Menu
I'm currently developing a game using PHP and MySql. I'd like to allow users to be able to show images using a BBCode parser (NBBC) but i've been made aware of a potential security problem.
Allow me to explain:
The user enters a URL into a textarea box using code such as [img]http://example.com/image1.png[/img]
The user can then edit image1.png on the external server into a server side script that stores the user information (ip ect) and so forth.
User uses information to do some potentially nasty stuff!
My question is, how do we prevent this from happening and protect the users details when detailing with external sources?
The obvious answer is to only allow uploads to your site, but in this case, that really doesn't seem too practical.
Appreciate any help!
495
asked Jan 27 '26 22:01
Actually you can by changing
[img]http://example.com/image1.png[/img]
into something like:
<img src="http://yourserver/proxy.blah?url=example.com/image1.png" />
So that your proxy would load the image instead of the user.
87
You can't because to your script it will look like a genuine image and there is no way of detecting anything different.
Any body can use .htaccess/ForceType to change the execution type of any file, grab user information and serve up an image in response.
I wrote a simple script for rotating images in a users forum signature many moons ago and it demonstrates this process: http://blog.simonholywell.com/post/374221718/flickering-images
30
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
