mrmortimer
New Member
Joined: Jan 22, 2008
Posts: 13
PostPosted: Wed Jan 23, 2008 10:20 am

I've written a script to create dynamic signature images for some friends on a gaming forum I've been known to frequent, and currently have the same script placed in several directories (one for each person). I can't help but think that a single instance of the script should be able to serve everyone, but I'm not entirely sure of how to implement this. To illustrate:

This is my personal sig image:
Image

(if you refresh the page, you see that the image changes)
Code:
Its address is http://www.geekcavecreations.com/images/sa/MrMortimer/sig.jpeg


The current setup is (base address)/user/sig.jpeg

what I'm wanting to do is more along the lines of (base address)/user.jpeg
{BTW, I'm already using .htaccess to allow script execution with the .jpeg file extension}

I'm sure that I can use a custom error page to do this, or even mod_rewrite, but I'm not sure exactly how to implement this. I think using rewrite would be better, and I'm allowed limited use of .htaccess files, but I'm not sure if my server allows mod_rewrite.

Please bear in mind that all of my skills with PHP/Apache are self-learned, so I have several severe gaps in my knowledge, and am more or less over my head here. However, I'm a fast learner. Very Happy

[edit] As a side note, the forum pages these are posted on don't allow non-image extensions or query strings within the image URLs; thus the .jpeg extension. [/edit]


Last edited by mrmortimer on Fri Feb 01, 2008 8:59 am; edited 1 time in total
evaders99
Moderator
Joined: Apr 30, 2004
Posts: 2853
PostPosted: Wed Jan 23, 2008 1:40 pm

This is what I use, using mod_rewrite.

I have a directory that is just images/

in .htaccess
Code:

RewriteEngine on
# Escape the dot and anchor the pattern: an unescaped "." matches any character,
# and without "$" the rule would also fire on names such as "user.jpgx".
RewriteRule ^(.*)\.jpg$ sig.php?charname=$1 [L]


It rewrites all attempts to images/USER.jpg into the form
sig.php?charname=user

As an example


Hope that helps what you are doing!
mrmortimer
New Member
Joined: Jan 22, 2008
Posts: 13
PostPosted: Wed Jan 23, 2008 7:21 pm

I'll give it a try. Thank you greatly.
mrmortimer
New Member
Joined: Jan 22, 2008
Posts: 13
PostPosted: Tue Jan 29, 2008 7:26 pm

Well, it took a while to get back to this, but that did the trick. Thanks again for the assist!
Very Happy
Here's what it looks like:
Image

I've even added some error handling, just in case someone misspells the name.
example:
Image


Last edited by mrmortimer on Thu Jan 31, 2008 4:11 am; edited 1 time in total
montego
Site Admin
Joined: Aug 29, 2004
Posts: 7487
Location: Arizona
PostPosted: Wed Jan 30, 2008 6:12 am

mrmortimer, just make sure you "cleanse" that $1 input very carefully before you use it. I haven't a clue how you've coded this, but just make sure no-one can perform a SQL injection, XSS, or file inclusion type exploit on it. Since that is coming in off a URL, which can also be encoded, ensure you can handle that. Bottom line is be careful.
mrmortimer
New Member
Joined: Jan 22, 2008
Posts: 13
PostPosted: Wed Jan 30, 2008 12:42 pm

Thanks for the tip. I've run it through stripslashes, and the script uses no SQL of any type. Not really sure if there's anything else I need to do to it, since it only looks for the one variable, and that points to a directory elsewhere in the tree. If there's anything else I need to do to "cleanse" the input, I'd dearly love to learn. If needed, I can post the code. It's rather short.

[edit]
Another security measure I've implemented is to change the regex in the .htaccess file to the following:

RewriteRule ^([a-zA-Z]{3,15})\.jpg$ sig.php?charname=$1 [L]

I figure that this will eliminate most, if not all, hacking attempts.
[/edit]
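A hardened sig.php to sit behind that rewrite rule, written here as an added example and not mrmortimer's actual script: it repeats the same 3 to 15 letter whitelist in PHP (so a direct request to sig.php?charname=... gets exactly the treatment a rewritten one does), confines the resolved directory to the base directory with realpath() so "../" or a stray symlink cannot reach elsewhere in the tree, and picks a random .jpeg from that directory, which is what makes the image change on refresh. The sigs/<name>/ layout, the error.jpeg fallback and every function name are assumptions made for the illustration.

```php
<?php
// Added example, not mrmortimer's actual sig.php: a hardened version of the
// script the rewrite rule hands charname to. Directory layout (sigs/<name>/),
// the error image and all function names are assumptions for illustration.
declare(strict_types=1);

const SIG_BASE  = __DIR__ . '/sigs';        // assumed: one subdirectory per user
const SIG_ERROR = __DIR__ . '/error.jpeg';  // assumed: image returned for bad names

/**
 * Second line of defence behind the .htaccess whitelist: accept only 3 to 15
 * ASCII letters. "../", NUL bytes, percent-encoded sequences, arrays
 * (charname[]=x) and anything a direct request to sig.php?charname=... could
 * carry are rejected here too, so the script stays safe if the rewrite rule
 * is bypassed or later changed.
 */
function validate_charname($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    // \A and \z rather than ^ and $: $ would still accept a trailing newline.
    return preg_match('/\A[a-zA-Z]{3,15}\z/', $raw) === 1 ? $raw : null;
}

/**
 * Resolve the user's directory and confirm it really lies under SIG_BASE.
 * realpath() collapses ".." and follows symlinks, so a stray link inside
 * sigs/ cannot point the script at a directory elsewhere in the tree.
 */
function resolve_sig_dir(string $name): ?string
{
    $base = realpath(SIG_BASE);
    $dir  = realpath(SIG_BASE . '/' . $name);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // Compare with the separator included so "sigs-old" is not mistaken for "sigs/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($dir, $prefix, strlen($prefix)) === 0 ? $dir : null;
}

/**
 * Pick one of the user's images at random, which is what makes the signature
 * change on every refresh. Only *.jpeg files from the resolved directory are
 * candidates; the name never touches the filesystem in any other way.
 */
function pick_sig_image(string $dir): ?string
{
    $files = glob($dir . '/*.jpeg');
    if ($files === false || $files === []) {
        return null;
    }
    return $files[array_rand($files)];
}

// Entry point when reached through the rewrite rule.
$name = validate_charname($_GET['charname'] ?? null);
$dir  = $name !== null ? resolve_sig_dir($name) : null;
$file = $dir !== null ? pick_sig_image($dir) : null;

if ($file === null) {
    // Misspelled or hostile name: serve the error image, never an error page
    // that echoes the input back (that is the XSS vector montego warned about).
    $file = SIG_ERROR;
    http_response_code(404);
}

header('Content-Type: image/jpeg');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: no-cache');   // forum or browser caches would otherwise freeze the random pick
readfile($file);
```

The regex check is deliberately duplicated from the .htaccess rule rather than trusted from it: anyone who can reach sig.php directly (or a later edit to the rewrite rule) would otherwise skip the whitelist, and the realpath() prefix comparison is what actually guarantees the directory stays under sigs/ even if the validation is loosened one day.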
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2401
Location: Iowa, USA
PostPosted: Wed Jan 30, 2008 6:01 pm

Hopefully you meant addslashes(), but since you aren't doing any SQL stuff the chances are lower. Hopefully you aren't doing any evals or executing shell scripts on the server with the input. Smile

Looks good and sounds like you have taken adequate precautions!
mrmortimer
New Member
Joined: Jan 22, 2008
Posts: 13
PostPosted: Thu Jan 31, 2008 4:10 am

Gremmie wrote:
Hopefully you meant addslashes(), but since you aren't doing any SQL stuff the chances are lower. Hopefully you aren't doing any evals or executing shell scripts on the server with the input. Smile

Looks good and sounds like you have taken adequate precautions!


Actually, that was a "senior" moment. Yup, I did. Silly me. And considering that the .htaccess file is my first line of defense here, only allowing alphabetics of between 3 and 15 characters in length, I don't think there's much they can do to the script. Very Happy
montego
Site Admin
Joined: Aug 29, 2004
Posts: 7487
Location: Arizona
PostPosted: Thu Jan 31, 2008 5:48 am

Yes, your edit above showing the rewrite rule makes me feel much, much better, as it keeps them from using "../" as well as any encoded values. Wink

Good job!
mrmortimer
New Member
Joined: Jan 22, 2008
Posts: 13
PostPosted: Thu Jan 31, 2008 8:31 am

One thing I didn't mention was that, if someone DOES try to hack it using any one of several known methods (SQL injection, file inclusion, etc.), it's picked up by my error handling page, and if it matches certain profiles, it runs through a "hacker alert" routine that tracks the user and emails their ISP with details of the attack. I SO hate malicious hackers!
montego
Site Admin
Joined: Aug 29, 2004
Posts: 7487
Location: Arizona
PostPosted: Fri Feb 01, 2008 4:39 am

hhhhmmmm.... sounds to me like you may need to become a contributor to NukeSentinel... I like the sounds of what you have done. Wink
mrmortimer
New Member
Joined: Jan 22, 2008
Posts: 13
PostPosted: Fri Feb 01, 2008 8:47 am

montego wrote:
hhhhmmmm.... sounds to me like you may need to become a contributor to NukeSentinel... I like the sounds of what you have done. Wink


I don't know about that. Very Happy Considering the gaps in my knowledge of PHP, I've probably re-invented a rather oblong and out-of-round wheel with my error handling script. I'm reasonably sure that the only reason why many of my scripts work at all is because of all the chickens that so selflessly gave their all in all of those sacrifices. However, if I can help out at all, I'm more than happy to do so. So many people have helped me over the years that I feel it's my responsibility to give back wherever and whenever I can. I just need to learn where best I can assist. Lead me, oh great one. Smile