5

Ok people, despite the best-known-practices, today I decided to do this:

<img src='<? include("dir/dir/img.png"); ?>'>

With 6 different .png images.

Sadly, only 2 of the 6 were nicely visible on the browser.

Why were only 2 of the 6 images shown? Maybe some bits of data were lost on the way?

Thank you for your time :]

1
  • 3
    What are you trying to do? Why not just print the file path? Commented Aug 11, 2010 at 23:22

4 Answers

17

It does not work because the src attribute of an <img> tag is not supposed to contain the raw data of an image; rather, it is supposed to contain a URI that points to the image data.

By using data: URIs, you can embed the image directly in your (X)HTML document. Note that this will not work in many browsers such as older versions of Internet Explorer. As well, there are limits, such as the 32KB limit IE8 places on data: URIs.

Using PHP, here's what your code would look like:

<img src='data:image/png;base64,<?php echo base64_encode(file_get_contents("dir/dir/img.png")); ?>'>

Don't forget to change the image/png part of the URL if the type of image that you are using changes. For example, if you use a GIF image, change it to image/gif.


1 Comment

The weird fact is that it worked 2 times XD!!! but, alright, you just gave the right way. Thank you :]
5

That was not supposed to work at all.

For a standard way to do that (including images inline in the HTML document instead of pointing to their URL), see the data URI scheme.

2 Comments

Darn, ran out of votes for today. I think you should mention using file_get_contents to read a file instead of calling include. (included data is a security risk!)
You're right. If he controls the images, it's not necessarily a security risk, but the image may contain, by chance, the characters <?. Not to mention, it will output immediately, so he cannot manipulate the data to build the data URI.
4

include() tells PHP to parse that file. If, by any chance, it contains <?, you’ll be in real trouble. Instead, use readfile().

Additionally, Artefacto’s answer has to be considered as well.

3 Comments

Yes, xD I was thinking about it in my way home.
Indeed, and there is a HUGE vulnerability here. Open the image in Gimp, add PHP CODE in the COMMENTS section and try the include again. IT WILL EXECUTE PHP CODE FROM AN IMAGE FILE! -- very dangerous stuff using include for any file not expected to have PHP code. If you included a user-uploaded image, or even one you found (instead of created), you might be placing a back door on your server!
Yeah, that's what I meant. Actually, I successfully exploited a CMS using this technique once. :)
1
<img src='<?php echo 'data:image/png;base64,' . base64_encode(file_get_contents('dir/dir/img.png')); ?>'>
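Added example, not code from any of the answers above: it pulls the points made in this thread into one helper that reads the image as data with file_get_contents() instead of include(), detects the MIME type from the content rather than hard-coding image/png, and builds the data: URI. The names `image_data_uri`, `MAX_DATA_URI_BYTES` and `ALLOWED_TYPES` are assumptions, as is applying the 32KB IE8 figure to the whole URI; the sample image is constructed inline.

```php
<?php
// Added example: embed an image as a data: URI without handing it to the PHP parser.
const MAX_DATA_URI_BYTES = 32 * 1024;  // assumption: IE8's 32KB limit applied to the whole URI
const ALLOWED_TYPES = ['image/png', 'image/gif', 'image/jpeg'];

function image_data_uri(string $path): string
{
    // file_get_contents() returns the bytes as data; include() would parse them as PHP.
    $bytes = file_get_contents($path);
    if ($bytes === false) {
        throw new RuntimeException("cannot read $path");
    }
    // Detect the type from the content (fileinfo extension) instead of trusting the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!in_array($mime, ALLOWED_TYPES, true)) {
        throw new RuntimeException("not an allowed image type: " . var_export($mime, true));
    }
    $uri = "data:$mime;base64," . base64_encode($bytes);
    if (strlen($uri) > MAX_DATA_URI_BYTES) {
        throw new RuntimeException("data URI exceeds " . MAX_DATA_URI_BYTES . " bytes");
    }
    return $uri;
}

// Constructed sample: a 1x1 PNG with a PHP open tag appended, standing in for an
// image whose comment field or pixel data happens to contain "<?".
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
) . '<?php echo "parsed as code"; ?>';
$tmp = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($tmp, $png);

$uri = image_data_uri($tmp);
unlink($tmp);

// The appended tag survives only as base64 text inside the attribute; nothing ran.
echo '<img src="' . htmlspecialchars($uri, ENT_QUOTES) . '" alt="">', "\n";
```

Run it from the command line with `php`: the output is a single `<img>` tag, and the string "parsed as code" never appears because the file's bytes were never passed to the PHP parser.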
