is it safe?

to allow a user to specify an image url?

4 Replies - 1298 Views - Last Post: 09 April 2006 - 08:57 PM

#1 theRemix

is it safe?

Posted 07 April 2006 - 04:10 PM

is it safe to let a user set an image url for an image on a page?

for example:
-they input a url in a form, that url is stored in a mysql database.
`imageurl` varchar(100)
-i pull the image(s) from the database

<? while...{ ?>
<img src="<?=$row['imageurl']; ?>" />
<? } ?>

Replies To: is it safe?

#2 sontek

Re: is it safe?

Posted 07 April 2006 - 06:49 PM

That would work but you might run into dead image links, but it's better than storing it yourself (unless they are linking to sites which they do not own... which you'll get in trouble for because you'll be stealing their bandwidth).

This post has been edited by sontek: 07 April 2006 - 06:50 PM


#3 theRemix

Re: is it safe?

Posted 07 April 2006 - 08:24 PM

hmmm... good point.

i am giving users the ability to upload an image, it uploads a blob to the mysql database and is pulled by using
<? while...{ ?>
<img src="image.php?id=<?=$row['imageID']; ?>" />
<? } ?>


how do you feel about checking the url? first by validating the string using preg_match (got any regex for url image btw? :P )
then checking if the image is there by fopen, fgets/fread and checking the header to see if it is image/gif || image/jpeg || image/png ?
then if it's there, use it, else use noimage.gif ?

and how much trouble can i get into if someone uses an image that they do not own ?

should i or do i have to tell them that they must own the image, and if not, then they are liable, and not me ?

oh! should i just fopen/fread the remote file and keep it in my database as a blob and then i won't be stealing their bandwidth (but they may be stealing the image) ?

#4 wzeller

Re: is it safe?

Posted 09 April 2006 - 11:19 AM

Quote

(got any regex for url image btw? :P )


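How about something like this:

<script language="javascript">
// Accepts any value that ends in .jpg, .jpeg, .gif or .png (case-insensitive).
var imgRe = /^.+\.(jpg|jpeg|gif|png)$/i;

// pathField is the form field element; warn if its value does not match.
function validateImage(pathField)
{
    var path = pathField.value;
    if (path.search(imgRe) == -1)
    {
        alert("JPG, PNG, and GIFs only!");
    }
}
</script>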



You'd probably still want to programmatically check the headers in the uploaded file to be sure that A) it's really there, and B) it's really an image. But as for the client side validation, that should help.

Quote

how much trouble can i get into if someone uses an image that they do not own ?


Well, if getting in trouble is your main concern, then not much. Basically, a copyright holder would send you a "cease and desist" letter requesting that you remove the content. As long as you then do so, then there's no trouble. (If you fail to remove it at that point, then you can get into quite a lot of trouble - in the form of a monetary lawsuit.)

However, the world is a nicer place when people take proactive steps to not just avoid getting in trouble but to avoid committing offenses in the first place. There's not a lot you can do to programmatically enforce copyright compliance, but you can put text next to the image URL field explaining in no uncertain terms that use of copyrighted images may result in the immediate suspension of a user's account if the infringement comes to the attention of the site owner. Then, when you get that cease and desist letter, you remove the content and suspend the user for five days (or whatever).

w

This post has been edited by wzeller: 09 April 2006 - 01:45 PM


#5 theRemix

Re: is it safe?

Posted 09 April 2006 - 08:57 PM

cool thanks man, i changed it a bit to this:

function validateImage(pathField){
    var imgRe = /^.+\.(jpg|jpeg|gif|png)$/i;
    if (document.getElementById) { // DOM3 = IE5, NS6
        var path = document.getElementById(pathField).value;
        if (path.search(imgRe) == -1){
            alert("JPG, PNG, and GIFs only!");
            document.getElementById(pathField).value = "";
        }
    }else{
        if (document.layers) { // Netscape 4
            var path = document.id(pathField).value;
            document.id(pathField).value = "";
        }else{ // IE 4
            var path = document.pathField.value;
            document.pathField.value = "";
        }
    }
}


and in the input text field <input id="editImageUrlInput" onchange="validateImage('editImageUrlInput')">

thanks again.

now to add server side checks.
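
The server-side checks discussed in posts #3 to #5, as an added example that is not part of the original thread (Node.js; the function names and sample values are constructed). It allowlists http/https URLs instead of relying on the extension regex alone, escapes the value before it goes into the src attribute, and identifies GIF/JPEG/PNG from the file's leading bytes.

```javascript
// Added example, not code from the thread. All names here are hypothetical.
const ALLOWED_EXT = /\.(jpg|jpeg|gif|png)$/i;
const MAX_LEN = 100; // matches the `imageurl` varchar(100) column in post #1
const HTML_ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Accept only absolute http(s) URLs whose path ends in an image extension.
// Returns the normalized URL, or null if the input is rejected.
function validateImageUrl(input) {
  if (typeof input !== "string" || input.length > MAX_LEN) return null;
  let url;
  try { url = new URL(input); } catch (e) { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username || url.password) return null; // no embedded credentials
  if (!ALLOWED_EXT.test(url.pathname)) return null;
  return url.href;
}

// Escape a value for use inside a quoted HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESC[c]);
}

// Identify the image type from the first bytes of the file itself,
// independent of the file name or a Content-Type header.
function sniffImageType(buf) {
  const sigs = [
    ["image/png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
    ["image/jpeg", [0xff, 0xd8, 0xff]],
    ["image/gif", [0x47, 0x49, 0x46, 0x38]], // "GIF8" (GIF87a / GIF89a)
  ];
  for (const [type, sig] of sigs) {
    if (buf.length >= sig.length && sig.every((b, i) => buf[i] === b)) return type;
  }
  return null;
}

// Build the tag from post #1, falling back to noimage.gif as in post #3.
function imgTag(input) {
  const url = validateImageUrl(input) || "noimage.gif";
  return '<img src="' + escapeAttr(url) + '" />';
}
```

If the server downloads the image itself, as post #3 suggests, pass the first bytes of the response to sniffImageType and also restrict which hosts that fetch may reach.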