Failed @getimagesize() print to error_log? [message #173066]
Sun, 20 March 2011 01:58
jwcarlton
I have the following in a script:
if (($image) && (@getimagesize("/home/myaccount/www/thumbs/$image")))
$height = "75";
else {
$image = "noimage.gif";
$height = "75";
}
And I have a gazillion of these in my error log:
File does not exist: /home/myaccount/public_html/thumbs/
some_image_name.jpg
This is the only script that refers to the "thumbs" directory (as far
as I know), so I'm pretty sure that this is the culprit.
Unfortunately, the error_log isn't giving a referer, so I'm not 100%
sure that the references aren't coming from something like Google
Images.
Would a failed @getimagesize() write to the error_log? If so, would it
be better to use is_readable()?
if (($image) && (is_readable("/home/myaccount/www/thumbs/$image")))
Re: Failed @getimagesize() print to error_log? [message #173067 is a reply to message #173066]
Sun, 20 March 2011 02:44
Jerry Stuckle
On 3/19/2011 9:58 PM, jwcarlton wrote:
> I have the following in a script:
>
> if (($image) && (@getimagesize("/home/myaccount/www/thumbs/$image")))
> $height = "75";
>
> else {
> $image = "noimage.gif";
> $height = "75";
> }
>
>
> And I have a gazillion of these in my error log:
>
> File does not exist: /home/myaccount/public_html/thumbs/
> some_image_name.jpg
>
>
> This is the only script that refers to the "thumbs" directory (as far
> as I know), so I'm pretty sure that this is the culprit.
> Unfortunately, the error_log isn't giving a referer, so I'm not 100%
> sure that the references aren't coming from something like Google
> Images.
>
> Would a failed @getimagesize() write to the error_log? If so, would it
> be better to use is_readable()?
>
> if (($image) && (is_readable("/home/myaccount/www/thumbs/$image")))
First of all, why are you using '@' to potentially hide errors? You
should not be using this; you need error messages displayed on your
development system. Rather, disable the displaying of error messages in
the php.ini of your production system.
And yes, a failed getimagesize() obviously writes to the error log. And
you won't get a referrer; getimagesize() is completely independent of
any web server.
is_readable() will help you determine if it's a file and is readable,
but it won't tell you whether it is a valid image file or not. But if
the only files in this directory are image files, you should be ok.
So the question is - does the file exist? Is it an image file? You can
check to see if the file exists with file_exists(), but you can't easily
tell if it is an image file or not.
If you really need to find out who the referrer is (does it make a
difference?), check the time of the error message and see what's
happening at that time in your web server access log. It should tell
you more about the request.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Failed @getimagesize() print to error_log? [message #173068 is a reply to message #173067]
Sun, 20 March 2011 09:31
jwcarlton
> First of all, why are you using '@' to potentially hide errors? You
> should not be using this; you need error messages displayed on your
> development system. Rather, disable the displaying of error messages in
> the php.ini of your production system.
Excellent point. I had actually disabled errors in php.ini recently,
anyway, so this was just a leftover from before.
> And yes, a failed getimagesize() obviously writes to the error log. And
> you won't get a referrer; getimagesize() is completely independent of
> any web server.
>
> is_readable() will help you determine if it's a file and is readable,
> but it won't tell you whether it is a valid image file or not. But if
> the only files in this directory are image files, you should be ok.
>
> So the question is - does the file exist? Is it an image file? You can
> check to see if the file exists with file_exists(), but you can't easily
> tell if it is an image file or not.
>
> If you really need to find out who the referrer is (does it make a
> difference?), check the time of the error message and see what's
> happening at that time in your web server access log. It should tell
> you more about the request.
I don't really care about the referrer, other than trying to find if I
have a problem on a specific page. I've changed getimagesize() to
is_readable() (you're correct, the only thing in this directory are
images that have been uploaded and tested through my own script, so
that should be fine), but I'm still getting errors in the error_log.
Does a false is_readable() also write to the error_log? Or am I more
likely dealing with these deleted images being found on something like
Google Images?
Re: Failed @getimagesize() print to error_log? [message #173069 is a reply to message #173068]
Sun, 20 March 2011 12:34
Jerry Stuckle
On 3/20/2011 5:31 AM, jwcarlton wrote:
>> First of all, why are you using '@' to potentially hide errors? You
>> should not be using this; you need error messages displayed on your
>> development system. Rather, disable the displaying of error messages in
>> the php.ini of your production system.
>
> Excellent point. I had actually disabled errors in php.ini recently,
> anyway, so this was just a leftover from before.
>
>
>> And yes, a failed getimagesize() obviously writes to the error log. And
>> you won't get a referrer; getimagesize() is completely independent of
>> any web server.
>>
>> is_readable() will help you determine if it's a file and is readable,
>> but it won't tell you whether it is a valid image file or not. But if
>> the only files in this directory are image files, you should be ok.
>>
>> So the question is - does the file exist? Is it an image file? You can
>> check to see if the file exists with file_exists(), but you can't easily
>> tell if it is an image file or not.
>>
>> If you really need to find out who the referrer is (does it make a
>> difference?), check the time of the error message and see what's
>> happening at that time in your web server access log. It should tell
>> you more about the request.
>
> I don't really care about the referrer, other than trying to find if I
> have a problem on a specific page. I've changed getimagesize() to
> is_readable() (you're correct, the only thing in this directory are
> images that have been uploaded and tested through my own script, so
> that should be fine), but I'm still getting errors in the error_log.
>
> Does a false is_readable() also write to the error_log? Or am I more
> likely dealing with these deleted images being found on something like
> Google Images?
No, IIRC, is_readable() shouldn't write to the error log - but if it
did, you would see a different message in the error log. But no matter
the source, if you're checking to see if the file is readable before
calling getimagesize(), you shouldn't be seeing an error for a
non-existent file.
What is your current error message?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Failed @getimagesize() print to error_log? [message #173076 is a reply to message #173066]
Sun, 20 March 2011 17:24
Denis McMahon
On Sat, 19 Mar 2011 18:58:24 -0700, jwcarlton wrote:
> I have the following in a script:
>
> if (($image) && (@getimagesize("/home/myaccount/www/thumbs/$image")))
> $height = "75";
>
> else {
> $image = "noimage.gif";
> $height = "75";
> }
> And I have a gazillion of these in my error log:
Tell me, are you taking user input in some form and expecting it to match
the name of a thumbnail file on the server?
If so, what controls are you placing on that user input to ensure that a
valid file name is requested?
Note that the *only* validation that you can rely on is validation
carried out by the server after the request is received from the viewer's
browser.
Maybe:
<?php
if (isset($image) && $image) {
    $imgFileName = "/home/myaccount/www/thumbs/$image";
    if (file_exists($imgFileName)) {
        if (getimagesize($imgFileName)) {
            // nothing to do here
        } else {
            $image = "noimage.gif"; // file exists but not an image
        }
    } else {
        $image = "noimage.gif"; // file doesn't exist
    }
} else {
    $image = "noimage.gif"; // $image was not defined or was false
}
$height = "75"; // always do this
?>
would better meet your needs?
However, from the manual:
"If accessing the filename image is impossible, or if it isn't a valid
picture, getimagesize() will generate an error of level E_WARNING. On
read error, getimagesize() will generate an error of level E_NOTICE."
So using getimagesize to determine if it really is an image will always
generate a warning message if it's not an image file. This means that the
above code will only prevent any "file doesn't exist" related warnings,
and not "file isn't an image" related warnings.
Rgds
Denis McMahon
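Added example, not part of Denis McMahon's post or any poster's code: one way to apply the server-side file-name control he asks about and to test for an image without calling getimagesize(), so nothing is logged for a missing or non-image file. The numeric file-name pattern, the function names and the header-byte check are assumptions; the directory is the one used in the thread.

```php
<?php
// Added example, not from the thread. THUMB_DIR is taken from the posts;
// the file-name pattern and both function names are assumptions.
const THUMB_DIR = '/home/myaccount/www/thumbs';
const FALLBACK  = 'noimage.gif';

// Leading bytes of the image formats accepted here.
const MAGIC = [
    'gif'  => ["GIF87a", "GIF89a"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
];

function looks_like_image(string $path): bool
{
    // Read only the header; no warning is raised for a non-image file.
    $head = file_get_contents($path, false, null, 0, 8);
    if ($head === false) {
        return false;
    }
    foreach (MAGIC as $signatures) {
        foreach ($signatures as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                return true;
            }
        }
    }
    return false;
}

function thumb_or_default($image, string $dir = THUMB_DIR): string
{
    // Allowlist: listing ID plus extension, so no "/", ".." or NUL can pass.
    if (!is_string($image) || !preg_match('/\A[0-9]{1,12}\.(?:gif|jpe?g|png)\z/', $image)) {
        return FALLBACK;
    }
    $path = $dir . '/' . $image;
    // is_file()/is_readable() return false quietly for a missing file.
    if (!is_file($path) || !is_readable($path)) {
        return FALLBACK;
    }
    return looks_like_image($path) ? $image : FALLBACK;
}

$image  = thumb_or_default($image ?? null);
$height = "75";
```

The header check only confirms the leading bytes; it does not prove that the rest of the file decodes as an image.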
Re: Failed @getimagesize() print to error_log? [message #173088 is a reply to message #173069]
Sun, 20 March 2011 22:24
jwcarlton
> No, IIRC, is_readable() shouldn't write to the error log - but if it
> did, you would see a different message in the error log. But no matter
> the source, if you're checking to see if the file is readable before
> calling getimagesize(), you shouldn't be seeing an error for a
> non-existent file.
>
> What is your current error message?
I'm still getting the same error message as before; just a plain old
"File does not exist" message. That makes me suspect that the referrer
is coming from somewhere else; possibly off-site.
Re: Failed @getimagesize() print to error_log? [message #173089 is a reply to message #173076]
Sun, 20 March 2011 22:28
jwcarlton
> Tell me, are you taking user input in some form and expecting it to match
> the name of a thumbnail file on the server?
>
> If so, what controls are you placing on that user input to ensure that a
> valid file name is requested?
Not exactly. This section hosts local classifieds, so the user is
uploading it via a Perl script, which verifies that it's a legitimate
image, and renames the image to the ID of the listing (so it's always
a number). Then, the image name is added to a database, which is then
read when a site visitor views the ad.
> Note that the *only* validation that you can rely on is validation
> carried out by the server after the request is received from the viewer's
> browser.
>
> Maybe:
>
> <?php
> if (isset($image) && $image) {
>     $imgFileName = "/home/myaccount/www/thumbs/$image";
>     if (file_exists($imgFileName)) {
>         if (getimagesize($imgFileName)) {
>             // nothing to do here
>         } else {
>             $image = "noimage.gif"; // file exists but not an image
>         }
>     } else {
>         $image = "noimage.gif"; // file doesn't exist
>     }
> } else {
>     $image = "noimage.gif"; // $image was not defined or was false
> }
> $height = "75"; // always do this
> ?>
>
> would better meet your needs?
That's a lot more checks than I'm using, so I'll plug that logic in
and see if I keep getting an error. If I am, then that should confirm
that they're not coming from this script.
Thanks,
Jason
Re: Failed @getimagesize() print to error_log? [message #173092 is a reply to message #173088]
Sun, 20 March 2011 23:56
Jerry Stuckle
On 3/20/2011 6:24 PM, jwcarlton wrote:
>> No, IIRC, is_readable() shouldn't write to the error log - but if it
>> did, you would see a different message in the error log. But no matter
>> the source, if you're checking to see if the file is readable before
>> calling getimagesize(), you shouldn't be seeing an error for a
>> non-existent file.
>>
>> What is your current error message?
>
> I'm still getting the same error message as before; just a plain old
> "File does not exist" message. That makes me suspect that the referrer
> is coming from somewhere else; possibly off-site.
If it's in your php error log, check your php code again. You have a
problem.
404 Not Found in your web server log is not unusual.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
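Added example, not part of the thread: one way to sort error_log entries into those written by PHP and those written by the web server for a URL that maps to no file. The sample lines are constructed and assume Apache 2.2-style formatting; the script name listing.php and the function names are hypothetical.

```php
<?php
// Added example, not from the thread. Sample lines are constructed and assume
// Apache 2.2-style error_log formatting with PHP logging to the same file.
$sample = <<<'LOG'
[Sun Mar 20 01:58:03 2011] [error] [client 192.0.2.10] File does not exist: /home/myaccount/public_html/thumbs/1234.jpg
[Sun Mar 20 01:58:07 2011] [error] [client 192.0.2.11] PHP Warning:  getimagesize(/home/myaccount/www/thumbs/5678.jpg): failed to open stream: No such file or directory in /home/myaccount/www/listing.php on line 12
[Sun Mar 20 01:59:40 2011] [error] [client 192.0.2.10] File does not exist: /home/myaccount/public_html/thumbs/1234.jpg, referer: http://www.example.com/ads/1234
LOG;

function classify_line(string $line): ?array
{
    // Raised by PHP: names the function, the script and the line number.
    if (preg_match('/PHP (Warning|Notice):\s+(\w+)\((.*?)\): (.*) in (\S+) on line (\d+)/', $line, $m)) {
        return ['source' => 'php', 'path' => $m[3], 'where' => "$m[5]:$m[6]"];
    }
    // Logged by the web server itself when a requested URL maps to no file.
    if (preg_match('/\] File does not exist: ([^,]+)(?:, referer: (\S+))?/', $line, $m)) {
        return ['source' => 'httpd', 'path' => $m[1], 'where' => $m[2] ?? '(no referer sent)'];
    }
    return null;
}

function summarize(string $log): array
{
    $counts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $hit = classify_line($line);
        if ($hit !== null) {
            $key = $hit['source'] . ' ' . $hit['path'] . ' <- ' . $hit['where'];
            $counts[$key] = ($counts[$key] ?? 0) + 1;
        }
    }
    arsort($counts);
    return $counts;
}

foreach (summarize($sample) as $key => $n) {
    printf("%3d  %s\n", $n, $key);
}
```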
Re: Failed @getimagesize() print to error_log? [message #173239 is a reply to message #173089]
Tue, 29 March 2011 07:11
Gordon Burditt
>> Tell me, are you taking user input in some form and expecting it to match
>> the name of a thumbnail file on the server?
>>
>> If so, what controls are you placing on that user input to ensure that a
>> valid file name is requested?
>
> Not exactly. This section hosts local classifieds, so the user is
> uploading it via a Perl script, which verifies that it's a legitimate
> image, and renames the image to the ID of the listing (so it's always
> a number). Then, the image name is added to a database, which is then
> read when a site visitor views the ad.
In order to verify that something is a valid image, you need, at a
minimum, an antivirus program. There are a number of ways to
generate a malicious image intended to cause buffer overflows or
other nasty things in browsers. Whether or not it causes trouble
for PHP, you don't want to serve such images.
You may also need the MPAA image-rating program (if such a thing
exists) to ensure that you are not accepting pornographic images
for your classifieds. Unless, of course, it's for pornographic
classifieds.