PHP script in image discussion

[Chrono Archangel]

OK well i remember seeing Kane IIRC trying to do this once for a random avatar script that works with vBulletin (they dont allow php as avatars..)
Well this just got my attention. Most of you have probably seen this image many times



it runs a PHP script in the picture. Maybe it could be a way to have a random image script in the picture. I dont know if your following me here...
Aniway i made this thread so ideas can be givin on how this could be done (if it can be done) since the author of that image wont reveal his code (of course :P).

so if anyone has an idea then please share with others. im probably not the only one who is interested in this

[RamsusX]

Here's how: They use some of the information you send in your HTTP Get request header when your browser requests the image from their server (which is really a program that is set up to be executed when "http://www.danasoft.com/vipersig.jpg" is requested). It then generates a JPEG image, sends an HTTP header in reply saying they're sending Content-Type image/jpeg and sends over the generated JPEG image.

I don't have any HTTP references on hand, and I don't do any real server-side development regularly, so I can't post any code examples.

EDIT: Maybe I'll write something a bit later, eh?

[RamsusX]

Create a simple PHP script that gets the HTTP header information from the proper environment variables like this one: http://ramsus.guiltyparties.com/image.php.txt

It could also make use of other information obtainable not just through CGI environment variables provided by the server, but also by piping the output of a program.

Create an image like this one: http://ramsus.guiltyparties.com/test.png

Then add a .htaccess file to a subdirectory with the contents:

Action image/png /image.php

I added mine to http://ramsus.guiltyparties.com/image/ so now any request to a .png file from that location will return the output of http://ramsus.guiltyparties.com/image.php (keep in mind that even if there is a .png file already there, it will still return the output of image.php instead, which is why I put it into a subdirectory).

See here: http://ramsus.guiltyparties.com/image/whatever.png

[scottlc]

It is impossible to make a random avatar on emuforums since it makes it's own local copy of your avatar.

[Chrono Archangel]

Quote:

Originally Posted by scott_uk5

It is impossible to make a random avatar on emuforums since it makes it's own local copy of your avatar.

even if its offlinked?

oh and RamsusX. thx for all that info ill look more into it since im no hardcore php coder :P but its eems wuite simple how you explain it thx

[Keith]

yeah vB makes a local copy of the avatars when offlinked so .. it won't work. I have a script that works great and could be used with the .jpg or .gif extension rather then .php .. which helps get around some restriction some boards have for dynamic signatures. It does work on the avatar as well, but only forums that do not mirror a copy localy.

[Chrono Archangel]

Quote:

Originally Posted by Keith

yeah vB makes a local copy of the avatars when offlinked so .. it won't work. I have a script that works great and could be used with the .jpg or .gif extension rather then .php .. which helps get around some restriction some boards have for dynamic signatures. It does work on the avatar as well, but only forums that do not mirror a copy localy.

ohh ok. is there a feature in the admin panel that can remove that? i mean it should have such an option. no?

[Keith]

no clue, I could look on EmuTalk.net .. I am an admin there so I could check to see if an option exists.

[Chrono Archangel]

Quote:

Originally Posted by Keith

no clue, I could look on EmuTalk.net .. I am an admin there so I could check to see if an option exists.

ok. but isnt PHPscript like that in an image dangerous for the other forums? i mean anyone could launch a script int heir an possibily do dammage?

[RamsusX]

Quote:

Originally Posted by Chrono Archange

ok. but isnt PHPscript like that in an image dangerous for the other forums? i mean anyone could launch a script int heir an possibily do dammage?

No, it's perfectly secure.

[Chrono Archangel]

but i mean like if you take Invision board for exemple. couldnt you right a script to get the config file and upload it to where ever you want?

[RamsusX]

Quote:

Originally Posted by Chrono Archange

but i mean like if you take Invision board for exemple. couldnt you right a script to get the config file and upload it to where ever you want?

The PHP script isn't IN the image. A PHP script creates the image and sends it. This means that the image that has been created is just an image. It can't do anything an image can't do.

The server with the Message Board doesn't even touch the image unless it's stored locally on the server. It simply sends HTML with an IMG tag with the URL to the image. Your browser is what downloads the image. The image data is never touched by the server with the message board.

[Chrono Archangel]

Quote:

Originally Posted by RamsusX

The PHP script isn't IN the image. A PHP script creates the image and sends it. This means that the image that has been created is just an image. It can't do anything an image can't do.

The server with the Message Board doesn't even touch the image unless it's stored locally on the server. It simply sends HTML with an IMG tag with the URL to the image. Your browser is what downloads the image. The image data is never touched by the server with the message board.

ohhh ok. now i get it. so each time the script is read it makes a new pictures depending on what is changed. see i thought the script was in the image....its all clear now

[Bobbi]

Well, let's jump straight into this thread The way vBulletin caches stuff *is* for security reasons ... this isn't directly related to the PHP code being any dangerous (which it isn't, as it gets executed on another server) but the possibility to get the session ID of an user through this. However it needs to be added, that vB3 has a pretty complex but good way to work around this - however, as it's still in beta testing stages, this is de-activated for now. Look forward to host dynamic signatures @ NGEmu starting with vB3 RC1.

[Galway no Sora]

Good news from you, Bobby. At least we don't need to create that difficult script for dynamic sign .

[scottlc]

Let me just elaborate on what Bobbi has said. If users disable the use of cookies then vBulletin stores the user id in the URL. So a script could analise the HTTP_REFERER and then learn your session ID.

[nitr021]

hey ive got a script its working but not exactly as danasoft
i just wana know wot script rasmusx used to do it.

here is my working one if anyone want to know how i did please post or else i wouldn't be asked to.
change the x's in http://icefuzion.com/mm/xxxx.jpg into what ever you want.
here is an example.

[Ramsus K]

Don't bring up dead threads, especially with off-topic posts.

Also, I just went and wrote my own PHP script, but that post is a few years old so it isn't around anymore. It takes only a few minutes to write one and photoshop some images.

[RF]

Yes, please dont revive old threads.

-Closed