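<?php

declare(strict_types=1);

// Serves a single image from a fixed directory, chosen by the `I` query
// parameter, and refuses anything that is not a listed image type or that
// resolves to a path outside that directory.

$rawName = $_GET['I'] ?? '';
// Filename, relative to $folder. $_GET is already URL-decoded once; the extra
// urldecode() is kept so links that encode twice keep working. Non-string
// input (?I[]=x) is treated as "no name".
$file = is_string($rawName) ? urldecode($rawName) : '';
$folder = "/htdocs/images/"; // Folder containing files - can be absolute or relative to current directory

// Ensure exactly one trailing slash. (The original test, preg_match('/$', ...),
// had no closing delimiter, so it always failed and unconditionally appended
// a second slash.)
$folder = rtrim($folder, '/') . '/';

// Reject empty names and embedded NUL bytes up front: neither can be a valid
// image name, and NUL bytes make the filesystem functions below bail out with
// a warning (PHP 7) or a ValueError (PHP 8).
if ($file === '' || strpos($file, "\0") !== false) {
    http_response_code(404);
    die("File doesn't exist.");
}

// Strip every period except the one before the extension so `..` segments
// cannot be formed from the request. preg_replace's limit is (count - 1);
// with zero or one period nothing is removed, matching the original.
$dotCount = preg_match_all('/\./', $file);
$the_path = $dotCount > 1
    ? (preg_replace('/\./', '', $file, $dotCount - 1) ?? '')
    : $file;

// Collapse every run of slashes, including a leading one, so "/etc/x.jpg"
// still lands inside $folder. (The original loop stopped when the only run
// was at offset 0, because strrpos() returned a falsy 0.)
$filename = preg_replace('@/{2,}@', '/', "{$folder}{$the_path}") ?? '';

// Canonicalise both sides and require the target to be a regular file whose
// resolved path starts with the resolved $folder. This, not the period
// stripping above, is what actually keeps the script inside $folder
// (a symlink inside $folder that points elsewhere is resolved and refused).
$base = realpath($folder);
$real = realpath($filename);
if ($base === false || $real === false || !is_file($real)) {
    http_response_code(404);
    die("File doesn't exist.");
}
$basePrefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
if (strncmp($real, $basePrefix, strlen($basePrefix)) !== 0) {
    http_response_code(404);
    die("File doesn't exist.");
}

// Only the following types of files will be displayed with this script.
// The lookup is case-sensitive, as it was originally: "JPG" is refused.
$mime = [
    'jpg'  => "image/jpeg",
    'jpeg' => "image/jpeg",
    'gif'  => "image/gif",
    'png'  => "image/png",
];

$ext = pathinfo($real, PATHINFO_EXTENSION); // '' when there is no extension

if (!array_key_exists($ext, $mime)) {
    http_response_code(403);
    echo "This type of file is not allowed to be displayed.";
} else {
    // Was $mime[$path_parts[extension]]: an unquoted constant, a warning on
    // PHP 7 and a fatal "undefined constant" Error on PHP 8.
    header("Content-type: " . $mime[$ext]);
    // Stop browsers re-sniffing a mislabelled upload as HTML/script.
    header('X-Content-Type-Options: nosniff');
    $size = filesize($real);
    if ($size !== false) {
        header('Content-length: ' . $size);
    }
    readfile($real);
}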