Posted by OmegaJunior on 02/26/07 23:28
On Mon, 26 Feb 2007 13:29:36 +0100, shror <shahirwm@gmail.com> wrote:
>
> Thanks for your answer OmegaJunior,
>
> I have tried the first method and I made a little bit small change and it worked, but I want to know about it and the drawback.
>
> What I did is:
> <input type="radio" value="<img src="www.mydomain.com/directory/image.gif">" name="nature">
>
> and I call it in the second page gallery.php in this way:
> <?php
> $picture = $_POST['nature'];
> echo "$picture";
> ?>
>
> What do you think about this, is it the same having the same drawback or is it different? I am sorry if my question means nothing, but I am still a beginner in php, so I don't know how any person with ill intent could make it load any file at all.
Adding the entire <img> element into the radiobutton value is a creative idea, but unfortunately you'll get into trouble with the quotes and the html validity. Instead, you may want to try something like this in your form:
<input type="radio" value="sun" name="image">
and this in your form handler:
<?php
$picture = $_POST['image']; //will now contain 'sun'
echo '<img src="http://www.yourdomain.com/nature/'.$picture.'.jpg">';
?>
The security problem comes in when someone creates a form on their own server like so:
<form action="http://www.yourdomain.com/gallery.php" method="post">
<input type="radio" value="../veryhidden.txt" name="nature">
<input type="submit" value="OK">
</form>
That way they can have your gallery.php show the file 'veryhidden.txt' in the root directory of your site, unless you specifically test for the validity of the information passed to your gallery.php. Doesn't hurt if you don't have a 'veryhidden.txt' file, but you get the idea. Hackers will just guess some very common file names.
>
> -------------------------------------------------------------------
> About the second way,
>
> I don't know about the mime-type header!
>
> What is it, what is its use, and how do I set it?
>
It's just about being nice to the browser. Check out the 'header()' function on www.php.net. One of the ways to use it is like this:
header('content-type: image/jpg');
If used, it should be the first thing after <?php, and <?php should be the first thing in your php file.
By supplying this, you can tell the browser what kind of file to expect. Thus if you hand the browser an image you'd tell it to expect a mime-type of 'image/jpg', 'image/png', 'image/gif' or whatever image you're supplying. And if you hand the browser a web page you'd tell it to expect a mime-type of 'text/html'.
In your case, because you're going to be printing html containing an img element to the browser, you'd either supply a header like 'content-type: text/html', or none at all, because for php files the default content-type usually already is set to text/html.
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
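The post above describes the '../veryhidden.txt' problem but only says to "test for the validity" of the posted value. As an added example (not from either poster), this is what such a gallery.php handler could look like: the image name is checked against a fixed list of known images, the resolved path is confirmed to stay inside the image directory, and the value is encoded before it is printed into the <img> element. The directory, URL prefix and image names are assumed values.

```php
<?php
// Added example, not code from the original thread. Hardened form handler for
// the gallery.php case. IMAGE_DIR, IMAGE_URL and ALLOWED are assumed values.
declare(strict_types=1);

const IMAGE_DIR = '/var/www/html/nature';             // assumed filesystem location
const IMAGE_URL = 'http://www.yourdomain.com/nature';  // assumed public URL prefix
const ALLOWED   = ['sun', 'moon', 'forest'];           // constructed allowlist

/**
 * Return the public URL for a requested image, or null if the request is not
 * one of the known images. A value such as "../veryhidden.txt" is rejected at
 * step 1; step 2 would also catch it if the allowlist were ever loosened.
 */
function imageUrlFor(?string $requested): ?string
{
    // 1. Strict allowlist: only the names we put in our own form are accepted.
    if ($requested === null || !in_array($requested, ALLOWED, true)) {
        return null;
    }
    // 2. Path containment: the resolved file must live inside IMAGE_DIR.
    //    realpath() collapses any ".." segments and returns false if the file
    //    does not exist, so a missing or escaped path is refused as well.
    $path = realpath(IMAGE_DIR . '/' . $requested . '.jpg');
    $dir  = realpath(IMAGE_DIR);
    if ($path === false || $dir === false
        || strncmp($path, $dir . '/', strlen($dir) + 1) !== 0) {
        return null;
    }
    // 3. URL-encode the name so it cannot break out of the src attribute.
    return IMAGE_URL . '/' . rawurlencode($requested) . '.jpg';
}

// As the thread notes, header() must come before any output.
header('Content-Type: text/html; charset=UTF-8');

$url = imageUrlFor($_POST['image'] ?? null);
if ($url === null) {
    http_response_code(400);
    echo '<p>Unknown image.</p>';
    exit;
}
// htmlspecialchars() guards the attribute context even though the value is ours.
echo '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
```

The form on the first page keeps the same shape as in the reply (name="image", value="sun"); anything the handler does not recognise gets a 400 instead of a path.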