Gibbs, Liam - SXIA wrote:
please send replies to the list ...
I agree that there are risks - but I do think this can be done safely
Couldn't you just check the submitted URL and find out if it's a gif or jpeg? I don't think even PHP-enabled servers will run a gif or jpeg.
and you can't tell what type of file will be returned by the url
it is easy to set up a server to treat a file named foo.gif as a php file (or whatever)
even if you tested the url by attempting to download the file it would be easy to write a script that would return an innocent gif to requests originating from the web server's IP address - and anything else to the rest of the world.
I'm not sure what harm could be done by this though.
if a browser attempts to load an image referenced by an <img> tag - but finds an unsuitable type of data - I would expect it simply to ignore it...
but this would be worth testing.
--
Sean
--
PHP General Mailing List (http://www.php.net/)
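
An added example, not part of the original message or of any poster's code: one way to act on the point that a URL's name says nothing about what it returns is to classify the bytes actually fetched and keep a local copy under a name the application chooses. The function names, the `example.test` URLs and the sample bodies are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Leading-byte signatures for the two formats named in the thread.
const IMAGE_SIGNATURES = [
    'gif' => ["GIF87a", "GIF89a"],
    'jpg' => ["\xFF\xD8\xFF"],
];

/** Return 'gif' or 'jpg' based on the body's leading bytes, or null if neither. */
function sniffImageType(string $body): ?string
{
    foreach (IMAGE_SIGNATURES as $type => $prefixes) {
        foreach ($prefixes as $prefix) {
            if (strncmp($body, $prefix, strlen($prefix)) === 0) {
                return $type;
            }
        }
    }
    return null;
}

/**
 * Decide what to do with bytes already downloaded from a submitted URL.
 * Returns the local file name to store the copy under, or null to reject.
 * The name comes from the content hash and sniffed type, never from the URL.
 */
function localNameFor(string $body): ?string
{
    $type = sniffImageType($body);
    return $type === null ? null : hash('sha256', $body) . '.' . $type;
}

// Constructed samples: (submitted URL, bytes the server returned).
$samples = [
    ['http://example.test/foo.gif', "GIF89a\x01\x00\x01\x00\x80\x00\x00"],
    ['http://example.test/foo.gif', "<html><body>not an image</body></html>"],
    ['http://example.test/pic.php', "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"],
];

foreach ($samples as [$url, $body]) {
    // The URL is printed only for the reader; it plays no part in the decision.
    printf("%-28s => %s\n", $url, localNameFor($body) ?? 'rejected');
}
```

Serving the stored copy instead of linking to the remote URL means later visitors receive the same bytes that were checked, whatever the remote server chooses to return to them. A signature match only shows how the data begins, so re-encoding the image before storing it is the stricter check.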