Imagine the following:
<img src="/image.php?image=5.jpg" />
Now, in image.php:
header('content-type: image/jpeg');
$image = imagecreatefromjpeg($_GET['image']);
imagejpeg($image,NULL,100);
This works, but this way the script loads the image, processes it, then echoes it. Can this be done without processing the image?
The reason why I want to do it this way is that I don’t want people to know where the images are located, therefore I don’t want to write the full path into the img src attribute.
I just need to send raw images to the browser, but without revealing their true location.
Yes, you can. Just readfile instead of imagecreatefromXXX + imagejpeg.
The /* process $_GET['images'] to recover the path */ part implies any sanitizing you need to do on the input to avoid that someone requests a forbidden file. If your script input is a file path, this may mean checking from a predefined list, stripping of possible directory separators, checking against a regex, etc. Another way would be to store paths inside a database and pass the script a simple id, and recover the file path with it. This might be a better idea, as users will see no mention of any file path on the script URL (if you just pass a path, people can actually guess where files are, and that’s what you’re trying to prevent).
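An added example, not part of the original answer, of the id-based approach it describes: image.php receives only a numeric id, looks the file up in a fixed map, and streams it with readfile. The names IMAGE_DIR, $imagesById and resolveImage, the sample file names and the list of allowed MIME types are assumptions made for illustration.

```php
<?php
// Added example, not from the original answer. IMAGE_DIR, $imagesById and
// resolveImage are assumed names; the map could equally be a database table.
declare(strict_types=1);

const IMAGE_DIR = __DIR__ . '/../private_images';   // assumed: outside the web root

// Constructed sample map: public id => file name inside IMAGE_DIR.
$imagesById = [5 => 'holiday.jpg', 6 => 'logo.png'];

function resolveImage(array $map, string $baseDir, $rawId): ?string
{
    // Accept only a short decimal id; arrays, paths and ".." never get further.
    if (!is_string($rawId) || preg_match('/\A[0-9]{1,9}\z/', $rawId) !== 1) {
        return null;
    }
    $id = (int) $rawId;
    if (!isset($map[$id])) {
        return null;
    }
    // Defence in depth: the resolved path must still sit inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $map[$id]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolveImage($imagesById, IMAGE_DIR, $_GET['image'] ?? null);
if ($path === null) {
    http_response_code(404);   // same answer for "unknown id" and "bad input"
    exit;
}

// Take the content type from the file itself, not from the request.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);   // streams the bytes as-is, no GD decode/re-encode
```

With this in place the tag becomes <img src="/image.php?image=5" />, and a request such as image=../../etc/passwd fails the id check before any file system call is made.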