Author Topic: Apache / PHP settings for accessing URLs  (Read 998 times)

Offline CygnusX

Apache / PHP settings for accessing URLs
« on: January 17, 2011, 09:02:56 PM »
I have a bit of BB code for displaying images that references an external image link.  The url for this file looks like:

http://localhost/LOM/make_wallimage.php?url=http://i162.photobucket.com/albums/t254/Feesum/coffee-art.jpg

make_wallimage.php looks to see if the url in question is an image, and if so, resizes and displays it.  This works just fine on my home wamp server.  However, when I upload to my live server, I get:

Forbidden

You don't have permission to access /make_wallimage.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.lordsofmidnight.com Port 80

If I delete the http:// portion of ?url, it works just fine.  So, I'm guessing either apache or PHP doesn't like external URLs in the GET variables.  I 'may' have the option to change this, but I'm not even sure which setting it is.

Any clues? 

Offline CygnusX

Re: Apache / PHP settings for accessing URLs
« Reply #1 on: January 18, 2011, 07:34:54 AM »
Problem solved.

I was working on this too late last night, and must not have been thinking clearly.  The http:// in the url was causing confusion.  I simply removed this, and added it back in on the script side.

ST-Mike

  • Guest
Re: Apache / PHP settings for accessing URLs
« Reply #2 on: January 18, 2011, 11:53:00 AM »
Admins have ignored my deletion request - if you're not going to delete my account then don't have the option there please.
« Last Edit: March 15, 2011, 07:42:53 PM by None »

Offline CygnusX

Re: Apache / PHP settings for accessing URLs
« Reply #3 on: January 19, 2011, 10:32:03 AM »
Urlencode is a great solution to the problem.  But I'm having difficulties integrating it into preg_match().  Code is:


Code: [Select]
    $simple_search = array(
                '/\[img\](.*?)\[\/img\]/is',
                );

    $simple_replace = array(
                '<center><a href="http://$1" target="_blank"><img src="make_wallimage.php?url='.urlencode($1).'"></a></center>',
                );

    // Do simple BBCode's
    $str = preg_replace ($simple_search, $simple_replace, $str);

If I have a URL that doesn't break the encode rules, and remove .urlencode($1) (and replace with only $1), it works fine.  But, as is above, I think it should work.... but it keeps throwing the error:

unexpected T_LNUMBER, expecting T_VARIABLE or '$'

Any ideas?

Offline Winawer

Re: Apache / PHP settings for accessing URLs
« Reply #4 on: January 19, 2011, 10:52:39 AM »
$1 is an invalid variable name.

Offline CygnusX

Re: Apache / PHP settings for accessing URLs
« Reply #5 on: January 19, 2011, 10:56:19 AM »
$1, $2... $n are made specifically for preg_match().  Items found inside (  ) on the search will be assigned to $n (ie, there could be multiple sets of ( ) matches in the search, and they get assigned to $1, $2... etc in sequence).

The PHP.net example #4 code for preg_match uses the following:

preg_replace("/(<\/?)(\w+)([^>]*>)/e",
             "'\\1'.strtoupper('\\2').'\\3'",
             $html_body);

They also state that \\2 can be replaced with $2, and that the latter is preferred....

Perhaps I need to try \\1.... brb

Edit:  Still no success : (
« Last Edit: January 19, 2011, 11:18:12 AM by CygnusX »

Offline Winawer

Re: Apache / PHP settings for accessing URLs
« Reply #6 on: January 19, 2011, 12:00:00 PM »
Try urlencode('$1')

Offline CygnusX

Re: Apache / PHP settings for accessing URLs
« Reply #7 on: January 19, 2011, 12:01:38 PM »
I did.  It encodes the string $1, not the variable value. : \

Offline codestryke

Re: Apache / PHP settings for accessing URLs
« Reply #8 on: January 19, 2011, 12:35:38 PM »
Because you are trying to call a function, you cannot put this into a string/array and then loop that through preg_replace. For this to work properly and have your function executed, you have to call it via preg_replace, ie:
Code: [Select]
pre_replace('/\[img\](.*?)\[\/img\]/is', "'<center><a href="http://\\1" target="_blank"><img src="make_wallimage.php?url='.urlencode('\\1').'"></a></center>'", $text);
This way urlencode() is seen as a function and executed and not a string.

You should only get this working for knowledge sake though and should never be put online as it is very insecure. You don't check for extensions, nor a call to check if it really is an image, so I could pass to it anything and anyone who clicked on it would receive whatever I put there including an executable.

Creating online addictions, one game at a time:

Offline CygnusX

Re: Apache / PHP settings for accessing URLs
« Reply #9 on: January 19, 2011, 01:59:29 PM »
Makes perfect sense... but I'm still having problems.  I used your code (with a few corrections):

 $str = preg_replace('/\[img\]http://(.*?)\[\/img\]/is', "'<center><a href=\"http://\\1\" target=\"_blank\"><img src=\"make_wallimage.php?url='.urlencode('\\1').'\"></a></center>'", $str);

Note, I escaped double quotes with \.  Without this, it was throwing a syntax error.

and the output is (ie, echo string when [img]i162.photobucket.com/albums/t254/Feesum/coffee-art.jpg[/img] is provided):

'<center><a href="http://i162.photobucket.com/albums/t254/Feesum/coffee-art.jpg" target="_blank"><img src="make_wallimage.php?url='.urlencode('i162.photobucket.com/albums/t254/Feesum/coffee-art.jpg').'"></a></center>'

Urlencode, for some reason, is being treated as a string and not a function call...  



Also, fyi, for security, the page make_wallimage.php will check the incoming $_GET variable.  The test is:

if(!@GetImageSize($_GET['url']))
{ exit; }

Thus, if the link in question is not a valid image, it should fail to execute any more code.  I believe this is secure, but I welcome criticism.  I am also doing other checks before displaying user submissions (ie, encoding with htmlentities) to eliminate <script, and other malicious html code, etc.  These should not be in the url anyways.

« Last Edit: January 19, 2011, 02:14:02 PM by CygnusX »
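
An added example, not code from the thread: getimagesize() opens whatever path or stream wrapper it is handed, local files included, before it can decide whether the data is an image, so the gate below restricts the value first. It assumes the full URL arrives urlencoded in ?url= and that only http/https images on public hosts should be fetched; wallimage_url_ok() is a hypothetical helper name and the sample URLs are constructed.

```php
<?php
// Added example (not from the thread). wallimage_url_ok() is a hypothetical helper.

function wallimage_url_ok(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // bare paths and malformed input
    }
    // Only http/https: other wrappers (file://, php://, ftp://) never reach the fetch.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Use the literal address if the host is one, otherwise resolve the name (IPv4).
    $host = $parts['host'];
    $ips  = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : gethostbynamel($host);
    if (!$ips) {
        return false;                       // unresolvable: fail closed
    }
    // Every resolved address must be public: no loopback, private or reserved ranges.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP, $flags)) {
            return false;
        }
    }
    return true;
}

// In make_wallimage.php the gate would sit in front of the existing test:
//   $url = $_GET['url'] ?? '';
//   if (!wallimage_url_ok($url) || !@getimagesize($url)) { exit; }

// Constructed sample inputs (address literals, so no DNS lookup is needed).
$samples = [
    'http://8.8.8.8/coffee-art.jpg',
    'http://127.0.0.1/LOM/coffee-art.jpg',
    'http://10.0.0.5/coffee-art.jpg',
    'file:///tmp/example.png',
    'images/coffee-art.jpg',
];
foreach ($samples as $u) {
    printf("%-40s %s\n", $u, wallimage_url_ok($u) ? 'fetch' : 'reject');
}
```

The name is resolved once here and again by the fetch, and the http wrapper follows redirects, so this narrows the exposure rather than closing it. Checking the image type returned by getimagesize() against an allowlist before resizing is a separate, complementary test.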

Offline codestryke

Re: Apache / PHP settings for accessing URLs
« Reply #10 on: January 19, 2011, 02:10:57 PM »
The code was only to be an example not intended for use nor tested. You are still getting an error because the quote structure is incorrect.

Creating online addictions, one game at a time:

Offline CygnusX

Re: Apache / PHP settings for accessing URLs
« Reply #11 on: January 19, 2011, 06:50:43 PM »
Problem solved.

Two things I learned:

1)  preg_replace can call a function as part of the replacement, but the matching string needs to have an 'e modifier' or /e attached to the end.

So, my search had to be '/\[img\](.*?)\[\/img\]/e',


2) You can load a function into an array as long as you use the right type of quotes (this differs from codestryke's statement).  I have been familiar for a while now that PHP uses both single quotes and double quotes for defining strings.  What I did not realize is that single quotes make the string a literal object, whereas double quotes can still parse variables, functions, etc.

ex.

$var = 'word';
echo 'this is my $var' outputs: this is my $var
echo "this is my $var" outputs: this is my word

pretty cool.

So, defining the string in the replacement statement had to be done in double quotes, with \ escapes before special characters.
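
An added example, not code from the thread: the /e modifier evaluates the replacement string as PHP code, was deprecated in PHP 5.5 and removed in PHP 7.0, and preg_replace_callback() is its replacement. The sketch below runs urlencode() on the captured URL inside a callback and HTML-escapes the link target; bbcode_img() is a hypothetical helper name, the http/https-only rule is an assumption, and the sample inputs are constructed.

```php
<?php
// Added example (not from the thread): [img] BBCode without the /e modifier.
// bbcode_img() is a hypothetical helper name.

function bbcode_img(string $str): string
{
    return preg_replace_callback(
        '/\[img\](.*?)\[\/img\]/is',
        function (array $m): string {
            $url = trim($m[1]);
            // Accept the URL with or without its scheme; default to http://.
            if (!preg_match('#^https?://#i', $url)) {
                $url = 'http://' . $url;
            }
            // Not a well-formed URL: leave the tag on the page as inert text.
            if (filter_var($url, FILTER_VALIDATE_URL) === false) {
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            // The capture is data, never code: escape it for each context it lands in.
            $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');   // HTML attribute
            $src  = 'make_wallimage.php?url=' . urlencode($url);    // query-string value
            return '<center><a href="' . $href . '" target="_blank" rel="noopener">'
                 . '<img src="' . $src . '"></a></center>';
        },
        $str
    );
}

// Constructed sample inputs.
echo bbcode_img('[img]i162.photobucket.com/albums/t254/Feesum/coffee-art.jpg[/img]'), "\n";
echo bbcode_img('[img]http://example.com/pic.jpg?w=100&h=50[/img]'), "\n";
echo bbcode_img('[img]not a url[/img]'), "\n";
```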


 

