07-10-2008, 04:45 AM
|
#1 (permalink)
| | Recruit
Join Date: Jul 2008
Posts: 13
| Alternative to allow_url_fopen = YES

Hi there,
I have recently moved my old site to a new server and made a few changes, however this server does not have allow_url_fopen turned ON due to the security risks so I was hoping someone could advise me of an alternative (to the new standard) as I'm unsure how to modify my old working script. It's to upload a new product, e.g. name, description and images.
I am using this code on a PHP Version 5.2.4 server to upload images:
PHP Code:
//image one
//code in image path
$filepath1='httpdocs/test/php/img/';
$filepath1 .=$_REQUEST['picture1'];
//handle code for first image
$isize=filesize($filepath1);
$hndl=fopen($filepath1,"rb");
//Display error message if no file is uploaded
if (!$hndl) { echo "Cannot open file"; }
//Add image data to variable for inserting
$imgdata="";
while(!feof($hndl)){
    $imgdata.=fread($hndl,$isize);
};
$imgdata=addslashes($imgdata);
//insert new product details into the product table
$sql = "INSERT INTO product SET ... etc ... ProductImageSmall = '". $imgdata ."',
$result = @mysql_query($sql);

And I get these errors cause allow_url_fopen is off, and I don't want to turn it on since I will need to have it secure for customers etc.
HTML Code:
Notice: Undefined index: description in /usr/.../productupload.php on line 198
Warning: filesize() [function.filesize]: stat failed for httpdocs/test/php/img/71411019_full.jpg in /usr/.../productupload.php on line 277
Warning: fopen(httpdocs/test/php/img/71411019_full.jpg) [function.fopen]: failed to open stream: No such file or directory in /usr/.../productupload.php on line 278
Cannot open file
Warning: feof(): supplied argument is not a valid stream resource in /usr/.../productupload.php on line 284
Warning: fread(): supplied argument is not a valid stream resource in /usr/.../productupload.php on line 285

Do I need to provide any more information? Any help is appreciated!!!!! |
| |
07-10-2008, 09:21 AM
|
#2 (permalink)
| | Moderator
Join Date: May 2002 Location: us.ca
Posts: 4,532
| if there is an alternative, wouldn't that make turning off allow_url_fopen pointless?
that said, i think curl would do the trick.
__________________ Mike |
| |
07-10-2008, 03:30 PM
|
#3 (permalink)
| | Recruit
Join Date: Jul 2008
Posts: 13
| By alternative I mean that I want allow_url_fopen to remain as NO and not turn it on... as it's apparently the old way to do it and is a security risk.
I don't quite understand what you mean by pointless comment, maybe you misunderstood my objective?
I will take a look at curl and give it a go, thanks.
Do you know any other way to upload an image into a database? That would work on my php version, doesn't require me to change the php.ini file and is secure? |
| |
07-10-2008, 03:48 PM
|
#4 (permalink)
| | Recruit
Join Date: Jul 2008
Posts: 13
| Hi
I just looked at curl, the examples show it using fopen.
I don't think I can use fopen because that requires 'allow_url_fopen = ON'
And my new hosting server advised me they could turn it on in the php file but they said it would pose a security risk.
So I am after another way to upload an image into the database that doesn't require anything that needs allow_url_fopen = ON
Does that make sense? Sorry if it doesn't.
I thought there may be a new way to upload an image that is secure for PHP Version 5.2.4
So I can re-write the original code I have on my first post. |
| |
07-10-2008, 04:54 PM
|
#5 (permalink)
| | Moderator
Join Date: May 2002 Location: us.ca
Posts: 4,532
| here's an example i found.
PHP Code:
function get_web_page( $url )
{
    $options = array(
        CURLOPT_RETURNTRANSFER => true,     // return web page
        CURLOPT_HEADER         => false,    // don't return headers
        CURLOPT_FOLLOWLOCATION => true,     // follow redirects
        CURLOPT_ENCODING       => "",       // handle all encodings
        CURLOPT_USERAGENT      => "spider", // who am i
        CURLOPT_AUTOREFERER    => true,     // set referer on redirect
        CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
        CURLOPT_TIMEOUT        => 120,      // timeout on response
        CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
    );

    $ch      = curl_init( $url );
    curl_setopt_array( $ch, $options );
    $content = curl_exec( $ch );
    $err     = curl_errno( $ch );
    $errmsg  = curl_error( $ch );
    $header  = curl_getinfo( $ch );
    curl_close( $ch );

    $header['errno']   = $err;
    $header['errmsg']  = $errmsg;
    $header['content'] = $content;
    return $header;
}

i'm curious if that works. let me know. i've never tested curl with allow_url_fopen=off
__________________ Mike |
| |
07-10-2008, 10:52 PM
|
#6 (permalink)
| | Regular Contributor
Join Date: Oct 2004
Posts: 228
| subquestion in this thread. are you storing an image into a mysql table? if so i had no one could do that |
| |
07-11-2008, 05:17 AM
|
#7 (permalink)
| | Recruit
Join Date: Jul 2008
Posts: 13
| Hi Mike (sde)
Thanks for that example, I had a read through it and am at a loss to see which part of it uploads the image into the database.
My previous code does this I just don't want to use fopen (for security reasons).
However I am currently researching how to upload an image to the images directory in the file manager so maybe that way will work without using fopen?
Sorry for my newbness. |
| |
07-11-2008, 05:30 AM
|
#8 (permalink)
| | Recruit
Join Date: Jul 2008
Posts: 13
| P.S
I thought it would need to be in the database so that I can use it when I do a query to display all * from products etc. |
| |
07-11-2008, 07:14 AM
|
#9 (permalink)
| | Recruit
Join Date: Jul 2008
Posts: 13
| Sorry, going to add to this again...
I can use fopen, if it works with allow_url_fopen = NO
I modified my script to:
PHP Code:
$imgdata2 = addslashes(fread(fopen($_FILES['file']['tmp_name'], "r"), $_FILES['file']['size']));

It enters in the product text, but still doesn't upload the images. |
| |
07-11-2008, 09:11 AM
|
#10 (permalink)
| | Moderator
Join Date: May 2002 Location: us.ca
Posts: 4,532
| PHP Code:
<?php
$header=get_web_page('http://example.com/someimage.jpg');
$imgdata = imagecreatefromstring ($header['content']);
// insert here
?>

if that doesn't work, i'm not sure without trying it myself.
__________________ Mike |
| |
07-11-2008, 09:19 AM
|
#11 (permalink)
| | Moderator
Join Date: May 2002 Location: us.ca
Posts: 4,532
| hmm .. you probably don't even need the imagecreatefromstring() in there. just insert $header['content']
PHP Code:
<?php
$header=get_web_page('http://example.com/someimage.jpg');
$imgdata = $header['content'];
// insert here
?>
__________________ Mike |
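
A restricted version of the curl fetch discussed above, as an added example that is not code from the thread: allow_url_fopen only governs PHP's URL stream wrappers, so a curl-based fetch needs its own limits. The allow-listed host, the size cap and the function names are assumptions, and the code targets PHP 7.4 or later rather than the thread's 5.2.4.

```php
<?php
// Added example, not code from the thread. ALLOWED_HOSTS and MAX_BYTES are
// assumed values; url_is_allowed() and fetch_image() are hypothetical names.

const ALLOWED_HOSTS = ['images.example.com']; // hypothetical trusted source
const MAX_BYTES     = 2097152;                // 2 MiB cap

/** True only for http(s) URLs whose host is on the allow-list. */
function url_is_allowed(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    return in_array(strtolower($p['scheme']), ['http', 'https'], true)
        && in_array(strtolower($p['host']), ALLOWED_HOSTS, true);
}

function fetch_image(string $url): string
{
    if (!url_is_allowed($url)) {
        throw new InvalidArgumentException('URL not allowed');
    }
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file:// etc.
        CURLOPT_FOLLOWLOCATION => false, // a redirect could leave the allow-list
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        // Returning a short count makes curl abort once the cap is exceeded.
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body) {
            if (strlen($body) + strlen($chunk) > MAX_BYTES) {
                return 0;
            }
            $body .= $chunk;
            return strlen($chunk);
        },
    ]);
    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err    = curl_error($ch);
    if ($ok === false || $status !== 200) {
        throw new RuntimeException("fetch failed: $err (HTTP $status)");
    }
    return $body;
}
```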
| |
07-15-2008, 03:36 AM
|
#12 (permalink)
| | Recruit
Join Date: Jul 2008
Posts: 13
| Quote:
Originally Posted by sde
hmm .. you probably don't even need the imagecreatefromstring() in there. just insert $header['content']
PHP Code:
<?php
$header=get_web_page('http://example.com/someimage.jpg');
$imgdata = $header['content'];
// insert here
?>

Ok so I have tried this code, now I'm a little confused at why it has certain arguments to upload an image (selected off my computer).
1. Why is example.com there if I am selecting it from my computer? Do I change this to c:\foldername\ etc, I don't want to hardcode in an image name as I need to upload new products and their images dynamically.
2. What is 'content' substituting for
3. get_web_page is a function I am meant to be calling yes, I don't want to put in anything like PHP SELF etc as it's already inside the function
What scripts do other people use to upload an image into the database?
And if you don't do that, what do you do? Upload a path into the database that points to an image folder? If I do this do I have to change all my query statements when displaying certain category records for the product table?
Thanks for your patience, I'm sure this must seem straightforward to most of you but I'm lost at how this code handles a BLOB upload. |
| |
07-15-2008, 09:34 AM
|
#13 (permalink)
| | Senior Contributor
Join Date: Mar 2005
Posts: 742
| Quote:
Originally Posted by bufster007
By alternative I mean that I want allow_url_fopen to remain as NO and not turn it on... as it's apparently the old way to do it and is a security risk.
I don't quite understand what you mean by pointless comment, maybe you misunderstood my objective?

There is a way to make allow_url_fopen=off pointless. I wrote it here in an old topic.
In that topic I explain how to do it using fsockopen and overwriting the internal http wrapper.
Since you want your script to work with it turned off you can use parts of my idea by just using fsockopen() just without the http wrapper overwrite.
Examples are also available on PHP: fsockopen - Manual
To put data in a blob is easy.
PHP Code:
if ($http) {
    // fsockopen() stuff
    $fp = fsockopen();
} else {
    $fp = fopen();
}
$data = fread($fp);
$data = sql_real_escape_string($data);
query("INSERT INTO table (blob_field) VALUES ($data)");
__________________ 
UT: Ultra-kill... God like! |
| |
07-15-2008, 11:33 AM
|
#14 (permalink)
| | Moderator
Join Date: May 2002 Location: us.ca
Posts: 4,532
| bufster: if the file is coming from your computer, then you're approaching this all wrong. you would need to be looking into 'uploading' files to your server.
that process has absolutely nothing to do with allow_url_fopen at all.
good idea DJM.. i didn't think about sockets
__________________ Mike |
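
The upload route mentioned in the post above, as an added example that is not code from the thread: it reads the file from `$_FILES` (which works with allow_url_fopen off), checks it, and stores it in the BLOB column through a bound parameter instead of addslashes(). The `picture1` file input, the `ProductName` column, the size cap, the function names and the `$pdo` connection are assumptions, and the code targets PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread. "product" and "ProductImageSmall"
// are the thread's names; the "picture1" file input, the ProductName column,
// the size cap and the $pdo connection are assumptions.

const MAX_IMAGE_BYTES = 2097152; // 2 MiB, assumed limit
const ALLOWED_TYPES   = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

/** Validate one $_FILES entry and return the image bytes, or throw. */
function read_uploaded_image(array $file): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed, error code $error");
    }
    // Accept only the temp file PHP created for this request, never a path
    // built from client input.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_IMAGE_BYTES) {
        throw new RuntimeException('empty or oversized file');
    }
    // Inspect the content; the client-sent $file['type'] proves nothing.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], ALLOWED_TYPES, true)) {
        throw new RuntimeException('not a JPEG, PNG or GIF');
    }
    $bytes = file_get_contents($file['tmp_name']); // local read, no URL wrapper
    if ($bytes === false) {
        throw new RuntimeException('cannot read upload');
    }
    return $bytes;
}

/** Store the bytes in the BLOB column through a bound parameter. */
function insert_product_image(PDO $pdo, string $name, string $bytes): void
{
    $stmt = $pdo->prepare('INSERT INTO product (ProductName, ProductImageSmall) VALUES (?, ?)');
    $stmt->bindValue(1, $name, PDO::PARAM_STR);
    $stmt->bindValue(2, $bytes, PDO::PARAM_LOB);
    $stmt->execute();
}

// Request handling; does nothing unless a file was posted and $pdo is open.
if (isset($_FILES['picture1'], $pdo)) {
    insert_product_image($pdo, (string)($_POST['name'] ?? ''), read_uploaded_image($_FILES['picture1']));
}
```

The form that posts to this script needs `enctype="multipart/form-data"` and an `<input type="file" name="picture1">`; without them `$_FILES` stays empty.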
| |
08-26-2008, 05:07 AM
|
#15 (permalink)
| | Recruit
Join Date: Jul 2008
Posts: 13
| Hi,
I have tried DJM's suggestion... thought it may be easier than starting from the beginning if I have to change how all my other product queries are called but am beginning to think I may need to do it the "normal" way and "upload" files to the server, instead of database. I'm okay with that, uploading to the server that is, it's just the code that's eluding me.
Anyhoo, back to the different way, using sockets. Have entered this code:
PHP Code:
$fp = fsockopen("www.SITENAME.co.nz", 80, $errno, $errstr, 30);
//upload1
$data = $_REQUEST['picture1'];
$data = fread($fp);
$data = mysql_escape_string($data);
//upload2
$data2 = $_REQUEST['picture2'];
$data2 = fread($fp);
$data2 = mysql_escape_string($data2);

with errors:
HTML Code:
Warning: Wrong parameter count for fread() in /usr/local/www/vhosts/.../productupload.php on line 311
Warning: Wrong parameter count for fread() in /usr/local/www/vhosts/.../productupload.php on line 317

Am going to see if I can find some examples to upload the normal way as you mentioned SDE, as it's currently still uploading the text but not blobs. As long as it doesn't require 'allow_url_fopen = ON'
Thanks again. |
All times are GMT -8.