Thumbnail Creation via PHP

I got a bit tired of numerous security holes and sheer bulkiness of other thumbnail generation scripts, so decided to build my own from scratch, for local images only. Simply upload, create a writable cache directory and parse the image through the PHP script like so:

<img src='thumb.php?src=./images/photo.jpg&size=400x300' />

It's super simple and only 155 lines in total. You can specify the width and height, or just the width so the height will get calculated automatically and vice versa. It also allows you to set a maximum width/height, which is best suited for photo thumbnails.


  • File based cache
  • Automatic deletion of expired cache files
  • Optional browser based cache via the IF_MODIFIED_SINCE HTTP header
  • Multiple size types
  • Options whether to crop, trim, zoom and set alignment
  • Set sharpness based on a percentage midpoint between two values, so you can specify the strength of the sharpness rather than just turning it on or off

View the code and usage instructions on Github

18-Jul-2012 at 1:00pm

Joel wrote:

Nice script, will this suffer from having a huge number of cache files in one directory if you wanted the expiry to be a bit more long term?

Jamie Bicknell

Jamie Bicknell wrote:

The maximum number of cache files would be relative to the number of images processed through the script, so if you have 1000 images then there'd most likely always be 1000 cache images at some point.

Changing the expiry time means that there's simply more time to reach the maximum number of cache images.


Daniel wrote:

I'm a bit concerned at the security measures in place for this. With your script as is, it's possible to pull images from parent directory's which could pose a security risk.

I recommend adding in security measures to ensure they're accessing only the directory that the user specifies, and disabling schemes such as http through the config.

Jamie Bicknell

Jamie Bicknell wrote:

Hi Daniel, thanks for dropping by and leaving a comment.

With my script, the image must be local to the script so it won't work for external images hosted elsewhere (TimThumb has a lot of security problems due to this).

My script doesn't allow images to be loaded via HTTP, as you'll notice in the source it checks the if a URL is given and will convert the URL to a path and check for the file via the path.

As for accessing images from the scripts parent directory, this is a must have feature for cases such as WordPress where the Thumb script would be in a theme or plugin file and accessing the uploads directory.

If you'd like to discuss security further, we can chat on the Github repo page by creating an issue

  • (optional)
  • Security Code