Jump to content


Photo

action.php HTTP 400 Bad Request - What 'am I missing?


  • Please log in to reply
2 replies to this topic

#1 Scotty13

Scotty13

    Member

  • Member
  • PipPipPip
  • 62 posts

Posted 23 February 2012 - 01:45 PM

Building a photo album / upload image page in my website.
I have a page that’s giving me trouble… action.php

Error when I test in browser: HTTP 400 Bad Request / webpage cannot be found (highlighted below)

<?php

define('PHPWG_ROOT_PATH','./');
include_once(PHPWG_ROOT_PATH.'include/common.inc.php');

// Check Access and exit when user status is not ok
check_status(ACCESS_GUEST);

function guess_mime_type($ext)
{
switch ( strtolower($ext) )
{
case "jpe": case "jpeg":
case "jpg": $ctype="image/jpeg"; break;
case "png": $ctype="image/png"; break;
case "gif": $ctype="image/gif"; break;
case "tiff":
case "tif": $ctype="image/tiff"; break;
case "txt": $ctype="text/plain"; break;
case "html":
case "htm": $ctype="text/html"; break;
case "xml": $ctype="text/xml"; break;
case "pdf": $ctype="application/pdf"; break;
case "zip": $ctype="application/zip"; break;
case "ogg": $ctype="application/ogg"; break;
default: $ctype="application/octet-stream";
}
return $ctype;
}

function do_error( $code, $str )
{
set_status_header( $code );
echo $str ;
exit();
}


if (!isset($_GET['id'])
or !is_numeric($_GET['id'])
or !isset($_GET['part'])
or !in_array($_GET['part'], array('t','e','i','h') ) )
{
do_error(400, 'Invalid request - id/part');}

$query = '
SELECT * FROM '. IMAGES_TABLE.'
WHERE id='.$_GET['id'].'
;';

$result = pwg_query($query);
$element_info = pwg_db_fetch_assoc($result);
if ( empty($element_info) )
{
do_error(404, 'Requested id not found');
}

// $filter['visible_categories'] and $filter['visible_images']
// are not used because it's not necessary (filter <> restriction)
$query='
SELECT id
FROM '.CATEGORIES_TABLE.'
INNER JOIN '.IMAGE_CATEGORY_TABLE.' ON category_id = id
WHERE image_id = '.$_GET['id'].'
'.get_sql_condition_FandF(
array(
'forbidden_categories' => 'category_id',
'forbidden_images' => 'image_id',
),
' AND'
).'
LIMIT 1
;';
if ( pwg_db_num_rows(pwg_query($query))<1 )
{
do_error(401, 'Access denied');
}

include_once(PHPWG_ROOT_PATH.'include/functions_picture.inc.php');
$file='';
switch ($_GET['part'])
{
case 't':
$file = get_thumbnail_path($element_info);
break;
case 'e':
$file = get_element_path($element_info);
break;
case 'i':
$file = get_image_path($element_info);
break;
case 'h':
if ( $user['enabled_high']!='true' )
{
do_error(401, 'Access denied h');
}
$file = get_high_path($element_info);
break;
}

if ( empty($file) )
{
do_error(404, 'Requested file not found');
}

if ($_GET['part'] == 'h') {
pwg_log($_GET['id'], 'high');
}
else if ($_GET['part'] == 'e')
{
pwg_log($_GET['id'], 'other');
}

$http_headers = array();

$ctype = null;
if (!url_is_remote($file))
{
if ( !@is_readable($file) )
{
do_error(404, "Requested file not found - $file");
}
$http_headers[] = 'Content-Length: '.@filesize($file);
if ( function_exists('mime_content_type') )
{
$ctype = mime_content_type($file);
}

$gmt_mtime = gmdate('D, d M Y H:i:s', filemtime($file)).' GMT';
$http_headers[] = 'Last-Modified: '.$gmt_mtime;

// following lines would indicate how the client should handle the cache
/* $max_age=300;
$http_headers[] = 'Expires: '.gmdate('D, d M Y H:i:s', time()+$max_age).' GMT';
// HTTP/1.1 only
$http_headers[] = 'Cache-Control: private, must-revalidate, max-age='.$max_age;*/

if ( isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) )
{
set_status_header(304);
foreach ($http_headers as $header)
{
header( $header );
}
exit();
}
}

if (!isset($ctype))
{ // give it a guess
$ctype = guess_mime_type( get_extension($file) );
}

$http_headers[] = 'Content-Type: '.$ctype;

if (!isset($_GET['view']))
{
$http_headers[] = 'Content-Disposition: attachment; filename="'.$element_info['file'].'";';
$http_headers[] = 'Content-Transfer-Encoding: binary';
}
else
{
$http_headers[] = 'Content-Disposition: inline; filename="'
.basename($file).'";';
}

foreach ($http_headers as $header)
{
header( $header );
}

// Looking at the safe_mode configuration for execution time
if (ini_get('safe_mode') == 0)
{
@set_time_limit(0);
}

@readfile($file);

?>
  • 0

#2 Wickham

Wickham

    Advanced Member

  • Advanced Member
  • PipPipPipPip
  • 1,732 posts
  • LocationSalisbury UK

Posted 23 February 2012 - 02:25 PM

include/common.inc.php...webpage cannot be found. Should it have two extensions .inc and .php ?
  • 0

#3 Scotty13

Scotty13

    Member

  • Member
  • PipPipPip
  • 62 posts

Posted 23 February 2012 - 03:53 PM

include/common.inc.php...webpage cannot be found. Should it have two extensions .inc and .php ?

Yes, thats the name of the file. I've downloaded this script for free from a php script website. I just test that page and got the error...

Fatal error: Hacking attempt! in /home/myglobal/public_html/root/myvcphotos6/include/common.inc.php on line 1
Heres the script...

<?php

defined('PHPWG_ROOT_PATH') or trigger_error('Hacking attempt!', E_USER_ERROR);

// determine the initial instant to indicate the generation time of this page
$t1 = explode( ' ', microtime() );
$t2 = explode( '.', $t1[0] );
$t2 = $t1[1].'.'.$t2[1];

@set_magic_quotes_runtime(0); // Disable magic_quotes_runtime

//
// addslashes to vars if magic_quotes_gpc is off this is a security
// precaution to prevent someone trying to break out of a SQL statement.
//
if( !@get_magic_quotes_gpc() )
{
function sanitize_mysql_kv(&$v, $k)
{
$v = addslashes($v);
}
if( is_array( $_GET ) )
{
array_walk_recursive( $_GET, 'sanitize_mysql_kv' );
}
if( is_array( $_POST ) )
{
array_walk_recursive( $_POST, 'sanitize_mysql_kv' );
}
if( is_array( $_COOKIE ) )
{
array_walk_recursive( $_COOKIE, 'sanitize_mysql_kv' );
}
}
if ( !empty($_SERVER["PATH_INFO"]) )
{
$_SERVER["PATH_INFO"] = addslashes($_SERVER["PATH_INFO"]);
}

//
// Define some basic configuration arrays this also prevents malicious
// rewriting of language and otherarray values via URI params
//
$conf = array();
$page = array();
$user = array();
$lang = array();
$header_msgs = array();
$header_notes = array();
$filter = array();

if (is_file(PHPWG_ROOT_PATH .'local/config/multisite.inc.php'))
{
include(PHPWG_ROOT_PATH .'local/config/multisite.inc.php');
define('PWG_LOCAL_DIR', $conf['local_dir_site']);
}
else
{
define('PWG_LOCAL_DIR', 'local/');
}

@include(PHPWG_ROOT_PATH.PWG_LOCAL_DIR .'config/database.inc.php');
if (!defined('PHPWG_INSTALLED'))
{
header('Location: install.php');
exit;
}

foreach( array(
'array_intersect_key', //PHP 5 >= 5.1.0RC1
'hash_hmac', //(hash) - enabled by default as of PHP 5.1.2
'preg_last_error', // PHP 5 >= 5.2.0
'json_encode', // PHP 5 >= 5.2.0
) as $func)
{
if (!function_exists($func))
{
include_once(PHPWG_ROOT_PATH . 'include/php_compat/'.$func.'.php');
}
}

include(PHPWG_ROOT_PATH . 'include/config_default.inc.php');
@include(PHPWG_ROOT_PATH. 'local/config/config.inc.php');
if (isset($conf['local_dir_site']))
{
@include(PHPWG_ROOT_PATH.PWG_LOCAL_DIR. 'config/config.inc.php');
}

// that's for migration from 2.2, will be deprecated in 2.4
if (isset($conf['order_by']))
{
$conf['order_by_custom'] = $conf['order_by'];
}
if (isset($conf['order_by_inside_category']))
{
$conf['order_by_inside_category_custom'] = $conf['order_by_inside_category'];
}

include(PHPWG_ROOT_PATH .'include/dblayer/functions_'.$conf['dblayer'].'.inc.php');

if(isset($conf['show_php_errors']) && !empty($conf['show_php_errors']))
{
@ini_set('error_reporting', $conf['show_php_errors']);
@ini_set('display_errors', true);
}

include(PHPWG_ROOT_PATH . 'include/constants.php');
include(PHPWG_ROOT_PATH . 'include/functions.inc.php');
include( PHPWG_ROOT_PATH .'include/template.class.php');

// Database connection
try
{
$pwg_db_link = pwg_db_connect($conf['db_host'], $conf['db_user'],
$conf['db_password'], $conf['db_base']);
}
catch (Exception $e)
{
my_error(l10n($e->getMessage()), true);
}

pwg_db_check_charset();

load_conf_from_db();

if (!$conf['check_upgrade_feed'])
{
if (!isset($conf['piwigo_db_version']) or $conf['piwigo_db_version'] != get_branch_from_version(PHPWG_VERSION))
{
redirect(get_root_url().'upgrade.php');
}
}

load_plugins();

// users can have defined a custom order pattern, incompatible with GUI form
if (isset($conf['order_by_custom']))
{
$conf['order_by'] = $conf['order_by_custom'];
}
if (isset($conf['order_by_inside_category_custom']))
{
$conf['order_by_inside_category'] = $conf['order_by_inside_category_custom'];
}

include(PHPWG_ROOT_PATH.'include/user.inc.php');

if (in_array( substr($user['language'],0,2), array('fr','it','de','es','pl','hu','ru','nl') ) )
{
define('PHPWG_DOMAIN', substr($user['language'],0,2).'.piwigo.org');
}
elseif ('zh_CN' == $user['language']) {
define('PHPWG_DOMAIN', 'cn.piwigo.org');
}
else {
define('PHPWG_DOMAIN', 'piwigo.org');
}
define('PHPWG_URL', 'http://'.PHPWG_DOMAIN);

if(isset($conf['alternative_pem_url']) and $conf['alternative_pem_url']!='')
{
define('PEM_URL', $conf['alternative_pem_url']);
}
else
{
define('PEM_URL', 'http://'.PHPWG_DOMAIN.'/ext');
}

// language files
load_language('common.lang');
if ( is_admin() || (defined('IN_ADMIN') and IN_ADMIN) )
{
load_language('admin.lang');
}
trigger_action('loading_lang');
load_language('lang', PHPWG_ROOT_PATH.PWG_LOCAL_DIR, array('no_fallback'=>true, 'local'=>true) );

// only now we can set the localized username of the guest user (and not in
// include/user.inc.php)
if (is_a_guest())
{
$user['username'] = l10n('guest');
}

// template instance
if (defined('IN_ADMIN') and IN_ADMIN )
{// Admin template
$template = new Template(PHPWG_ROOT_PATH.'admin/themes', $conf['admin_theme']);
}
else
{ // Classic template
$template = new Template(PHPWG_ROOT_PATH.'themes', $user['theme'] );
}

if ( !isset($conf['no_photo_yet']) )
{
include(PHPWG_ROOT_PATH.'include/no_photo_yet.inc.php');
}

if (isset($user['internal_status']['guest_must_be_guest'])
and
$user['internal_status']['guest_must_be_guest'] === true)
{
$header_msgs[] = l10n('Bad status for user "guest", using default status. Please notify the webmaster.');
}

if ($conf['gallery_locked'])
{
$header_msgs[] = l10n('The gallery is locked for maintenance. Please, come back later.');

if ( script_basename() != 'identification' and !is_admin() )
{
set_status_header(503, 'Service Unavailable');
@header('Retry-After: 900');
header('Content-Type: text/html; charset='.get_pwg_charset());
echo '<a href="'.get_absolute_root_url(false).'identification.php">'.l10n('The gallery is locked for maintenance. Please, come back later.').'</a>';
echo str_repeat( ' ', 512); //IE6 doesn't error output if below a size
exit();
}
}

if ($conf['check_upgrade_feed'])
{
include_once(PHPWG_ROOT_PATH.'admin/include/functions_upgrade.php');
if (check_upgrade_feed())
{
$header_msgs[] = 'Some database upgrades are missing, '
.'<a href="'.get_absolute_root_url(false).'upgrade_feed.php">upgrade now</a>';
}
}

if (count($header_msgs) > 0)
{
$template->assign('header_msgs', $header_msgs);
$header_msgs=array();
}

if (!empty($conf['filter_pages']) and get_filter_page_value('used'))
{
include(PHPWG_ROOT_PATH.'include/filter.inc.php');
}
else
{
$filter['enabled'] = false;
}

if (isset($conf['header_notes']))
{
$header_notes = array_merge($header_notes, $conf['header_notes']);
}

// default event handlers
add_event_handler('render_category_literal_description', 'render_category_literal_description');
if ( !$conf['allow_html_descriptions'] )
{
add_event_handler('render_category_description', 'nl2br');
}
add_event_handler('render_comment_content', 'render_comment_content');
add_event_handler('render_comment_author', 'strip_tags');
add_event_handler('render_tag_url', 'str2url');
add_event_handler('blockmanager_register_blocks', 'register_default_menubar_blocks', EVENT_HANDLER_PRIORITY_NEUTRAL-1);
trigger_action('init');
?>
  • 0




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users