it does output both the filename and the filesize correctly, indicating that PHP is working on my server.
What are we doing wrong? Is something not configured correctly? The directory structure of my site is: root > html > gallery. The x.jpg file is in the gallery directory.
At a guess, $filename doesn’t point to an existing or accessible file. Print out $filename to see what it contains, and check the file/directory permissions.
But we have to know where it’s getting the $filename variable from…
I don’t know if your developer is willing, but can you copy/paste the content of said script to www.pastebin.com and either post the URL here or even, if the script is ENORMOUS, post the content of the script here…
It’s impossible to debug from snippets of code for the most part.
What you are trying to do, only works when register_globals is on. According to your phpinfo(), it’s off. It should be, because register_globals opens up entire categories of security problems.
With register_globals off, you can access the variables from the GET request like this: $_GET['filename'].
On your own server, register_globals is apparently enabled. You should turn it off ASAP, if at all possible, unless you are very certain that all of your PHP applications have been very carefully written to correctly deal with implicit globals.
If the code in the OP is all the code, you should note that because of security issues, newer PHP installations don’t automatically create variables from query parameters by default (i.e. page.php?stuff=value does not create a $stuff variable)
You’d need something like
$filename = $_GET['filename'];
to set the $filename variable and proceed from there.
By the way, speaking about security, allowing callers to supply filenames to your PHP script through GET request is another very, very bad practice. Now, as long as filesize is the only function you call on it, the risks shouldn’t be too great, but as soon as you do more than that you’d better check your input very, very carefully.
OK. That’s all that this script will be used for, so far as I know.
So, please spell this out for me.
What’s the complete correct code so that the original script
echoes the filesize of the file x.jpg when the following request is made:
…/gallery/fs.php?x.jpg
Or what if I were to turn global_registers on. Is this a really bad idea? Even if it is, how would I do so? Where do I find the php.ini file, and how do I access it?
It’s always best to do one of the following things for security;
Set a fixed folder where files will go, make sure the script won’t look outside of that folder.
IE:
/images/photos > Make sure it can never look outside of the /images/photos folder (make sure people can’t issue …/… or ./, etc.).
Have a script go through and create an index of all the available files and put those into an array, make sure the script only uses the array of available images for that information - you can even hide the filename by referencing it with the array key.
IE:
$imgarray = array("abc123.jpg", "xyz321");
Someone asks for the first image, they would see this in the url:
?image=0 (the script would then return the first image, abc123.jpg).
Many things you can do to make your scripts highly secure, and they require very little effort either way.
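Both approaches from the post above, the fixed folder and the index of available files, sketched as an added example that is not part of the original thread. The GALLERY_DIR location, the function names and the ?image= parameter handling are assumptions made for illustration.

```php
<?php
// Added example. GALLERY_DIR and the function names are assumptions.
const GALLERY_DIR = __DIR__ . '/images/photos';

// Approach 1: take a name from the caller, but never leave the fixed folder.
function confined_filesize(string $name, string $baseDir = GALLERY_DIR): ?int
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory part; realpath() resolves symlinks and
    // returns false for files that do not exist.
    $path   = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    $prefix = $base . DIRECTORY_SEPARATOR;
    // basename('..') is still '..', so the resolved path must be re-checked.
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    $size = filesize($path);
    return $size === false ? null : $size;
}

// Approach 2: the caller only sends an array key (?image=0); file names
// never appear in the request.
function indexed_filesize(string $key, string $baseDir = GALLERY_DIR): ?int
{
    $files = glob($baseDir . '/*.jpg') ?: [];
    sort($files);                       // fixed order so keys stay meaningful
    if (!ctype_digit($key) || !isset($files[(int) $key])) {
        return null;
    }
    return confined_filesize($files[(int) $key], $baseDir);
}

if (PHP_SAPI !== 'cli') {
    $key  = $_GET['image'] ?? null;
    $size = is_string($key) ? indexed_filesize($key) : null;
    if ($size === null) {
        http_response_code(404);        // same answer for every rejected input
        exit;
    }
    header('Content-Type: text/plain');
    echo $size;
}
```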
Basically, to clarify, this is what’s going on (so far as I know):
My Flash programmer from Hungary needed to use PHP to check file sizes, in order to create progress bars for loading images. Simple enough. The code worked on his website, but not on mine. I suppose he must have an older version of PHP which defaults to register_globals on. So, as the web site runs now, the progress bars are useless and don’t tell you any correct information.
Notice the difference between how the progress bars on the bottom of the picture work here:
On a UNIX-like machine (e.g. FreeBSD or Linux), the php.ini file is typically located in the /etc directory. On Windows, I believe it’s usually \Windows\System32. Also, depending on your Apache setup, placing a php.ini file in the root directory of your webserver’s content directory (e.g. /var/www or C:\inetinfo\wwwroot) may also work.
Either way, the following script should work no matter what register_globals is set to: