Author Topic: Passing filenames to a php script?  (Read 1706 times)


Offline Cienega32

  • Forecaster
  • *****
  • Posts: 2635
    • East Mesa Weather
Passing filenames to a php script?
« on: January 07, 2009, 12:39:03 AM »
I'm not sure if this area is only for the scripts provided in the sticky but ...

I'm fiddling around with a jpg resizing script that works fine with the in and out filenames assigned to variables within the script. The idea is to have it run when entering the webpage or upon a refresh. It takes a static-name/changing image fullsize jpg from one directory, thumbnails it and displays it in a different page. It works fine at this point; filenames hardcoded in the script.

What I'm trying to do is have the file names passed TO the script so I can use it anywhere for any jpg.

So far, I'm up to having the script work with:

"script.php?in=infilename&out=outfilename"

and the script processing it as:

$infile = $_GET["in"];
$outfile = $_GET["out"];


Everything processes fine and the desired results are there but I'm thinking that I would like to just use it as "script.php infilename outfilename" without the "?in=/&out=" stuff. I thought I could use $argv but apparently I haven't read enough about it to get it to work for me, which is how I ended up with the $GET thing which DOES work after some minimal reading.

I'm just wondering about how to simplify the command line?



Pat ~ Davis VP2 6153-Weatherlink-Weather Display-StartWatch-VirtualVP-Win7 Pro-64bit
www.LasCruces-Weather.com   www.EastMesaWeather.com

Offline saratogaWX

  • Administrator
  • Forecaster
  • *****
  • Posts: 9244
  • Saratoga, CA, USA Weather - free PHP scripts
    • Saratoga-Weather.org
Re: Passing filenames to a php script?
« Reply #1 on: January 07, 2009, 02:19:10 AM »
Oooh... this is not a safe idea to put on your website.

Any parameter from the URL invoking the script should be UNTRUSTED .. it's the way hackers get your script to execute an exploit on your website.  If you must pass a file parameter safely, then do it with a lookup of allowed filenames and associated allowed output filenames, and if it's not in your list, exit the script.

Something like
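Code:
<?php
// Untrusted value from the URL; anything missing or not a string becomes ''
$infile = (isset($_REQUEST['in']) && is_string($_REQUEST['in'])) ? $_REQUEST['in'] : '';

// Lookup of allowed input filenames and their associated output filenames
$allowedFiles = array(
    'file1.jpg'   => 'outfile1.jpg',
    'infile2.jpg' => 'outfile2.jpg',
    // ... etc
);

if (! isset($allowedFiles[$infile])) {
    // not on our list
    exit;
}
// the output name comes from the list, never from the URL
$outfile = $allowedFiles[$infile];

// do your stuff with a good $infile and $outfile
?>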

That way, your script can't be abused in ways that could compromise your website/webserver.

BTW.. if you're invoking the script from an URL, then the script.php?in=infilename.jpg method needs to be used.
Webservers don't have 'command lines' unless you're running the script as a shell script (part of a cron job?), in
which case the command should be
/usr/local/bin/php -q script.php infilename.jpg

and the script could use $_ARGS[1] instead of $_GET['in'], but it wouldn't work as an URL anymore.


Best regards,
Ken
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis VP1+ FARS, Blitzortung RED, GRLevel3, WD, WL, VWS, Cumulus, Meteobridge
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP
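
The lookup described in the reply above, extended so one script takes the name either from the query string or from a command-line argument; this is an added example, not code from the thread, and `requestedName`, `resolveJob` and the sample names are hypothetical.

```php
<?php
// Added example, not code from the thread; file names are constructed.
// Allowed input names mapped to the one output name each may produce.
$allowedFiles = array(
    'file1.jpg'   => 'outfile1.jpg',
    'infile2.jpg' => 'outfile2.jpg',
);

// Untrusted name from argv[1] (cron/shell run) or ?in= (web request).
function requestedName()
{
    if (PHP_SAPI === 'cli') {
        return isset($_SERVER['argv'][1]) ? $_SERVER['argv'][1] : null;
    }
    return isset($_GET['in']) ? $_GET['in'] : null;
}

// Returns array(infile, outfile) for a listed name, otherwise null.
// $requested is only ever used as a lookup key, never as a path.
function resolveJob($requested, array $allowed)
{
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return null;
    }
    return array($requested, $allowed[$requested]);
}

$name = requestedName();
if ($name === null && PHP_SAPI === 'cli') {
    // No argument given: show the lookup on constructed inputs.
    $samples = array('file1.jpg', 'FILE1.JPG', '../file1.jpg',
                     'file1.jpg.php', array('file1.jpg'));
    foreach ($samples as $s) {
        $job = resolveJob($s, $allowedFiles);
        printf("%-18s %s\n", json_encode($s, JSON_UNESCAPED_SLASHES),
               $job ? 'allowed -> ' . $job[1] : 'rejected');
    }
    exit(0);
}

$job = resolveJob($name, $allowedFiles);
if ($job === null) {
    exit(1); // not on the list: stop before any file is touched
}
list($infile, $outfile) = $job;
// ... resize $infile into $outfile here; both names now come from the list
```

Run with no argument from a shell, it prints the verdict for each constructed input; only the exact, case-sensitive key `file1.jpg` passes.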

Offline Cienega32

  • Forecaster
  • *****
  • Posts: 2635
    • East Mesa Weather
Re: Passing filenames to a php script?
« Reply #2 on: January 07, 2009, 05:40:21 AM »
Thanks Ken! I just put in your NOAA reports script the other day - love it.

I had that concern with the $argv. I think I concluded that allowing that array was something that needed to be told to turn on at the server (just guessing as it didn't work out of the box for me) and if so, it might be better off, being it seemed anything could be passed.

With the GET, it seemed a better idea (read as 'easier') but still allowing anything even with coding the file extension in the script. Your suggestion makes solid sense to me; giving a list of "OK parameters" that can be expanded when needed AND already knowing the outfile name while only running one script.

Right now, it just returns the "outfile" (a thumbnail) to a "<img src="  tag in the HTML. The filenames are not user inputted but rather part of the html code. The idea was to not update the "outfile" unless it was being looked at and to avoid doing them (all whopping 3 of them :roll:...) all at once; trying to be efficient. The infile (fullsize jpeg) is always uploaded/updated but I figured, with the little traffic I have, it would reduce some overhead by only running the needed jpeg when needed.

Then, of course, I acknowledged that different pages might have different "outfile" thumbnails and wanted to reduce the typing/typos/simplify the usage. I think your suggestion hits it for me - thanks. I'll play with it tomorrow.




PHP is still a foggy learning process for these impatient old brain cells, as must be obvious, but I am having some fun with the simple stuff. BUT the ability for El Diablo to manipulate a scenario because of open, passed parameters caused me to ask so I must be learning something...  :idea:

Pat ~ Davis VP2 6153-Weatherlink-Weather Display-StartWatch-VirtualVP-Win7 Pro-64bit
www.LasCruces-Weather.com   www.EastMesaWeather.com

 
