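<?php
  // Serves a user's profile picture from the `UserPicture` table.
  //
  // Request:  GET ?UID=<int>   (a missing UID falls back to the placeholder row UID=-1)
  // Responses:
  //   200 + image bytes   picture is visible to the caller
  //   403                 no logged-in session
  //   404                 no such picture, or the hidden-picture placeholder row is missing
  //
  // Visibility rule: a picture whose `show` column is 'N' is replaced by the
  // placeholder picture (UID=-1) unless the caller is the picture's owner or
  // holds the "admin/UserPicture.php" right in $_SESSION['CVS'].
  include "../../camp2011/includes/config.php";
  include "../../camp2011/includes/error_handler.php";
  include "../../camp2011/includes/config_db.php";

  if(!isset($_SESSION))
    session_start();

  include "../../camp2011/includes/secure.php";

  // Parameter check. UID is an integer key (the placeholder row is -1), so the
  // (int) cast both validates the input and closes the SQL-injection hole that
  // concatenating the raw $_GET["UID"] string into the query opened.
  $uid = isset($_GET["UID"]) ? (int) $_GET["UID"] : -1;

  // Authenticate before touching the database: anonymous callers get 403 for
  // every UID, so the 403-vs-404 difference cannot be used to enumerate which
  // UIDs exist. (secure.php may already enforce a login; this check is kept
  // regardless so the script fails closed on its own.)
  if(!isset($_SESSION['UID']) || $_SESSION['UID'] == -1) {
    header("HTTP/1.0 403 Forbidden");
    die("403 Forbidden");
  }

  $res = mysql_query("SELECT * FROM `UserPicture` WHERE `UID`=" . $uid, $con);

  // A failed query returns false; treat it like "no row" instead of letting
  // mysql_num_rows() warn on a non-resource.
  if($res === false || mysql_num_rows($res) != 1) {
    header("HTTP/1.0 404 Not Found");
    die("404 Not Found");
  }

  // Who is asking? Strict integer comparison for the owner check, and the admin
  // right must be present AND not 'N'. The original compared the (possibly
  // unset) CVS entry with == "N", so a missing entry counted as "admin" and the
  // hidden picture was shown; now a missing entry means no right (fail closed).
  $isOwner = ((int) $_SESSION['UID'] === $uid);
  $isAdmin = isset($_SESSION['CVS']["admin/UserPicture.php"])
          && $_SESSION['CVS']["admin/UserPicture.php"] !== "N";

  // Hidden picture and caller is neither owner nor admin: serve the placeholder.
  if(mysql_result($res, 0, "show") === "N" && !$isOwner && !$isAdmin) {
    $res = mysql_query("SELECT * FROM `UserPicture` WHERE `UID`=-1", $con);

    if($res === false || mysql_num_rows($res) != 1) {
      header("HTTP/1.0 404 Not Found");
      die("404 Not Found");
    }
  }

  // Read the picture bytes from the DB row.
  $bild = mysql_result($res, 0, "Bild");

  // Output. The Content-Type comes from the DB row as stored at upload time
  // (not validated here); nosniff stops browsers from second-guessing it and
  // rendering an uploaded blob as HTML. Because the response requires a login
  // it must only be cached privately, never in shared caches — the original
  // "Cache-control: public" allowed exactly that, and its two
  // "Cache-request-directive" lines were not real HTTP headers at all.
  header("Accept-Ranges: bytes");
  header("Content-Length: " . strlen($bild));
  header("Content-type: " . mysql_result($res, 0, "ContentType"));
  header("X-Content-Type-Options: nosniff");
  header("Cache-Control: private, max-age=360");
  echo $bild;
  // No closing ?> tag: any whitespace after it would be appended to the image
  // bytes and make the body disagree with Content-Length.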