self::$_imgDir.self::$_imgIndex[$_a['tag']])));
            break;
        case 'txt':
            if(file_exists(self::$_imgDir.self::$_txtIndex[$_a['tag']]['img']))
            {
                header('Content-Type: image/jpeg');
                imagedestroy(imagejpeg(imagecreatefromjpeg(self::$_txtIndex[$_a['tag']]['img'])));
            }
            else
            {
                /*
                create text image, save for future ref and serve
                */
            }
            break;
    }
}
This HAS all been working up to a point. BUT the serv function is now refusing to run.
There are no php, javascript or html related errors.
You will see 'file_put_contents('test.txt', "Hello?...img...");'
Because this is an async request for a resource I cannot use print or echo to sample
code progress. So I have strings written to a text file. The call to file_put_contents('test.txt', "Hello?...img...");
in the top of the serv method is not running. It IS running in the top of the get conditional in the index page
if I uncomment it.
Does anyone know why apache and/or php, and/or possibly the browser would fail to serve a resource
like this when it so far has been working most of the day today? I cannot see anything I have done wrong.
data:
MacOS High Sierra, apache on localhost
Thank you for time and attention;
JK
You say there are no errors, but presumably that just means none being displayed? Have you looked at the error logs?
Also, the imagedestroy calls here aren't really necessary, as you should be exiting immediately after outputting the image data.
I don't have my server set up to log errors. It is a dev server on local host.
I use Firefox as dev/test browser. It has dev tools, one of which is network.
The requests for image resources represented by the get queries are returning
200, ok. and the image is not displayed. Only the alt string is displayed.
However I did make some subtle changes just before the problem appeared. I am going to roll back those
changes and see what happens. The changes should not be invalid. It just amounts to when the php script
has a full version of resource path.
self::$_imgDir.self::$_imgIndex[$_a['tag']]
Where self::$_imgDir is a string representing the directory location
and self::$_imgIndex[$_a['tag']] is the file name.
I used to have the complete path/file name in self::$_imgIndex.
self::$_imgIndex is set with the contents of an external php script that is required by the class __construct method.
Thank you for time and attention
JK
Turn on error logs locally, they're absolutely essential for local development. There's also a pretty good case to turn on the display of errors locally too (which is different from error logging to a log file).
As for the image, you say you see the alt text, but you shouldn't see that if you're requesting only the image, as the alt attribute is part of the HTML, and you can't send mixed content via the same request with PHP that I'm aware of.
--
Ashley Sheridan
https://www.ashleysheridan.co.uk
I do get php error displayed locally. But not for async requests in the usual manner.
The alt attribute of the img tag is html. It is what is displayed if the image does
not arrive at the browser, as in case the server cannot find the file. Or in this
case the image is not being sent. The image is not being sent because the
serv method is being blocked from executing.
If the php interpreter is doing background security audits why did it take so
many test runs for it to decide the code was insecure or otherwise objectionable?
I did roll back the subtle changes mentioned in my earlier response with no improvement.
When I work with 'ajax' async requests often errors generated by php are included
in the response and are not displayed in lieu of the html. So logging would
capture these errors?
Thank you for your responses;
JK
I don't really understand what you mean by async requests. You're displaying an image with an `<img>` tag. Copy that URL into your browser to request _only_ the image. What does that show you?
I did mention that error logging and error display are two different things. One outputs to the browser, the other to a log file within the standard Apache/Nginx/IIS log area (or a specific directory if you've set up the site to do that). If you're outputting an image, and the error occurs _after_ you've sent the image content headers, the result will be garbage that your browser won't know how to display, so it will likely show nothing, which is why the log _file_ is most important here. I suspect that logging is still happening, as it's highly unusual for it to ever be disabled, and I don't know why anyone would ever want to.
The PHP interpreter is not doing security checks on your code. I believe that the point you've rolled back to is in fact not the last place it ran successfully. If in doubt, a versioning tool like Git is invaluable, as you can create branches and roll back to any arbitrary point you made a commit if you wish.
--
Ashley Sheridan
https://www.ashleysheridan.co.uk
'async' means that a request is sent outside of the main browser thread as I understand it. It is an option in the javascript XMLHttpRequest object.
In this case I am not using that.
When the browser sees a src attribute such as in a script tag or css reference, or an img src attribute it sends an async request. With an async request
the page does not reload.
I have successfully used get queries as src for script tags and for css style sheet files.
I have also run into situations similar to this that DID resolve to problems with my code.
You could call the use of file_put_contents a fast and dirty method of logging.
I have had web sites and hosting services and have looked at error logs that are kept on those
servers. But to tell the truth I don't know where the default logs are kept. I don't see any in the Apache
doc root dir, where I am doing all my local work.
By the way the php version being used on this machine is PHP Version 7.1.33.
In the browser dev tools, network section, the request sent for the img src is marked with response 200
but the actual request cycle end is 'waiting'. That indicates to me that the serv method is not executing
as it should. The lack of the string it is supposed to write to the test.txt file means that, as the very first
instruction, it is not being run.
As for security audits, I have had a situation where I was trying to use an 'ajax' async request to initiate
download scripts and they were being blocked. From a query to a forum, I got a response that it was
probably due to security concerns. I could not find anything wrong with my code.
It is probably best if I say what I am trying to do. I am trying to obscure resource locations for intellectual
property that might otherwise be copied and used without permission, such as photographs or other image
based graphics.
In this project I have an on/off toggle state for an image. In the off state the image is subject to copy. But
I still have the src set to the get query. In the on state, the img element is removed. It is a child element of
a div tag. The background style attribute of the div tag is set to the image with opacity set to about 50%.
So the page background tile is visible through the image. A screen shot of the image will include the shadow
background tile.
In the on state (protected) the image will not be included if the user uses 'Save' (web page complete) in the browser.
Later I planned on creating a watermark masking image.
But I can imagine the flood of objections and other ideas.
Thank you for responses.
JK
The browser initiating the image request on its own doesn't make a bit
of difference, you can make that same request by copying the URL in the
`<img>` tag and pasting that, especially as it's a GET request (POST,
etc are more involved, but not difficult, even in a browser).
You don't need to do `file_put_contents()` for logging. Firstly, that's
not true error logging and won't have things like a stack trace.
Secondly, it can result in the file being overwritten by whatever wrote
to it last unless you're setting the file to append mode, all of which
you get for free from the real logs that your web server writes. Some
browsers can make multiple hits to the same GET resource in order to
speed it up by requesting different parts. There's a lot to this that
makes it a bit more complex and hard to determine when this will happen,
but it's something I've seen happen before.
These logs go in `/var/log/apache2/` typically on a Linux system,
although the exact location will be listed if you run `phpinfo()` on the
site locally.
As for the security concerns, those won't be PHP. I would guess that you
ran into a CORS request, which typically gets blocked by browsers without
the right headers being set to allow such cross-domain requests.
Now you mentioned the PHP version, I've seen that sometimes a new
installation of PHP 7+ won't always enable the GD methods by default
(it's just an ini setting to allow that module as it's still installed).
This will also show up in the logs.
--
Ashley Sheridan
https://www.ashleysheridan.co.uk
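
The image endpoint with the advice from this thread applied, added here as an example and not code from either poster: errors go to the log rather than into the response, the tag is resolved only through the index, and the script exits once the image is sent. The names serveImage, $imgDir and $imgIndex, the images/ directory and the sample index are assumptions, and readfile() is used in place of the GD round trip.

```php
<?php
// Added example: serveImage(), $imgDir and $imgIndex are hypothetical names.
declare(strict_types=1);

// Errors go to the log file, never into the image byte stream.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Resolve a tag to a file through a fixed index and stream it.
 * Returns the HTTP status it sent so the caller can act on failures.
 */
function serveImage(array $query, string $imgDir, array $imgIndex): int
{
    $tag = $query['tag'] ?? null;

    // Only tags present in the index are served; the request never
    // supplies a path, so it cannot name files outside $imgDir.
    if (!is_string($tag) || !isset($imgIndex[$tag])) {
        // json_encode escapes newlines, so the tag cannot forge log lines.
        error_log('image server: unknown tag ' . json_encode($tag));
        http_response_code(404);
        return 404;
    }

    $path = rtrim($imgDir, '/') . '/' . $imgIndex[$tag];
    if (!is_file($path) || !is_readable($path)) {
        // Log the resolved path: a wrong directory prefix shows up here.
        error_log("image server: cannot read $path for tag $tag");
        http_response_code(500);
        return 500;
    }

    header('Content-Type: image/jpeg');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path); // an existing JPEG needs no GD decode/encode to be sent
    return 200;
}

// Constructed sample index; in the thread it comes from a required script.
$imgIndex = ['guitar' => 'guitar.jpg'];

if (PHP_SAPI !== 'cli' && isset($_GET['tag'])) {
    serveImage($_GET, __DIR__ . '/images', $imgIndex);
    exit; // stop here so no page HTML follows the image bytes
}
```

A 404 or 500 status in the browser's network panel, together with the matching line in the error log, separates an unknown tag from a path that resolves to a missing file.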