protecting images?

rhs

greetings, php gurus,

i've found a lot of helpful information on this forum in the past, but this is my first time posting. this is a great community!

my site uses php to authenticate users from a mysql database, and maintains state with php sessions. the system works great (so far!) for protecting pages, but i'd also like to to keep unregistered viewers from viewing images by typing in an image url, bypassing the security system on the php pages (our product is online comics, so the images are really what people are coming for).

i think the ideal solution would be to stick all my images a level above my index page in the directory structure (if my index page is located at mysite/httpdocs/index.php, my images would be located in mysite/images/), but unfortunately, my hosting company doesn't give me enough access to put files there.

so i had this crazy idea that i could use .htaccess to protect a folder, and then write a php script to supply a username/password pair every time a page needed to open an image--or something--

obviously, i don't really understand how .htaccess works. if you have any ideas, or can point me in the direction of a good tutorial, i would be very grateful.

thanks so much!

rachel

Aeiri

Just put a .htaccess un/pw on the folder, and in HTML use:


<img src="http://www.domain.com/folder/comics.php?id=<?=$id?>" />

And in this "comics.php" file it opens a file in this .htaccess folder (PHP bypasses all .htaccess un/pw, so none are needed) and output it through some built it functions that PHP has to send image data based on what "$id" is. I haven't worked with these much, let alone at ALL, so I can't help you with that... however, I can point you to somewhere that can:

http://www.php.net/manual/en/ref.image.php

All the image functions are there as far as I know...

Hope this helps you... 😃

theeper

And in this "comics.php" file it opens a file in this .htaccess folder (PHP bypasses all .htaccess un/pw, so none are needed)

Dunno what he means by this, but it is nonsense. PHP doesn't look for .htaccess files, but if there is one that limits the directory, the webserver will not be able to return the page to the browser.

In other words, if comics.php is looking in an .htaccess protected dir for a page, when the webserver returns the page to the browser, it will prompt the user for a un/pw combo.

What you need to do is prevent users from viewing an image directly or linking them inline inside their page. This is usually handled at a lower level (although I am sure it could be done somewhat reliably using PHP, and I am equally sure the referer could be spoofed easily enough).

Essentially, you need to check the referer. In other words, if your site is www.abc.com and someone tries to link an image into www.bcd.com, your webserver doesn't allow it. This can be done with .htaccess files, but not by using a username and password.

It is preferrable to do this in the webserver config files. Assuming you are using Apache, you would add something like this to your httpd.conf file.

SetEnvIf Referer "^{http://www.abc.com/"} local_referal
SetEnvIf Referer "^$" local_referal
<Directory /web/images>
Order Deny,Allow
Deny from all
Allow from env=local_referal
</Directory>

output it through some built it functions that PHP has to send image data based on what "$id" is

Not sure what he means by this either, sounds like some custom functions, not built in PHP functions.

7khat

Not sure what he means by this either, sounds like some custom functions, not built in PHP functions. [/B]

Does [he] mean fpassthru() ?