Using TimThumb Part 2: External Websites
Of all the TimThumb feature requests the most popular are being able to crop an image from a specified location, and being able to load images from external websites. Resizing images from external images was added at the start of 2010 and seems to be working really well.
Like all things TimThumb I tried to make it as easy as possible to use the external images feature, however I had to keep security in mind. Opening up external resizing would potentially open up the opportunity to inject code onto peoples websites. My solution to this was to restrict the sites that have resizable images to a select few.
By default TimThumb can resize images hosted on flickr.com, picasa.com, blogger.com, wordpress.com, and img.youtube.com. In my experience these are the sites people request to be able to resize from the most (actually Flickr is the most popular – I thought the others might be useful).
If you want to change this list yourself you will need to open up timthumb.php in your favorite text editor (notepad is fine) then find and update the $allowedSites array.
Usage
Usage for this feature is nice and easy. You use the same commands as you would when resizing any other image. Just specify the src parameter as mentioned in the Getting Started with TimThumb article and you will be golden.
Potential Problems
There are two areas where there could be problems with offsite image resizing.
- Folder Permissions. Accessing the external images can be slow so they are stored in the cache directory setup in getting started article. For this to work the ‘cache’ directory must be created in the same directory as timthumb.php and it must have it’s file permissions set to 775.
- Allowed Site Restrictions. As I mentioned earlier in this article there is a list of websites inside the TimThumb script and if you are trying to resize an image that is not on an allowed domain then it simply won’t work.
Demo
Not really sure a demo is needed for this but I made one anyway π – check it out the TimThumb External Image Resizing on the demo site.
Categories
Ben View All
Ben is a lifelong Nintendo fan who also likes to build websites, and develop games. He also buys way too much Lego.
This looks like it could be really useful for an export from an old site I’m doing, where the images aren’t part of the export, but the urls are. Once the old site goes down, will the cached version be enough, or does this still rely on the original image being present?
The temp files (for external sites) are kept indefinitely I think. The cache files (for resized images) get refreshed, but as far as I can remember that doesn’t happen for the external files.
Is there any way to remove limitation of external website?
How about $disallowed sites, might be handy.
Hello, how can I remove limitation for external website? I do not want to add website urls every time… thanks
Sweet been waiting for this a long time ago, to grab from my flickr photo stream, you rock mate
Hey Cris – glad you find it useful π
Hi, if you want to use timthumb in WordPress themes or plugins I suggest to reade this article http://www.wp-coder.com/wp-programming/how-to-create-wordpress-gallery-with-timthumb-2/
Thanks for the link however I’m not sure that article has a huge amount of helpful content in it. For starters the script is GPL – and secondly modifying the code for a theme is totally unnecessary and not recommended. If there are updates to the script then you will need to make those changes again. Currently I am releasing updates quite regularly so this could become quite a problem.
I’m having problems pulling images from media.tumblr.com. I’ve added it to the $allowedSites array, and tried hunting down the relevant code in the Cross Domain version, but to no avail.
Is this an issue with accessing tumblr by curl? or am I missing something.
Well, you have to check if there is any TEMP directory in …/wp-content/themes/”your theme”/ (where “timthumb.php” file is located). If not, you have to create it and set permissions to 755. π (example: “…/wp-content/themes/obscrure/temp/”)
Hi Ben!
I am using TimThumb with Mimbo free theme for WordPress. I have tried everything (updated to 0777, created the temp folder…) but still not able to see images from external URLs in homepage. I updated the theme’s timthumb with the latest code (which includes the allowed servers) but it didn’t work either… actually, it did not even show the pictures I have uploaded to my server. So I had to reverse to Darren’s version. I have read all the threads open about this known issue but I am a bit confused about the solution… is there any new recipe around to fix it? Having to upload all the pics to the server will be a big issue in my case π
thxs
maria
This isn’t a known issue. It’s probably just one tiny thing wrong with your setup. I am actually in the middle of writing a post on common problems with TimThumb, and how to solve them. It will be published in the next couple of days.
Hi Ben,
ummm, my problem seems to be common, as you may see a lot of people are having the same issue…
http://code.google.com/p/timthumb/issues/detail?id=102
hope you can throw a bit of light over this with your post.
π
ta
The problem is that people don’t know how to make the required changes. The code works fine so it’s not a technical issue I can solve with code. If you follow all of the instructions in the post above then it ‘should’ work.
How did you do this? Where do i go to do this….whicj file and where in the code? I have recently migrated a bunch of blogs and they tt script isn’t firing the images.
You need to edit TimThumb.php – there are comments in the file that explain what to change (this is mentioned in the article above).
The script allows you to define ALLOW_EXTERNAL which should allow any external domain to be used, but ALLOW_EXTERNAL does not appear to be referenced in the script.
Change line 603
if ($isAllowedSite) {to
if ($isAllowedSite || ALLOW_EXTERNAL) {and all should work well
You’ve been reading the source code π I have been playing with the source and added that in but I haven’t actually added the code to make it work π To be honest I had forgotten I had added the define, so I shall make it all work in the next update.
Hi Ben,
Thanks for the script, it’s great. Any possibility in allowing percentages for width and height anytime soon? Is that possible?
That would be great for fluid layouts.
Thanks again!
Libby
Hi Libby. Unfortunately percentages is not technically possible. TimThumb needs to know a width and height to be able to scale the image. What you would need to do is to set the width and height of your image in the html. This is how any images would be resized on a web page.
i like this script.. but how can i use a default image (eg. http://www.binarymoon.co.uk/default.jpg if the image is on an extrenal website
Glad you like the script π
Default images are left up to your website to decide. All TimThumb does is resize the images in you give to it. If there’s nothing to send to it then don’t display it or give it your default image.
Hi!
Is there any way to make TT work with Flickr urls like:
http://www.flickr.com/photos/jam343/1703693/
or
http://www.flickr.com/photos/10433743@N06/5340213219/
?
Thanks! =)
Ricardo
Not that I am aware of I’m afraid. Would need to have some sort of api, and that’s not really something I want to start building into TimThumb as that moves away from the simplicity of the script (ie – it resizes images)
Hi Ben,
Is there any tweak that make the thumbnails show for both images that are hosted in my own domain and external source simultaneously? If yes, could you tell me how?
I can have external images show up in the thumbnail, but then images hosted at my own domain is no longer showing in the thumbnail.
Hi – the information I posted above explains how to do this. If you are getting something different then you have modified the script incorrectly I’m afraid
Hi. I got it right now. Thanks. That’s really a nice script.
Hi Ben,
Thanks for the great script.
I’ve been trying to use the script to generate thumbnails for images hosted on posterous.com. For some reason, the script failed to work. I guess the image URL provided by Posterous is not actually the real URL as my internet browser gets forwarded to another URL everytime I access an image URL from Posterous. Have you ever come across this issue?
Thanks!
If you view a posterous image (right click, open image in new tab, or something like that) then it’s likely the image url will change. It looks like Posterous store their images on amazon s3/ cloudfront, so link to that, and make sure amazon is in the white list, and the resizing should work.
Thanks for the reply.
Yes, I have put Amazon S3 (the proper URL) in the white list but it didn’t work. I got an error message saying ‘Invalid src mime type:’ when I tried to access the Timthumb-generated image URL.
I also found out that there are some additional parameters in a Amazon-hosted image URL, e.g. AWSAccessKeyId, Expires, and Signature. Do you think these parameters prevent TimThumb from working? I tried to delete those parameters and access the image URL. I was forwarded to an XML page saying ‘Access denied.’
can you post a url you are using as an example please?
This is an example:
Posterous URL:
http://posterous.com/getfile/files.posterous.com/jenrusso/2HewI75bDcQ16Gps6jaeXhLX8BCZ5m5vgdh4CZsxNoLeTkceF6FT1wIHvAqK/PastedGraphic-3.tiff.scaled.500.jpg
Amazon S3 URL:
http://s3.amazonaws.com/files.posterous.com/jenrusso/2HewI75bDcQ16Gps6jaeXhLX8BCZ5m5vgdh4CZsxNoLeTkceF6FT1wIHvAqK/PastedGraphic-3.tiff.scaled.500.jpg?AWSAccessKeyId=1C9REJR1EMRZ83Q7QRG2&Expires=1295996551&Signature=lcu0CYpgzjfzlMjMHO%2Fk2sWHxD4%3D
As for the Amazon S3 URL, chances are that you can access it or that it will give you an XML error message saying that the request has expired (because it will have been a while since I post this message and the time you read it). You will then have to access the original Posterous URL to get new values for the parameters, i.e. AWSAccessKeyId, Expires, and Signature.
Thanks a million.
Ben, I replied to your previous comment the other day. Hopefully it didn’t get caught as spam.
Thanks.
Hi Hanna – it didn’t get caught in the spam, but it did require approval and I haven’t been online. I’ll take a look at the problem when I get a chance.
For the time being I would recommend linking directly to the amazon s3 image rather than posterous. The script doesn’t follow forwards so won’t work properly. Once downloaded the amazon image will be cached on your website so you won’t need to access it again.
Hello,
after hours of research and try and error unfortunately I have to ask for help. Unfortunately I am not that familiar with PHP.
I am using TimThumb with the MIMBO 3.0 theme – it works great with all pictures. Unfortunately I had to upgrade my server package so I try to optamize as much as possible so I decited to upload my pictures on a subdomain ‘images.my-website.com’. Since this change the thumbnails don’t work anymore.
1. problem: the MIMBO Version of TT ist a lot different that the recent version. I tried to paste single lines and refresh but a lot of them disabled TT for all pictures.
I added the lines in this article – I added the subdomain to the array but nothing changed.
2. the generated path to the image looks like:
/wp-content/themes/mimbo/scripts/timthumb.php?zc=1&w=70&h=140&src=/picture.jpg
with massege: “/picture.jpg not found.”
BUT when I edit it to:
/wp-content/themes/mimbo/scripts/timthumb.php?zc=1&w=70&h=140&src=images/picture.jpg
the thumbnail is shown correctly. I suppose the problem is than the subdomain ‘images’-part in ‘images.my-website.com’ has been ignored.
What can I do to integrate the subdomain to the path – and how can I change it without make it my old pictures disappear?
PS: as I moved from blogspot for a while a lot of my older pictures are hosted on picasa. They don’t show up eather. The same with imageshack.us.
Thank you for your time!
I just replaced the MIMBO-Version with the new TimThumb-Version that you tweeted. All old pictures work this time. I am happy to use the newest version. But the new pictures with the subdomain still don’t appear.
I right-clicked on the picture and received the error:
Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(../../../../../CIMG2531-640×480.jpg) is not within the allowed path(s): (/www/htdocs/w00baad6/:/tmp:/usr/bin:/www/htdocs/w00baad6:/bin:/usr/local/bin:/usr/share/php) in /www/htdocs/w00baad6/wp-content/themes/mimbo/scripts/timthumb.php on line 763
Warning: Cannot modify header information – headers already sent by (output started at /www/htdocs/w00baad6/wp-content/themes/mimbo/scripts/timthumb.php:763) in /www/htdocs/w00baad6/wp-content/themes/mimbo/scripts/timthumb.php on line 790
file not found
Query String : zc=1&w=70&h=140&src=/picture.jpg
TimThumb version : 1.22
Glad the new version is working well for you π
Do you have a url I can look at so I can see the problem for myself?
Sure,
it’s http://www.magi-mania.de (if you don’t mind, maybe you can edit and remove afterwords).
I left the article BEI INGLOT HAT MAN BLUT GELECKT (German) with the subdomain-thumbnail on the homepage. All newer ones I edited and changed the url (destination folder) so they show up correctly for the readers.
Thanks a lot.
If you right click and view the image you get this: http://www.magi-mania.de/wp-content/themes/mimbo/scripts/timthumb.php?zc=1&w=80&h=65&src=/inglot-preisliste-imats.jpg
This tells me the image is here: http://www.magi-mania.de/inglot-preisliste-imats.jpg
And that file doesn’t exist. You are going to have to update the image urls I am afraid π
Thanks Million! man i was looking through the library to change … and end up with big headache lol
Ben, Is there any code for thimbthum that make the thumbnails show for both images that are hosted in my own domain and external source simultaneously? If yes, could you tell me how?
Hi Vino – what you’re asking for is exactly what happens now. The thumbnails should work for your website and the sites mentioned in the allowed_sites array.
There is something wrong with validate_url regex function. It gives false positive results. For example: http://i.ytimg.com/vi/dMH0bHeiRNg/default.jpg
This is the location of the thumbnail of a youtube video coming from API (Not like this: img.youtube.com/vi/dMH0bHeiRNg/0.jpg ). However, i.ytimg.com form gives a false positive “invalid url” error. The same is true for vimeo and dailymotion thumbnails.
Why do we need a validate_url by the way? We will try to take it by curl (or file_get_contents) and if url is wrong we will get an error there already. I think this should not be an error. It should be an additional warning to display if curl gives an error also, like “error reading file from blabla. please check url: http://i.ytimg.com/vi/dMH0bHeiRNg/default.jpg“.
I meant “false negative”, not false positive π
π I got what you mean. Thanks for the report. I must admit I googled for the regex. I shall see if I can find something better.
Although i am not as technical as Puck, I suspect i have the same issue.
I am using the mshots ability of wordpress to get a preview thumb.
From my frontpage code i get this:
domain.com/wp-content/themes/themename/scripts/timthumb.php?src=http://s.wordpress.com/mshots/v1/http%3A%2F%2Fwww.binarymoon.co.uk
which results in:
invalid url
Query String : src=http://s.wordpress.com/mshots/v1/http%3A%2F%2Fwww.binarymoon.co.uk
TimThumb version : 1.25
But, http://s.wordpress.com/mshots/v1/http%3A%2F%2Fwww.binarymoon.co.uk is a valid and working url.
So somewhere, something is going wrong π
you can’t use mshots with TimThumb I am afraid. You can specify a width when you call the mshots function, but otherwise it’s not going to work π
Hi Ben, I’m having the same trouble as Puck with the ytimg.com urls.
http://i.ytimg.com/vi/ldzMVqSgTT4/0.jpg
exists, but
http://testtrack.benfrain.com/wp-content/themes/testtrack/functions/timthumb.php?src=http://i.ytimg.com/vi/ldzMVqSgTT4/0.jpg
reports an invalid URL.
i managed to implement the regex from:
http://daringfireball.net/2010/07/improved_regex_for_matching_urls
and that seems to “validate” the ytimg.com images. certainly not checked extensively (i wouldn’t know how- regex loops like voodoo to me), but here is the new pattern:
$pattern = '#(?i)\b((?:[a-z][\w-]+:(?:/{1,3}|[a-z0-9%])|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()]+|\(([^\s()]+|(\([^\s()]+\)))*\))+(?:\(([^\s()]+|(\([^\s()]+\)))*\)|[^\s`!()\[\]{};:\'".,?«»ββββ]))#';
however, i have to wonder if Puck isn’t right about the valid url check being redundant. if i mod the script to
function validate_url ($url) {
return true;
}
or i could probably have commented out the
if (!validate_url ($src)) {
display_error ('invalid url');
}
but since i was playing w/ the regex pattern I was in the area and went w/ the former. either way, essentially removing the URL validation-
then i tried passing an improper URL and i get the error that the file wasn’t found… which makes sense as if you pass an invalid URL you aren’t likely to find the file!
Also getting a file not found error even when using the cat image you use in the demo. What would cause this?
Still unable to get this working.
Hi
Thanks for the lovely script and writing such a nice Tutorial.
I have a doubt and I want to share one of my weird experience.
First My Doubt
—————
If we want to turn off Caching .. I do not think it really turns off. Though we have a option defined in start for that.
My Weird Experience
——————–
First of all it is confusing. At some places of your tutorial you say .. Create Cache and Temp file and have 777 permission on them, and at same place 775 permission. I gave 777 to temp and cache dirs on a linux server. (Though in all of your script i could not locate “temp” dir and its use. π but i created temp dir just to be obedient to you)
On going to
http://www.myserver.com/tim/timthumb.php?src=http://farm3.static.flickr.com/2340/2089504883_863fb11b0a_z.jpg
I was getting 403 Forbidden error.
I then disabled the code of CURL so that script can use file_get_contents function . It did not helped me.
//if (function_exists (‘curl_init’)) {
if($skipthisstep == “yes”) {
Then I added following line on top to see what input the script was getting
if (isset($_GET[src]))
$bensrc = $_GET[src];
else
$bensrc = “”;
echo $bensrc;
exit();
I am very much surprised on the results that i saw.
If i do this
http://www.myserver.com/tim/timthumb.php?src=http://farm3
The script echoes “http://farm3”
http://www.myserver.com/tim/timthumb.php?src=http://farm3.
The script echoes “http://farm3.”
http://www.myserver.com/tim/timthumb.php?src=http://farm3.static
I get 403 Forbidden error instead of any echo from script.
It has nothing to do with your script as your script code even do not gets executed. This is what is happening to most people who are saying they are getting 403 Forbidden page error. This seems to be some weired server setting.
This is most weird error i have seen. The GET variable is dying on a DOT .
So i added urlencode along with str_replace of all dots in urls with a replaceable string (BENDOTT). And inside script i changed them back to dots.
Now my code is like this.
First lines after <?php
if (isset($_GET[src])) {
$bensrc = $_GET[src];
$bensrc = str_replace(“BENDOTT”,”.”,$bensrc);
} else
$bensrc = “”;
and a little below that look for
and comment it out and add $src = $bensrc; code
// sort out image source
//$src = get_request (‘src’, ”);
$src = $bensrc;
And WOW !! The code now works.
Make sure the place where you call the code you urlencode the URL and also convert the dots .
Ex: For a 300 width image at 80% Quality
$flickrpath = “http://farm3.static.flickr.com/2340/2089504883_863fb11b0a_z.jpg”;
$benurl = “300×300“;
This way all dots will be converted to BENDOTT and when received by resize script they will be converted back getting you rid of 403 Forbidden error.
I hope it helps someone.
Regards
BSMob.com Mobile Dev Team Member
Thanks for the pointers. I would always recommend people urlencode the paths as well, in fact I say so in the TimThumb tips and tricks article I wrote a few months ago.
Regarding the temp directory, that’s no longer needed. If you’re using the latest version of the script, which it seems you are, then you can forget about that. I should update the tutorial to reflect this.
In the above post
$benurl = “300×300”; is actually the HTML code that got executed here
The script is working perfectly, even with many images on the same page (tested with 120 images). Still there is something missing!
Is it possible to do html/css resizing when the external host is NOT in the $allowedSites ???
In other words, i would like the TimThumb.php to ignore any image that is not allowed, and let css/html to do the resizing.
Is it possible?
Thanks in advance
I’d suggest you do that inside the theme/ site code, there’s no way to do this in TimThumb currently.
It would be a nice addition for a future version though, to provide options for not-allowed images handling.
another question:
what can i do for image urls of this kind
http://i533.photobucket.com/albums/ee337/quiqliquid/Labels/Key Music/folder-3.jpg
there is blank space in the url, image is not parsed.
even if i use
http://i533.photobucket.com/albums/ee337/quiqliquid/Labels/Key%20Music/folder-3.jpg (%20 instead of space)
again image is not parsed.
is there a known solution for this?
Hi, i have one question.
If you got add a post thumbnail in 3.2.1, and use the βFrom URLβ option, there is no link to set the image specified as the thumbnail. You can only put it in the post. So can you fix this?
I don’t understand your request I’m afraid.
I think Rodrigo is talking about a WordPress plugin that uses timthumb.
@Puck No.
When i have to choose one thumbnail, the page have 3 tabs right?
“From PC”
“From URL”
“From media”
but i only can set one thumbnail from PC or from media, for other words i have to host the thumbnail on my server and i would like to know how can i fix this.
My English is not very good. π
I would like to have any external webpage images loaded. Instead of having a whitelist, how do I allow all sites?
Thanks
@Karl define (‘ALLOW_ALL_EXTERNAL_SITES’, true);
I’m having trouble trying to get the thumbnails to resize. I edited the timthumb.php to get the images to a 200×200 rather than the original thumbnail image size you added, but it stays the same. I changed the chmod and deleted the cached files, but nothing changes :\ Any help?
HI ben,
timthumb.php is not working on my site.. i have changed the directory permissions too. they are 777 now..
http://66.226.29.23/mosesblog/
note: script was working but as i moved my site from one server to another it stopped working….
Hi, noob question re allowing external sources. I get what I’m supposed to do, and where I’m supposed to do it, but I don’t know the proper syntax for HOW to add the external domain.
How do I add the domain I want allowed below? BTW, the domain I want allowed is: http://rlv.zcache.com (it’s Zazzle)
// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
if(! isset($ALLOWED_SITES)){
$ALLOWED_SITES = array ();
}
Thanks!
Can you provide an example, because I don’t know how to modify this code.
I have a gallery plugin that uses TimThumb, but it is failing. I’ve checked permissions on folders, but it might be because I’m behind a CDN, or not using “absolute paths”.
I’m just trying to fix this, if I can.
I read your article on TimThumb and CDNs, but I didn’t understand what to do, or even if I need to do anything.
I use prettyphoto (does this deploy TimThumb?) and generally have no image problems. Just with this gallery plugin.
Any help much appreciated.
I am afraid I don’t know what prettyphoto uses.
The allowedSites array is at the top of the script however it’s no longer called allowedSites, it’s now labelled as $ALLOWED_SITES – just search through the code – it should be straight forward.
Ughhh, this script is a pain. Where is the temp folder suppose to be located for this?
Sorry you find it hard to use. The temp directory is no longer required, you now only need the cache directory.
Hi there,
Moved servers and updated timthumb to the latest version. Now thumbs work for local files but not for external links such as youtube screencaps.
Both define (‘ALLOW_EXTERNAL’, TRUE); and define (‘ALLOW_ALL_EXTERNAL_SITES’, TRUE);
are on. However, i’m still having no luck with something like this:
http://noisecomplainerz.com/wp-content/themes/arras/library/timthumb.php?src=http://img.youtube.com/vi/1RRd_m18PFM/0.jpg
Thanks for the script.. trying to resize the external images now
Awesome function! I’m using this to resize amazon Partnernet images that I retrieve over the API. Really easy! Thanks a bunch!
Hi. I am trying to help a friend: http://pedagogul.com/ His WP blog uses timthumb and it worked for local hosted pictures, but now he is posting pictures from external sites (picasaweb.google.com) and I can’t seem to make them appear on the homepage
The error log says:
[06-Aug-2012 17:34:01 UTC] TimThumb Debug line 1127 [0.000045 : 0.000000]: Starting new request from 5.13.71.112 to /wp-content/themes/mimbo/scripts/timthumb.php?zc=1&w=105&h=85&src=/-ElZ4SOP5Q4Y/UB5zhMTbgyI/AAAAAAAAADk/RTP-iCffKII/s128/pedagogo_gaze.jpg[06-Aug-2012 17:34:01 UTC] TimThumb Debug line 1127 [0.001420 : 0.001366]: Could not find the local image:
My question is shouldn’t the src look like this:
wp-content/themes/mimbo/scripts/timthumb.php?zc=1&w=105&h=85&src=https://lh6.googleusercontent.com/-ElZ4SOP5Q4Y/UB5zhMTbgyI/AAAAAAAAADk/RTP-iCffKII/s128/pedagogo_gaze.jpg?? Why is the script shorting it? why is it cutting the first part, the domain..?Or am I looking the problem at a wrong angle? Thanks for any kind of help.
It’s the theme that is changing the image path – not the script. You’ll need to change how the theme manages the image thumbnails
Hi, thanks for the response. Any advice an how to do that? How to change the way the theme is managing thumbnails? thank you!
I have an issue with accessing the absolue URL of the images generated by the timthumb.php. I was doing SEO on my website, when I found about 10, 400 BAD REQUEST errors. I took a look at the URL it was giving me for each one, this is an example one of them:
http://927creative.com/wp-content/themes/kingsize/timthumb.php?src=http:/927creative.com/wp-content/uploads/2012/07/AudioSolutions.jpg&w=220&h=140&zc=1&q=100
Now the error is obvious, in this url like all the other urls it is missing a backslash in the ?src=http:/“/” . Where in timthumb.php do I inset this backslash?
You need to edit the theme/ website content, not TimThumb. The image is wrong wherever the image path is set so you need to change the stored path.
i cannot use this with google drive. Can help?
I doubt it will work with Google Drive I’m afraid.
is there any image hosting service that best work with timthumb
Hi
is there any way we can remove the timthumb.php from url query string, we need to support for seo based.