People who can use .php as an image extension

Question

People who can use .php as an image extension

In any case, anyone can use any extension since they put .png at the end of the link

http://rsps50.com/logout.php?.png is that someone uses atm, it makes everyone on my site log out if they visit the home page.

here was my attempt to stop him, but it didn’t work :(

if (empty($_POST['banner'])) {
  echo '<font color="red">Please add a banner for your server</font><br />';
  $b = FALSE;
} else if (strpos($b, '.php') !== false) {
  echo 'You can only use image extentions';
  $b = 'http://image.com/image.png';
} else {
  $b = strip_tags($_POST['banner']);
}

I should note that I do not allow uploading images, I use an input field and then an echo link

<input name="banner" value="<?php if (isset($_POST['banner'])) echo $_POST['banner']; ?>" class="form-control" accept="image/x-png, image/gif, image/jpeg" type="text" placeholder="http://example.com/example.png" required>

Any ideas? thank

+4

html php mysql

Toplistrs Jun 16 '15 at 2:45

source share

1 answer

Marcos dimitrio · Accepted Answer · 2015-06-16T03:03:08+0000

You use a variable $bbefore assigning a value to it.

So the fourth line should be:

} else if (strpos($_POST['banner'], '.php') !== false) {

If you want to look for other extensions besides .php, you can use Regex as follows:

} else if (preg_match("/\.(?:html|php|asp|js)/i", $_POST['banner'])) {

People who can use .php as an image extension

More articles: