Member Avatar for Stefce

How do i get the name of the image without the extension at the end ex. (.jpg) i got this code

functions.php

function get_image($id="1") {
?>
    <img class="img-responsive img-portfolio img-hover" name="picture" src="images/gallery/<?= urldecode(base64_decode($id)); ?>" alt="">
<?php
}

pictures.php

<center>
    <form action="" method="POST">
        <div class="col-lg-12">
            <?php
                get_image($imageID); // $imageID is read from database
            ?>
        </div>
    </form>
</center>
Edited by Stefce
  • 2 Contributors
  • 2 Replies
  • 546 Views
  • 7 Hours Discussion Span
  • Latest Post Latest Post by cereal
Member Avatar for Stefce

Sorry my mistake the variable $imageID is not taken from database its $_GET Method from URL in another function:

function img($path) {
    $folder = "images/$path";
    $i = 0;
    if (is_dir($folder)) {
        if ($handle = opendir($folder)) {
            while (($file = readdir($handle)) != FALSE) {
                if ($file === "." || $file === ".." || $file === "index.html") { continue; }

                ?>
                    <div class="col-md-4 img-portfolio">
                        <a href="pictures.php?imageID=<?= base64_encode($file); ?>">
                            <img class="img-responsive img-hover" src="<?= $folder ?>/<?= $file ?>" style="width: 350px;
                            height: 350px;" alt="">
                        </a>
                    </div>
                <?php

            }
            closedir($handle);
        }
    }
}

and than passed in pictures.php file as
<?php $imageID = $_GET["imageID"]; ?>

Edited by Stefce
Member Avatar for cereal

Hi! You can use pathinfo() or a directory iterator:

$ext = pathinfo($file)['extension'];

BUT right now the img() function can, potentially, allow the access to the contents of any directory on the server, by adding ../ to the variable, as example you can write the following and access /etc/:

pictures.php?imageID=images/../../../../etc

It depends on the position of the document root in the file system. You could use an integer and make sure it's valid, for example:

$imageID = filter_input(INPUT_GET, 'imageID', FILTER_VALIDATE_INT, ['options' => ['default' => NULL]]);

if(TRUE === is_null($imageID))
{
    # redirect or show 404
}

# continue if $imageID is valid

See also: https://www.owasp.org/index.php/Path_Traversal

commented: thank you @cereal +2
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.