Taking the filename through GET is always considered to be a “don't do it” practice… as far as I know…
In this script a lot depends upon
‘thumbnail.inc.php’:
how it is filtering the type of file it accepts.
The other problem (maybe you are concerned) may be bandwidth theft. If somebody spots this file, then they might use it as an image resizer and your bandwidth will be used… or launch an attack…
When we think on a small scale, it may not sound that bad…
But if your competitor loops 1000 images to your file, then the problem will start…
One solution I can think of:
why don't you make it accept a relative path only, rather than an absolute one?
The next solution might be to check base_url; there are functions in PHP for that…
Though not 100% safe, they can be useful…
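
A sketch of the relative-path-only idea and the file-type filtering raised above, as an added example that is not part of the original post or of the script under discussion. The names `IMAGE_ROOT`, `resolve_image()` and the `img` query parameter are assumptions made for illustration.

```php
<?php
// Added example. IMAGE_ROOT, resolve_image() and the "img" parameter are
// hypothetical names, not taken from thumbnail.inc.php.
const IMAGE_ROOT = __DIR__ . '/images';
const ALLOWED_TYPES = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

/** Return the canonical path of a permitted image under $root, or null. */
function resolve_image(string $requested, string $root = IMAGE_ROOT): ?string
{
    // Empty values and NUL bytes are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Relative paths only: refuse URL schemes and stream wrappers
    // (http://, php://), drive letters (C:) and a leading / or \.
    if (preg_match('#^([a-z][a-z0-9+.-]*:|[/\\\\])#i', $requested)) {
        return null;
    }
    // Canonicalise so that ".." segments and symlinks are resolved
    // before the containment check, not after it.
    $rootReal = realpath($root);
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    // The resolved file must still sit inside the image directory.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Filter on the detected image type, not on the file extension.
    $info = @getimagesize($fileReal);
    if ($info === false || !in_array($info[2], ALLOWED_TYPES, true)) {
        return null;
    }
    return $fileReal;
}

// Array-valued parameters (?img[]=x) are treated as missing.
$raw  = $_GET['img'] ?? '';
$path = resolve_image(is_string($raw) ? $raw : '');
if ($path === null) {
    http_response_code(400);
    exit('Invalid image');
}
// $path can now be handed to the resizing code.
```

This limits which files the script will open; it does not address the bandwidth concern, which needs separate controls such as caching generated thumbnails or rate limiting requests.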