?
Solved

Problems with adding text to image

Posted on 2003-03-26
9
Medium Priority
?
183 Views
Last Modified: 2010-08-05
I have a peice of code that adds some text to images on-the-fly for my image galleries. It works perfectly in normal instances. However when I pass a filename to my function that contains a  ' (single quote) character the function does not return the new image with the text on - it doesn't return anything and I get an image not found box in my browser. It doesn't matter where in the filename the ' is (whether it be in a directory path or the filename itself).

I've tried escaping the ' and I've tried doubling the ' to '' but neither seem to work.

I'm running Suse Linux 8.1, Apache 1.3.27, php 4.3.0 compiled with in-built GD library and Mysql 3.23.55.

Here are the relevant code snippets:

It is called like this from my showphoto.php script

print "<img src=\"/includes/addtext.php?img=../photos/".urlencode(addslashes($myrow["url"]))."&txt=".urlencode("Copyright ".$myrow["taken_by"])."&loc=".$loc."&col=".$col."\" alt=\"".$myrow["alt_text"]."\">";

where
img = image name (including path)
txt = text to show
loc = location of text
col = colour of text
$myrow is an array with results from a db query in it.

and here is addtext.php
<?php
     $image = "./".$_GET["img"];
     
     $txt = $_GET["txt"];
     $pos = $_GET["loc"];
     $col = $_GET["col"];
     
     // Strip out any html tags from the txt text string (remove any hrefs or email links)
     $txt = preg_replace("/<\/?\w+[^>]*>/","",$txt);

     $fnt = 2;
     $pos = strtolower($pos);
     $col = strtolower($col);
     $src_img = ImageCreateFromJpeg($image);
     $img_x = ImageSX($src_img);
     $img_y = ImageSY($src_img);

     $white = ImageColorAllocate($src_img, 255, 255, 255);
     $black = ImageColorAllocate($src_img, 0, 0, 0);

     $font_w = imagefontwidth($fnt);
     $font_h = imagefontheight($fnt);
     $slen = strlen($txt);
     $ad_text = "our web site";
     $ad_len = strlen($ad_text);

     switch ($col) {
          case 'white':
          case 'wh':
          case 'w':
               $txt_col = $white;
               break;
          case 'black':
          case 'bl':
          case 'b':
               $txt_col = $black;
               break;
          default:
               $txt_col = $black;
          }

     switch ($pos) {
         case 'bl':
             $str_x_pos = 5;
             $ad_str_x_pos = 5;
             $str_y_pos = ($img_y - (20 + $font_h));
          break;
         case 'br':
             $str_x_pos = ($img_x - (($slen * $font_w) +5));
             $ad_str_x_pos = ($img_x - (($ad_len * $font_w) +5));
             $str_y_pos = ($img_y - (20 + $font_h));
          break;
         case 'tl':
             $str_x_pos = 5;
             $ad_str_x_pos = 5;
             $str_y_pos = 5;
          break;
         case 'tr':
             $str_x_pos = ($img_x - (($slen * $font_w) +5));
             $ad_str_x_pos = ($img_x - (($ad_len * $font_w) +5));
             $str_y_pos = 5;
          break;
         default:
             $str_x_pos = 5;
             $str_y_pos = ($img_y - (5 + $font_h));
          }

     imagestring($src_img, $fnt, $str_x_pos, $str_y_pos, $txt, $txt_col);
     imagestring($src_img, $fnt, $ad_str_x_pos, $str_y_pos+15, $ad_text, $txt_col);

     ImageJpeg($src_img,'',100);
     ImageDestroy($src_img);

     return(1);

?>

So, does anyone have any ideas how to make this code work with filenames that have single quotes in them? (Remember it works perfectly with filenames that don't have ' in them)

Thanks
Andrew
0
Comment
Question by:andrew30
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 15

Expert Comment

by:VGR
ID: 8208879
could you comment out the ereg_replace() call and give it a try ?
0
 

Author Comment

by:andrew30
ID: 8208998
I've commented out the preg_replace near the top of addtext.php (if that's what you meant) and it made no difference.


0
 

Author Comment

by:andrew30
ID: 8209052
VGR,

Since it seems to be linked to the filename, do you think there could be an issue with the ImageCreateFromJpeg function?

BTW Thank you for helping me.
0
Video: Liquid Web Managed WordPress Comparisons

If you run run a WordPress, you understand the potential headaches you may face when updating your plugins and themes. Do you choose to update on the fly and risk taking down your site; or do you set up a staging, keep it in sync with your live site and use that to test updates?

 
LVL 15

Expert Comment

by:VGR
ID: 8209080
could be. Cold you echo somewhere (file, screen, DB) the $image value received in the function via $_GET[] ?
0
 

Author Comment

by:andrew30
ID: 8209315
Ok, wrote the $image value out to a file, for the image ../photos/blenheim/'r3281'/ajd160-06.jpg

the result is

../photos/blenheim/\\\'r3281\\\'/ajd160-06.jpg

Having seen this (and thinking that there may be a few to many slashes there!) I tried removing the addslashes from the print statement used to call the addtext function and I get the result now

../photos/blenheim/\'r3281\'/ajd160-06.jpg

but still no image.

FIXED!

I have removed the addslashes and the urlencode from around the $myrow["url"] in the print statement in showphoto.php and added $image = str_replace("\'","'",$image); after the line $image = "./".$_GET["img"]; at the top of addtext.php.

and it now shows them perfectly!

But does the fact that I'm not urlencoding and adding slashes now give me a security problem? - anyone could pass a string via the img parameter that I will automatically try and create an image from.

Many thanks for your assistance VGR
0
 

Author Comment

by:andrew30
ID: 8209733
Ok, wrote the $image value out to a file, for the image ../photos/blenheim/'r3281'/ajd160-06.jpg

the result is

../photos/blenheim/\\\'r3281\\\'/ajd160-06.jpg

Having seen this (and thinking that there may be a few to many slashes there!) I tried removing the addslashes from the print statement used to call the addtext function and I get the result now

../photos/blenheim/\'r3281\'/ajd160-06.jpg

but still no image.

FIXED!

I have removed the addslashes and the urlencode from around the $myrow["url"] in the print statement in showphoto.php and added $image = str_replace("\'","'",$image); after the line $image = "./".$_GET["img"]; at the top of addtext.php.

and it now shows them perfectly!

But does the fact that I'm not urlencoding and adding slashes now give me a security problem? - anyone could pass a string via the img parameter that I will automatically try and create an image from.

Many thanks for your assistance VGR
0
 

Expert Comment

by:jaxn
ID: 8213631
And to think, I was just about to say:

$txt = strip_slashes(preg_replace("/<\/?\w+[^>]*>/","",$txt));

That would fix the problem.

-Jackson
0
 
LVL 33

Expert Comment

by:snoyes_jw
ID: 11942611
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup topic area:
    PAQ with points refunded

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

snoyes_jw
EE Cleanup Volunteer
0
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
ID: 11981187
PAQed, with points refunded (100)

Netminder
Site Admin
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
The viewer will learn how to dynamically set the form action using jQuery.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question