[nycphp-talk] exif_thumbnail
Ken Robinson
kenrbnsn at rbnsn.com
Tue Oct 31 15:25:28 EST 2006
At 03:18 PM 10/31/2006, csnyder wrote:
>I'm not sure what exif_thumbnail() would do with a non-image, but to
>protect against $_GET['f'] == "../../../etc/passwd" you'd probably
>better make that:
I said it was a quick example with no error checking. I would put a
check to make sure it's really an image file, check for "../", check
for "http://", etc. Actually, in real life, I would just pass part
of the file or use some other non-obvious method to pass the file to
the thumbnail script.
Ken
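The checks named in this message (confirm the file is really an image, reject "../", reject "http://"), written out as an added example that is not part of the original thread or any poster's code. The script layout, the `IMAGE_DIR` base directory and the `resolve_image_path()` helper are assumptions made for illustration; only the `f` parameter and `exif_thumbnail()` come from the thread.

```php
<?php
// Added example: a hypothetical thumbnail script. IMAGE_DIR and
// resolve_image_path() are assumed names, not from the thread.
const IMAGE_DIR = '/var/www/photos';

function resolve_image_path(string $requested, string $baseDir): ?string
{
    // Reject stream wrappers (http://, ftp://, php://, ...) and NUL bytes.
    if (strpos($requested, '://') !== false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks and returns false for
    // files that do not exist, so the comparison below sees the real target.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The canonical path must still be inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Decide by file content, not extension: EXIF thumbnails live in JPEG/TIFF.
    $type = @exif_imagetype($path);
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_TIFF_II, IMAGETYPE_TIFF_MM];
    return in_array($type, $allowed, true) ? $path : null;
}

$f = $_GET['f'] ?? null;
$path = is_string($f) ? resolve_image_path($f, IMAGE_DIR) : null;
if ($path === null) {
    http_response_code(404);   // same response for every rejection reason
    exit;
}

$thumb = exif_thumbnail($path, $width, $height, $type);
if ($thumb === false) {        // valid image, but no embedded thumbnail
    http_response_code(404);
    exit;
}
header('Content-Type: ' . image_type_to_mime_type($type));
echo $thumb;
```

Comparing the canonical path against the base directory covers encoded or nested traversal sequences that a plain substring search for "../" would miss.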