file get contents is displaying image code rather than the actual image

Question

I am using file_get_contents to access a folder with images that has deny all htaccess with the following code:

      $idimages = 0; 
      while ($idimages < $edituser->idimages){ 
      //$edituser->verifyimg is stored like 123.png,image.png,another.jpg
      $imghref = explode(",",$edituser->verifyimg); 
      if (file_exists('userverify/'.$imghref[$idimages])) { 
      $imginfo = getimagesize('userverify/'.$imghref[$idimages]);
      header("Content-type: ".$imginfo['mime']); 
      echo file_get_contents('userverify/'.$imghref[$idimages]);
      //I was using this echo until I introduced the deny all htaccess and it no longer works
      //echo '<img src="'.URL." userverify/ ".$imghref[$idimages].'">&nbsp;'; 
      }
      $idimages++; 
      }

but when I view my page it shows lots of weird characters. I am confused as to what I have got wrong. userverify is the folder.

Answer 1

1. You cannot present more than one image at a time like that.
2. You should use readfile() rather than echo file_get_contents(), the file data is output directly, not read into memory and then output.
3. You should not embed image data into your page source.
   1. It bloats the page source, lengthening the page load time.
   2. Images are not downloaded in parallel, lengthening the page load time.
   3. Images are not cached, wasting network/IO bandwidth and lengthening subsequent page loads where a cached image may be used.

show_protected_image.php

<?php
$folder = '/path/to/denyall'

if( ! check_authorization() ) {
  header('HTTP/1.0 403 Forbidden');
  die('Access forbidden.');
}

$filepath = $folder.'/'.shell_escape($_GET['filename']);

if( ! file_exists($filepath) ) {
  header('HTTP/1.0 404 Not Found');
  die('File not found');
}

session_write_close();
/* only one session can be open at a given time, closing it here
   allows the other images to begin downloading without waiting
   for this one to finish. */
header("Content-type: ".$mimetype);
readfile($filepath);

show_images.php

<?php
foreach($imagelist as $image) {
  printf('<img src="show_protected_image.php?filename=%s">', $image);
}

Answer 2

put the header('Content-Type: image/jpeg'); outside the while loop.

you can only show 1 image this way.

if you want to display more than 1 image, you could use base64 inline or merge all images in one.

the merge is a bit complex. so i recommend you the base64 inline.

if (file_exists('userverify/' . $imghref[$idimages])) {

    $content = base64_encode(file_get_contents('userverify/'.$imghref[$idimages]));
    ?>
    <img src = "data:image/jpg;base64,<?=$content?>" />
    <?php
}

Answer 3

You aren't able to it this way. Usually an image-src is a request to the server to load the file. PHP with file_get_contents just grabs/reads the content of yout image file (binary)!! It's not possible to echo just the binary within that source in that way. will miss the header(s) and will not be able to guess what it has to display.

Things you can do:

(1) Follow the comment of Marc. => Wrap your code into yourscript.php and tell the src to request this file. Important is, jou need to send appropriate header (MIME)

(2) Use base64 within your image-src

<img src="data:image/png;base64,<?php echo base64_encode(file_get_contents(...)); ?>" />

Answer 4

the think you done wrong is that you're displaying images as plain text(well at least your server thinks so), and the characters are just images in plain text. putting header('Content-Type: image/jpeg'); ouside while loop should solve it

What's that? it simply sets your server to display image as image. not text.

Answer 5

This is why your webserver thinks you want to deliver text, so this weird characters is the source code of the image.

What you need is to set the right content-type, which can be achived though the header function.

If this will not work, check with cURL or your with your browser if the headers is really send.