Migrating from phpThumb v1.7.11 or older
- These notes apply only to users calling phpThumb.php directly. Users instantiating their own phpThumb object should be unaffected.
If you are upgrading from phpThumb v1.7.11 or older, you may notice some changes in more recent versions of phpThumb that make the upgrade more involved than simply overwriting the previous version. These changes are designed to address some potential security issues and to encourage more secure configurations.
The most notable change is that high-security mode is enforced (or at least strongly encouraged). This means that every call to phpThumb.php must be made with a "hash" parameter, which is derived from the parameters with which phpThumb.php is called, plus your secret password as configured in $PHPTHUMB_CONFIG['high_security_password']. You are encouraged to set a complex password (obscure characters, a long passphrase, or both); a random password generator can be found at https://www.silisoftware.com/tools/password-random.php if you need help.
There is a helper function phpThumbURL() at the bottom of phpThumb.config.php that generates the URL for phpThumb.php with the required hash. Call it like:
echo '<img src="'.htmlspecialchars(phpThumbURL('src=/images/pic.jpg&w=50', '/path/to/phpThumb.php')).'">';
which will give you an image tag that looks like the following (htmlspecialchars() emits the & separators as &amp;, which the browser decodes back before requesting the URL):
<img src="/path/to/phpThumb.php?src=/images/pic.jpg&w=50&hash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
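To make the high-security mechanism concrete, the following is an added illustration written for this page, not phpThumb's own code: a URL builder that signs the request parameters the way phpThumbURL() does, and the server-side check that rejects any request whose parameters were changed after signing. It assumes HMAC-SHA256 keyed with high_security_password as the digest, a placeholder password, and the hypothetical function names signedThumbURL()/verifySignedRequest(); phpThumb's real hash construction may differ, so keep using the shipped phpThumbURL() helper in production.

```php
<?php
// Added illustration of a signed-URL scheme like phpThumb's high-security
// mode; this is NOT phpThumb's own code. Assumption: the digest is
// HMAC-SHA256 over the canonical query string, keyed with
// $PHPTHUMB_CONFIG['high_security_password']. The shipped phpThumbURL()
// may build its hash differently; this only explains the mechanism.
$PHPTHUMB_CONFIG = array(
    'high_security_password' => 'PLACEHOLDER-change-to-a-long-random-passphrase',
);

// Canonical query string: the same function is used on both sides so the
// hash is computed over byte-identical input (order and encoding included).
function canonicalQuery(array $params) {
    unset($params['hash']);
    ksort($params);
    return http_build_query($params);
}

// Generating side (your page): sign exactly the parameters being requested.
function signedThumbURL(array $params, $pathToPhpThumb, $password) {
    $query = canonicalQuery($params);
    $hash  = hash_hmac('sha256', $query, $password);
    return $pathToPhpThumb . '?' . $query . '&hash=' . $hash;
}

// Verifying side (phpThumb.php): recompute from the parameters actually
// received and compare in constant time. Any change to src, w, h, etc.
// breaks the match, which is what stops a visitor from requesting
// arbitrary files or sizes by editing the URL.
function verifySignedRequest(array $query, $password) {
    if (!isset($query['hash']) || !is_string($query['hash'])) {
        return false;
    }
    $expected = hash_hmac('sha256', canonicalQuery($query), $password);
    return hash_equals($expected, $query['hash']);
}

$password = $PHPTHUMB_CONFIG['high_security_password'];
$url = signedThumbURL(array('src' => '/images/pic.jpg', 'w' => 50), '/path/to/phpThumb.php', $password);
echo '<img src="' . htmlspecialchars($url) . '">', PHP_EOL;

// Simulate what phpThumb.php would see in $_GET for that URL.
parse_str(parse_url($url, PHP_URL_QUERY), $received);
echo 'untouched request: ', verifySignedRequest($received, $password) ? 'accepted' : 'rejected', PHP_EOL;

// Edit one parameter after signing: the original hash no longer matches.
$received['w'] = '5000';
echo 'tampered width:    ', verifySignedRequest($received, $password) ? 'accepted' : 'rejected', PHP_EOL;
```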
The other notable change is that debug mode is off by default and cannot be enabled on a production server. If it is enabled, phpThumb.php will always return debug information instead of the processed thumbnail. Leave it off unless you are troubleshooting a specific problem.