Problem using PHP script as image src in ProcessWire

[Juergen]

Hello @ all

I want to create a captcha image for a form, which can be reloaded on demand, if the user cannot read the captcha. The form will be created by a module, that is why this question is inside this category.

For this reason I want to create the captcha image on the fly by using a PHP file as image source instead of an image file.

// in a template file
$path = $config->urls->assets.'files/captchaimage.php';
echo '<img src="'.$path.'" />';

As you can see: the image source is not an image file (fe. captcha.png), it is a PHP file which creates the image on the fly.

I have added this file to site/assets/files because this folder can be reached from outside.

The captchaimage.php consists of the following code (only for testing purposes):

<?php
header("Content-Type: image/png");//change the php file to an image
$im = @imagecreate(110, 20)
    or die("Cannot Initialize new GD image stream");//creates an image with the resolution x:110 y:20
$background_color = imagecolorallocate($im, 0, 0, 0);//create a color with RGB
$text_color = imagecolorallocate($im, 233, 14, 91);
imagestring($im, 1, 5, 5,  "A Simple Text String", $text_color);//draws text to the image with the font:1 xpos:5 ypos:5
imagepng($im);//sends the image data to the user
imagedestroy($im);//destroys the image from the server
?>

This is not the real code for producing the captcha - it is only a simple code to create an image.

My problem is, that I cannot output the image on the template. I always get the message, that the image could not be loaded.

Can someone point me in the right direction, why this does not work?

Thanks in advance

[teppo]

41 minutes ago, Juergen said:

I have added this file to site/assets/files because this folder can be reached from outside.

...

My problem is, that I cannot output the image on the template. I always get the message, that the image could not be loaded.

As a security feature ProcessWire's .htaccess file blocks access to any PHP files in assets directory: https://github.com/processwire/processwire/blob/master/htaccess.txt#L383:L384. And there's also a separate (fallback) .htaccess file in /site/ or /site/assets/, which does the same.

If you want to provide direct access to a .php file, you'll have to...

• poke a hole in these rules on your own site (you could do that by creating a .htaccess file that you put on a specific folder, in which you specifically allow access to the file you know to be safe), or
• route the request via ProcessWire, or
• put it into a directory that is not protected in this way (such as root path).

[Juergen]

Thanks @teppo

I have thought that this will be the problem. I think I will create an extra folder with the required permissions for this reason.