by technimad 3232 days ago
I've created scripts like these as part of our home-brewed CMS system in the early 2000's.

Nice and easy DoS tool. Enumerate the width and height parameters and bring down the server fast.

Better way to do it is to specify, or allow admins to specify, a set of named sizes and only allow these named sizes.

You could also think about adding parameters to determine the crop, or force aspect ratio, etc. (with the same risk of DoS).


I did both and used a .htaccess rule to look for a sharded filepath based on the hash of the image requested and parameters in the url.

So you could do a1jjajda.jpg?size=200x150 and it would check for the existence of a/l/jjajda/200x150.jpg and, if it didn't exist, it would create it from a/l/jjajda/original.jpg, store it at the right place and serve it.

.htaccess file lookups meant I didn't have to boot PHP to serve an image the second time (we were using Laravel and even optimised it takes 30-40ms to come up) and, in 95% of cases, at all (particularly since I then wrote a shell script that trawled the paths, built a list of common sizes and named presets and requested them when the server was quiet).

It worked out pretty well actually and had the benefit of relying on extremely robust and well tested technology.

Those were some hinky looking regexes though.

    # Named preset: ?presets=thumb on files/a/l/jjajda/x.jpg maps to
    # files/a/l/jjajda/thumb_x.jpg ($1/$2/$3 are the shard directories,
    # %1 is the preset captured from the query string, $4 the file name).
    RewriteCond %{QUERY_STRING} ^presets=([a-zA-Z0-9_]+)?$
    RewriteRule ^files/(.*)/(.*)/(.*)/(.*) files/$1/$2/$3/%1_$4? [L,QSA]

    # Explicit size: ?options=200x150 (optionally wrapped in [] or {})
    # maps to files/a/l/jjajda/200x150_x.jpg the same way.
    RewriteCond %{QUERY_STRING} ^options=[\[|\{]?([0-9]*x[0-9]*)[\]|\}]?$
    RewriteRule ^files/(.*)/(.*)/(.*)/(.*) files/$1/$2/$3/%1_$4? [L,QSA]
That's exactly how I did it, and then the creation of a new cached file was handled by a PHP script run as the 404 ErrorHandler, which output the image to both the browser and the file system.

Still pretty dangerous stuff i.e. ?size=10000x2000000

Nah, I'm a cynical fucker, I had...

    $x = $x > 9000 ? 9000 : $x;
    $y = $y > 9000 ? 9000 : $y;
I also had checks for negative values and that what I got actually made sense as an integer, since, well, it's the internet and a GET request; they can put anything.

Tbh even 81MP was pushing it but I got to put the comment

// check and limit maximum image size // it's over 9000!

As someone who was around online back then how could I resist.

EDIT: Just remembered, I had to really resist the urge to change the returned image to a raised middle finger if either parameter was out of limit, not because I didn't think it was funny but because with my luck it'd be me that fat fingered it.
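Pulling the points made in this thread together (named presets, per-axis clamping, integer and sign checks, the sharded cache path, and generate-on-miss from the 404 handler) into one added example. This is not any commenter's code and not the CMS described above; the preset names, limits, path layout and the injected `$resize` callable are assumptions for illustration. It also goes one step beyond the per-axis clamp by enforcing a total pixel budget, since 9000x9000 is still 81 MP of decoded pixels (roughly 240 MB at 3 bytes per pixel) per request.

```php
<?php
// Added example, not code from the thread. Validates a ?size= request
// against named presets and hard limits, then maps it to a sharded cache path.
// PRESETS, MAX_DIM, MAX_PIXELS and the path layout are assumptions.

declare(strict_types=1);

const MAX_DIM    = 9000;             // per-axis cap, as in the comment above
const MAX_PIXELS = 16 * 1000 * 1000; // assumed total pixel budget (4000x4000)

// Sizes an admin would configure; with $presets_only these are the only ones accepted.
const PRESETS = [
    'thumb'  => [200, 150],
    'medium' => [800, 600],
    'large'  => [1600, 1200],
];

/**
 * Parse a size request. Returns [w, h], or null when the request is rejected.
 * Accepts a preset name, or "WxH" made of plain digits when presets are not enforced.
 */
function parse_size(string $raw, bool $presets_only): ?array
{
    if (isset(PRESETS[$raw])) {
        return PRESETS[$raw];
    }
    if ($presets_only) {
        return null;
    }
    // Digits only on both sides: rejects "-5x10", "1e9x1", "10x", whitespace, etc.
    if (!preg_match('/^([0-9]{1,7})x([0-9]{1,7})$/', $raw, $m)) {
        return null;
    }
    $w = (int) $m[1];
    $h = (int) $m[2];
    if ($w === 0 || $h === 0) {
        return null;
    }
    // Clamp each axis (it's over 9000!) ...
    $w = min($w, MAX_DIM);
    $h = min($h, MAX_DIM);
    // ... and refuse anything over the total pixel budget, since a clamp alone
    // still lets a client ask for 9000x9000 on every request.
    if ($w * $h > MAX_PIXELS) {
        return null;
    }
    return [$w, $h];
}

/**
 * Sharded cache path for an image id and a validated size, derived from a hash
 * of the id so the directory fan-out is even (assumed layout):
 * files/<h0>/<h1>/<rest of hash>/<w>x<h>.jpg, with the source at .../original.jpg.
 */
function cache_path(string $image_id, array $size, string $root = 'files'): string
{
    $hash = hash('sha256', $image_id);
    return sprintf('%s/%s/%s/%s/%dx%d.jpg',
        $root, $hash[0], $hash[1], substr($hash, 2), $size[0], $size[1]);
}

/**
 * What a 404 handler would do: serve the cached file if it exists, otherwise
 * build it from the original. $resize(src, dst, w, h) is injected so this runs
 * without GD or Imagick; a rejected size gets a 400, never a fallback size.
 */
function serve(string $image_id, string $raw_size, callable $resize, bool $presets_only = true): ?string
{
    $size = parse_size($raw_size, $presets_only);
    if ($size === null) {
        http_response_code(400);
        return null;
    }
    $target = cache_path($image_id, $size);
    if (!is_file($target)) {
        @mkdir(dirname($target), 0755, true);
        $resize(dirname($target) . '/original.jpg', $target, $size[0], $size[1]);
    }
    return $target;
}

if (PHP_SAPI === 'cli') {
    var_dump(parse_size('200x150', false));        // ordinary request
    var_dump(parse_size('10000x2000000', false));  // the size from the comment above
    var_dump(parse_size('-5x10', false));          // negative value
    var_dump(parse_size('thumb', true));           // named preset
    var_dump(parse_size('200x150', true));         // arbitrary size with presets enforced
    var_dump(cache_path('a1jjajda', [200, 150]));
}
```

Two things worth noting: the regex does the integer check up front, so there is no separate "is it negative" branch, and with `$presets_only` the arbitrary-size path is closed entirely, which is the safer default when the endpoint is reachable from the public internet.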

Having the resizing API exposed publicly like in the ajax example is definitely a bad idea.

The second example (labeled "html") demonstrates using it entirely serverside, which would be fine. That way, only the filename of the cached file is exposed.

...Which was how I did it in the late 90's.