Brainstorming how to do this avatars

[cdoyle]

Hi,
In my game I've been thinking it would be nice to allow my players to have an avatar in their profile.
What I'm thinking is, just make it so they can link to an image on their own server.  Not actually upload the image to database.

What kind of precautions do I need to make?
I'm would think a verification to make sure it's a .jpg or .gif.

what else?
I can rescale the image size where it's used on the pages.

[Sraet]

Remember if they link their own, you could suddenly have porn (or ads, or whatever) on yer site cause someone thinks its funny.

[cdoyle]

Ya I thought of that, but they could upload a porn image just as easy.

Either way, I'll make it a rule to not do that and if they break it they are banned from the game.

[cdoyle]

Is checking that the image is a .jpg and .gif the only thing I need to check for?

[toxin]

there are other image types. 
jpg bmp gif pcx png psd tif  is what http://tinypic.com/ checks.
You could limit the images to be hosted on known image host like tinypic or other popular ones.

[lolninja]

Hey, I've not tried out this article to see how usable it is, but its worth a read, as it basically means hackers can do nasty nasty stuff to your users.

http://ez.no/developer/articles/dangers_of_csrf_and_xss/on_fake_images_can_anything_be_done

[Nox]

However you afaik can't work with every image type with PHP's GD líbrary, from what I found only IMG_GIF | IMG_JPG | IMG_PNG | IMG_WBMP | IMG_XPM are supported.

Do not rely on $_FILES, check with getimagesize or mime_content_type.

And beware GIFs more here: http://www.scanit.be/uploads/php-file-upload.pdf (I had problems opening it in browser acrobat plugin, but downloaded it works fine)

[codestryke]

Couple things to remember when dealing with off site image links:

You are dependent on the other server being online. If the server is down your page will suffer. Well not really but that's how the user is going to see it.

Resizing using html is just resizing the display it's still pulling the full image. So a very large graphic can and will take a long time to pull down and thus make your site seem slow.

Checking for off site file types is tricky just ask the programming guys over at phpBB

If you really want to do this I would highly recommend storing them on your server. The questions you are asking shows that you are not yet at the level or knowing all the traps you can encounter when dealing with off site image hosting.

[Slashmore]

Couple things to remember when dealing with off site image links:

If you really want to do this I would highly recommend storing them on your server. The questions you are asking shows that you are not yet at the level or knowing all the traps you can encounter when dealing with off site image hosting.

I have to agree with this, On my site you put a link to the image you want to disply, That link will show as a picture on your profile, I have had a few people post a php file as thier image so when players view thier profile it will redirect to thier site. I will be switching mine so you have to upload the image to my server then it will use the latest image uploaded.

[cdoyle]

darn, why didn't I get any notifications of responses.

I ended up using getimagesize to verify the image.
If it comes back null, it won't add the URL,  if it does then it adds it to the db.

I also asked this over at devnetwork, and they recommended this method of checking them.   

I guess I can add a upload feature later, just not sure about having tons of images on my own server.   Never know if people are uploading anything copyrighted etc.

[JGadrow]

True, but that's why you place a disclaimer about uploaded content. Basically, make it the user's responsibility to be certain what they are uploading is not protected by copyright.

[Tomoso]

I would think have a disclaimer like Makari said should do the trick. Just make sure it's in an obvious place when users place a URL, and also maybe even include it in the terms & conditions upon sign up saying that they abide by it. You can also add a link for other users to "flag" a profile picture which should make your life easier when checking to see if said image is allowed.

[Serend]

Uploading the images to your server would be the safer method. Unless you have a content/file checker whenever you call the image url - the method above could easily be abused. Majority of hosting providers these days provide much more hdd space then you will ever use so I wouldnt worry about the amount of files just yet.

Security concern:

I provide a image url to a small 50x50 image or whatever your requirements are, its approved and url is uploaded. Then I delete the file from my server and I upload a much larger image under the same name or a malicious image that will then be used.

You could post this question on 30 different forums and get 60 different answers. Each one will likely be better than the other. While I know that using getimagesize() is a much easier method; if your in it for the long run it will be better to take some additional time to work out a better solution. Because the more popular your game gets the more likely someone will find a security concern.

I would really recommend reading the following suggested by Nox; as it provides great examples and solutions to the problem.

more here: http://www.scanit.be/uploads/php-file-upload.pdf

Best of luck!

[Scion]

rather than open up to every single source of images that there is how about restricting it to specific trusted image serving sites.

Im thinking Flickr and its like here. Then you already have some cover against pornogrpahic images and the like....similarly with copyright infringed images....

You also get support for resizing the actual image so you dont force clients to download the full size image and use css to resize...

or there is Gravatar who specialise in providing avatar images...

seems like a reasonable approach to me.