andrew30
asked on
Problems with adding text to image
I have a peice of code that adds some text to images on-the-fly for my image galleries. It works perfectly in normal instances. However when I pass a filename to my function that contains a ' (single quote) character the function does not return the new image with the text on - it doesn't return anything and I get an image not found box in my browser. It doesn't matter where in the filename the ' is (whether it be in a directory path or the filename itself).
I've tried escaping the ' and I've tried doubling the ' to '' but neither seem to work.
I'm running Suse Linux 8.1, Apache 1.3.27, php 4.3.0 compiled with in-built GD library and Mysql 3.23.55.
Here are the relevant code snippets:
It is called like this from my showphoto.php script
print "<img src=\"/includes/addtext.ph
where
img = image name (including path)
txt = text to show
loc = location of text
col = colour of text
$myrow is an array with results from a db query in it.
and here is addtext.php
<?php
$image = "./".$_GET["img"];
$txt = $_GET["txt"];
$pos = $_GET["loc"];
$col = $_GET["col"];
// Strip out any html tags from the txt text string (remove any hrefs or email links)
$txt = preg_replace("/<\/?\w+[^>]
$fnt = 2;
$pos = strtolower($pos);
$col = strtolower($col);
$src_img = ImageCreateFromJpeg($image
$img_x = ImageSX($src_img);
$img_y = ImageSY($src_img);
$white = ImageColorAllocate($src_im
$black = ImageColorAllocate($src_im
$font_w = imagefontwidth($fnt);
$font_h = imagefontheight($fnt);
$slen = strlen($txt);
$ad_text = "our web site";
$ad_len = strlen($ad_text);
switch ($col) {
case 'white':
case 'wh':
case 'w':
$txt_col = $white;
break;
case 'black':
case 'bl':
case 'b':
$txt_col = $black;
break;
default:
$txt_col = $black;
}
switch ($pos) {
case 'bl':
$str_x_pos = 5;
$ad_str_x_pos = 5;
$str_y_pos = ($img_y - (20 + $font_h));
break;
case 'br':
$str_x_pos = ($img_x - (($slen * $font_w) +5));
$ad_str_x_pos = ($img_x - (($ad_len * $font_w) +5));
$str_y_pos = ($img_y - (20 + $font_h));
break;
case 'tl':
$str_x_pos = 5;
$ad_str_x_pos = 5;
$str_y_pos = 5;
break;
case 'tr':
$str_x_pos = ($img_x - (($slen * $font_w) +5));
$ad_str_x_pos = ($img_x - (($ad_len * $font_w) +5));
$str_y_pos = 5;
break;
default:
$str_x_pos = 5;
$str_y_pos = ($img_y - (5 + $font_h));
}
imagestring($src_img, $fnt, $str_x_pos, $str_y_pos, $txt, $txt_col);
imagestring($src_img, $fnt, $ad_str_x_pos, $str_y_pos+15, $ad_text, $txt_col);
ImageJpeg($src_img,'',100)
ImageDestroy($src_img);
return(1);
?>
So, does anyone have any ideas how to make this code work with filenames that have single quotes in them? (Remember it works perfectly with filenames that don't have ' in them)
Thanks
Andrew
I've tried escaping the ' and I've tried doubling the ' to '' but neither seem to work.
I'm running Suse Linux 8.1, Apache 1.3.27, php 4.3.0 compiled with in-built GD library and Mysql 3.23.55.
Here are the relevant code snippets:
It is called like this from my showphoto.php script
print "<img src=\"/includes/addtext.ph
where
img = image name (including path)
txt = text to show
loc = location of text
col = colour of text
$myrow is an array with results from a db query in it.
and here is addtext.php
<?php
$image = "./".$_GET["img"];
$txt = $_GET["txt"];
$pos = $_GET["loc"];
$col = $_GET["col"];
// Strip out any html tags from the txt text string (remove any hrefs or email links)
$txt = preg_replace("/<\/?\w+[^>]
$fnt = 2;
$pos = strtolower($pos);
$col = strtolower($col);
$src_img = ImageCreateFromJpeg($image
$img_x = ImageSX($src_img);
$img_y = ImageSY($src_img);
$white = ImageColorAllocate($src_im
$black = ImageColorAllocate($src_im
$font_w = imagefontwidth($fnt);
$font_h = imagefontheight($fnt);
$slen = strlen($txt);
$ad_text = "our web site";
$ad_len = strlen($ad_text);
switch ($col) {
case 'white':
case 'wh':
case 'w':
$txt_col = $white;
break;
case 'black':
case 'bl':
case 'b':
$txt_col = $black;
break;
default:
$txt_col = $black;
}
switch ($pos) {
case 'bl':
$str_x_pos = 5;
$ad_str_x_pos = 5;
$str_y_pos = ($img_y - (20 + $font_h));
break;
case 'br':
$str_x_pos = ($img_x - (($slen * $font_w) +5));
$ad_str_x_pos = ($img_x - (($ad_len * $font_w) +5));
$str_y_pos = ($img_y - (20 + $font_h));
break;
case 'tl':
$str_x_pos = 5;
$ad_str_x_pos = 5;
$str_y_pos = 5;
break;
case 'tr':
$str_x_pos = ($img_x - (($slen * $font_w) +5));
$ad_str_x_pos = ($img_x - (($ad_len * $font_w) +5));
$str_y_pos = 5;
break;
default:
$str_x_pos = 5;
$str_y_pos = ($img_y - (5 + $font_h));
}
imagestring($src_img, $fnt, $str_x_pos, $str_y_pos, $txt, $txt_col);
imagestring($src_img, $fnt, $ad_str_x_pos, $str_y_pos+15, $ad_text, $txt_col);
ImageJpeg($src_img,'',100)
ImageDestroy($src_img);
return(1);
?>
So, does anyone have any ideas how to make this code work with filenames that have single quotes in them? (Remember it works perfectly with filenames that don't have ' in them)
Thanks
Andrew
could you comment out the ereg_replace() call and give it a try ?
ASKER
I've commented out the preg_replace near the top of addtext.php (if that's what you meant) and it made no difference.
ASKER
VGR,
Since it seems to be linked to the filename, do you think there could be an issue with the ImageCreateFromJpeg function?
BTW Thank you for helping me.
Since it seems to be linked to the filename, do you think there could be an issue with the ImageCreateFromJpeg function?
BTW Thank you for helping me.
could be. Cold you echo somewhere (file, screen, DB) the $image value received in the function via $_GET[] ?
ASKER
Ok, wrote the $image value out to a file, for the image ../photos/blenheim/'r3281'
the result is
../photos/blenheim/\\\'r32
Having seen this (and thinking that there may be a few to many slashes there!) I tried removing the addslashes from the print statement used to call the addtext function and I get the result now
../photos/blenheim/\'r3281
but still no image.
FIXED!
I have removed the addslashes and the urlencode from around the $myrow["url"] in the print statement in showphoto.php and added $image = str_replace("\'","'",$imag
and it now shows them perfectly!
But does the fact that I'm not urlencoding and adding slashes now give me a security problem? - anyone could pass a string via the img parameter that I will automatically try and create an image from.
Many thanks for your assistance VGR
the result is
../photos/blenheim/\\\'r32
Having seen this (and thinking that there may be a few to many slashes there!) I tried removing the addslashes from the print statement used to call the addtext function and I get the result now
../photos/blenheim/\'r3281
but still no image.
FIXED!
I have removed the addslashes and the urlencode from around the $myrow["url"] in the print statement in showphoto.php and added $image = str_replace("\'","'",$imag
and it now shows them perfectly!
But does the fact that I'm not urlencoding and adding slashes now give me a security problem? - anyone could pass a string via the img parameter that I will automatically try and create an image from.
Many thanks for your assistance VGR
ASKER
Ok, wrote the $image value out to a file, for the image ../photos/blenheim/'r3281'
the result is
../photos/blenheim/\\\'r32
Having seen this (and thinking that there may be a few to many slashes there!) I tried removing the addslashes from the print statement used to call the addtext function and I get the result now
../photos/blenheim/\'r3281
but still no image.
FIXED!
I have removed the addslashes and the urlencode from around the $myrow["url"] in the print statement in showphoto.php and added $image = str_replace("\'","'",$imag
and it now shows them perfectly!
But does the fact that I'm not urlencoding and adding slashes now give me a security problem? - anyone could pass a string via the img parameter that I will automatically try and create an image from.
Many thanks for your assistance VGR
the result is
../photos/blenheim/\\\'r32
Having seen this (and thinking that there may be a few to many slashes there!) I tried removing the addslashes from the print statement used to call the addtext function and I get the result now
../photos/blenheim/\'r3281
but still no image.
FIXED!
I have removed the addslashes and the urlencode from around the $myrow["url"] in the print statement in showphoto.php and added $image = str_replace("\'","'",$imag
and it now shows them perfectly!
But does the fact that I'm not urlencoding and adding slashes now give me a security problem? - anyone could pass a string via the img parameter that I will automatically try and create an image from.
Many thanks for your assistance VGR
And to think, I was just about to say:
$txt = strip_slashes(preg_replace
That would fix the problem.
-Jackson
$txt = strip_slashes(preg_replace
That would fix the problem.
-Jackson
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
PAQ with points refunded
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
snoyes_jw
EE Cleanup Volunteer
I will leave the following recommendation for this question in the Cleanup topic area:
PAQ with points refunded
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
snoyes_jw
EE Cleanup Volunteer
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.