How do I get the name of the image without the extension at the end, e.g. (.jpg)? I got this code:

functions.php

function get_image($id="1") {
?>
    <img class="img-responsive img-portfolio img-hover" name="picture" src="images/gallery/<?= urldecode(base64_decode($id)); ?>" alt="">
<?php
}

pictures.php

<center>
    <form action="" method="POST">
        <div class="col-lg-12">
            <?php
                get_image($imageID); // $imageID is read from database
            ?>
        </div>
    </form>
</center>

Edited by Stefan_1


Sorry, my mistake: the variable $imageID is not taken from the database, it's the $_GET method from the URL, in another function:

function img($path) {
    $folder = "images/$path";
    $i = 0;
    if (is_dir($folder)) {
        if ($handle = opendir($folder)) {
            // Strict comparison: a file literally named "0" must not end the loop.
            while (($file = readdir($handle)) !== FALSE) {
                if ($file === "." || $file === ".." || $file === "index.html") { continue; }

                ?>
                    <div class="col-md-4 img-portfolio">
                        <a href="pictures.php?imageID=<?= base64_encode($file); ?>">
                            <img class="img-responsive img-hover" src="<?= $folder ?>/<?= $file ?>" style="width: 350px;
                            height: 350px;" alt="">
                        </a>
                    </div>
                <?php

            }
            closedir($handle);
        }
    }
}

and then passed in the pictures.php file as:
<?php $imageID = $_GET["imageID"]; ?>

Edited by Stefan_1

Hi! You can use pathinfo() or a directory iterator:

$ext = pathinfo($file)['extension'];

BUT right now the img() function can, potentially, allow access to the contents of any directory on the server by adding ../ to the variable. As an example, you can write the following and access /etc/:

pictures.php?imageID=images/../../../../etc

It depends on the position of the document root in the file system. You could use an integer and make sure it's valid, for example:

$imageID = filter_input(INPUT_GET, 'imageID', FILTER_VALIDATE_INT, ['options' => ['default' => NULL]]);

if(TRUE === is_null($imageID))
{
    # redirect or show 404
}

# continue if $imageID is valid

See also: https://www.owasp.org/index.php/Path_Traversal

Votes + Comments
thank you @cereal
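
An added example (not part of the thread or either poster's code) of the integer-ID approach suggested in the answer: the request value is only ever used as an index into the directory listing, so ../ sequences never reach a file system call, and pathinfo() with PATHINFO_FILENAME gives the name without the extension. The helper names gallery_files() and resolve_image() and the sample files are assumptions; in pictures.php the raw value would come from $_GET['imageID'] and $dir would be images/gallery.

```php
<?php
// Added example, not code from the thread. gallery_files() and resolve_image()
// are hypothetical helper names; images/gallery/ is the path from the question.

// List image files in $dir in a stable order so an integer can name a file.
function gallery_files(string $dir): array
{
    $files = [];
    foreach (new DirectoryIterator($dir) as $entry) {
        $ext = strtolower($entry->getExtension());
        // Skips ".", "..", sub-directories and non-image files such as index.html.
        if ($entry->isFile() && in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
            $files[] = $entry->getFilename();
        }
    }
    sort($files, SORT_STRING);
    return $files;
}

// Map a raw request value to a gallery file, or null if it is not a valid index.
function resolve_image(string $dir, $raw): ?array
{
    $files = gallery_files($dir);
    $id = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => count($files) - 1]]);
    if ($id === false) {
        return null; // caller redirects or sends a 404
    }
    return [
        'src'  => 'images/gallery/' . rawurlencode($files[$id]),
        'name' => pathinfo($files[$id], PATHINFO_FILENAME), // name without extension
    ];
}

// Constructed sample data so the script runs stand-alone from the CLI.
$dir = sys_get_temp_dir() . '/gallery_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (['beach.jpg', 'city night.png', 'index.html'] as $f) {
    touch("$dir/$f");
}
foreach (['1', '0', '7', '../../etc', 'beach.jpg'] as $raw) {
    $img = resolve_image($dir, $raw);
    echo str_pad($raw, 12), $img === null
        ? "rejected\n"
        : htmlspecialchars($img['name']) . ' -> ' . htmlspecialchars($img['src']) . "\n";
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Because the index depends on the sorted listing, links built by img() would need to use the same ordering when they emit the imageID.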