phpbb2 security question with external images

Posted on 2010-03-23
Medium Priority
Last Modified: 2013-11-11
Hi to everybody,

I run a phpbb2 forum and users can use bbcode to include external images (from other servers) inside their topics. Recently I got a problem because the browser opened an authentication window for some topics. The problem was that a directory on an external server with images needed authentication, and since some images were connected with some topics, the browser asked inside my forum for the authentication from the external image.

My question is: Can I avoid this somehow? Is there a way to adjust phpbb2 to not even try opening external content if authentication is needed? Or is the only way to simply not allow external images inside my forum? (which would be bad)

thanks for some ideas in advance,

Question by:Oliver2000

Expert Comment

ID: 28437435
The only way for you to control this would be for you to use your server as a proxy.  Your server could load all the external images and then only display them if they were available.

Author Comment

ID: 28442506
I am thinking about a PHP script that actually loads the images?

Something like <img src="image.php">
and make image.php do nothing other than load the image? But I really have no idea how to accomplish this.

How do I get my server to load external images first?

Expert Comment

ID: 28461088

Author Comment

ID: 28463363
Hi Hankknight,

Just to understand you right: you mean to JUST pull the images through the proxy server, right? Not all content? Could work, but I guess this is way more complicated than only loading the images via a PHP script.

However, thanks for the tip; I am going to take a closer look at your idea now.

Accepted Solution

Slick812 earned 2000 total points
ID: 28480304
Hello Oliver2000, I would think a simpler way to check on the validity of an image URL would be to use PHP cURL.
You can see if the URL is there, see if it returns the correct content_type, and see if the http_code is 200 (you get a 401 for restricted access). You can try the code below to test it out.
If you haven't used curl before, ask questions.
<html><head><title>CURL File Info</title></head><BODY BGCOLOR="#E3F7FF"><center><h2>CURL File Info Page</h2>
<?php
ini_set("display_errors", 1);
$ch = curl_init(); // start a cURL session
if ($ch) {
	curl_setopt($ch, CURLOPT_URL, 'http://www.getimage.com/here/rest.gif');
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_TIMEOUT, 2); // you absolutely MUST place some time limit on the URL request
	$userAgent = 'Mozilla/4.4 (compatible; MSIE 6.1; Windows NT 7.0;)';
	curl_setopt($ch, CURLOPT_USERAGENT, $userAgent);
	$contents = curl_exec($ch); // execute the cURL session
	$info = curl_getinfo($ch); // here is the IMPORTANT info to see if success
	// $info['http_code'] contains 200 if successful
	// $info['content_type'] contains the type, e.g. text/html
	// content_type and the error text depend on the remote server, so escape them before printing
	$type = (string) $info['content_type'];
	echo 'INFO http code: '.$info['http_code'].' -content_type: '.htmlspecialchars($type).'<br />';
	if (curl_error($ch)) echo 'CURL ERROR: '.htmlspecialchars(curl_error($ch)).'<br />'; // if error usually FAIL to get
	if ($type == 'image/gif') echo 'File is a GIF<br />';
	if ($type == 'image/jpeg') echo 'File is a JPG<br />';
	if ($type == 'image/png') echo 'File is a PNG<br />';
	// only count as successful if content_type is one of three above
}
?>
</center></body></html>

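The `image.php` idea from the thread combined with the 200/content-type check from the accepted answer, as an added example that is not code posted by any participant. Because the server now fetches URLs chosen by forum users, it also refuses non-HTTP schemes, internal addresses and redirects, and checks the bytes rather than the header. Assumptions: PHP 7.1+ with the curl extension, the function and constant names, and the 2 MiB cap.

```php
<?php
// image.php?url=... (added example; every name below is an assumption)
const MAX_BYTES = 2097152; // assumed cap: 2 MiB per image
const ALLOWED_TYPES = ['image/gif', 'image/jpeg', 'image/png'];

// Returns [host, port, ip] for a URL that is safe to fetch, or null.
function resolve_public_host(string $url): ?array
{
    $p = parse_url($url);
    $scheme = strtolower($p['scheme'] ?? '');
    if (!isset($p['host']) || !in_array($scheme, ['http', 'https'], true)) return null;
    if (isset($p['user']) || isset($p['pass'])) return null; // no credentials in the URL
    $ip = gethostbyname($p['host']); // IPv4 only; returns the name unchanged on failure
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) return null; // loopback, RFC 1918, link-local
    return [$p['host'], $p['port'] ?? ($scheme === 'https' ? 443 : 80), $ip];
}

// Returns [mime, bytes] only for a clean 200 response holding a real GIF/JPEG/PNG, else null.
function fetch_image(string $url): ?array
{
    $target = resolve_public_host($url);
    if ($target === null) return null;
    [$host, $port, $ip] = $target;
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // connect to the vetted address only
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,               // a redirect could point at an internal host
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body) {
            $body .= $chunk;
            return strlen($body) > MAX_BYTES ? 0 : strlen($chunk); // a short count aborts the transfer
        },
    ]);
    $ok = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($ok === false || $code !== 200) return null;   // 401, 404, timeout and oversize all end here
    $meta = @getimagesizefromstring($body);            // trust the bytes, not the Content-Type header
    if ($meta === false || !in_array($meta['mime'], ALLOWED_TYPES, true)) return null;
    return [$meta['mime'], $body];
}

if (PHP_SAPI !== 'cli') { // web request: relay the image or answer 404 for every failure
    $img = is_string($_GET['url'] ?? null) ? fetch_image($_GET['url']) : null;
    if ($img === null) { http_response_code(404); exit; }
    header('Content-Type: ' . $img[0]);
    header('X-Content-Type-Options: nosniff');
    echo $img[1];
}
```

The browser only ever talks to the forum's own server, so a 401 challenge from the remote host is never shown to a visitor. `parse_url()` and libcurl can disagree on unusual URLs, so a deployment should also reject anything that does not match a strict URL pattern, and add caching so each page view does not trigger a remote fetch.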


Author Closing Comment

ID: 31706159
Excellent! That's what I was looking for. Thanks

Question has a verified solution.
