[Resolved] How to Protect a file inside a folder....

thedream

Hi there,

Here is my problem:

I have a data base of 20.000 images, managed by Mysql.
I use a system of paiment by telephone (allopass.com ).
When the Internet user in chosen its logo of image, it happens on the page " tollaccess.php ", it brings in a code, and if the code is valid, the display.php page shows the image cut real.
During the ttransaction, ID of the image is kept(preserved).

The problem, is that the source of the image is visible, if we show the code source of the page.
What I would like to do is to make impossible, the download of the other images, directly by means of the url address, if he had no validation of the code Allopass.com. for example:
www.website.com/image/image_13.jpg

This system uses cookies.

If we call the display.php page? Image_13.jpg, the system works very well, we are reloaded on an error page .

But how make of automatic manner, to prevent the execution of:
www.website.com/image/image_13.jpg?

Thank you in advance,
MARC-ANDRÉ😕

zingbats

right.

Disable right click, and put the page with the image in a frame.

Put a script so that you cannot access the page within the frame without being in the frame.

That way, they cannot right click to go view source; and, they can't use the menu because they will see the frame HTML not the page html.

laserlight

zingbats' method is easily defeated.

There are a few possible solutions.

One solution is to name the images such that the code becomes the image name.
Another might be to generate the image using say, the GD library.
So a given code retrieves the corresponding image from the database, and creates a temporary image with it.

I suspect that there could be say, a htaccess solution, but I'm not too sure of that.

feldon23

You somehow need to make it so if there is no Referrer, then the image doesn't get displayed.

trooper

OK so it may be easily defeated but try and explain HOW - that way we all know. And therefore we all learn

😃

Originally posted by laserlight
zingbats' method is easily defeated.

There are a few possible solutions.

One solution is to name the images such that the code becomes the image name.
Another might be to generate the image using say, the GD library.
So a given code retrieves the corresponding image from the database, and creates a temporary image with it.

I suspect that there could be say, a htaccess solution, but I'm not too sure of that.

feldon23

Originally posted by trooper
OK so it may be easily defeated but try and explain HOW - that way we all know. And therefore we all learn

Step 1. Turn off javascript.

Step 2. Reload

Step 3. There is no step 3.

php4geek

create an image displayer PHP script, so that if the refferer is not from your site, then they cannot display the image

<?php
  function isRefererOk( $referer ) {

  header( "Content-type: image/jpeg" );
  $secret_folder = "/../secret_folder/"
  if ( isRefererOk( $_SERVER[ "HTTP_REFERER" ] ) ) {
   $img = imagecreatefromjpeg( $secret_folder . $GET[ "image_file_name" ]. ".jpg" );
  } else {
    $img = imagecreatefromjpeg( "invalid.jpg" );
  }
  imagejpeg( $img );
  imagedestroy( $img );
?>

thedream

thank you guys for all of that!

I have found too an another interessing trick:

Using the referer, but directly with a .hataccess file inside the folder of the images:
Content of .htacces:

SetEnvIfNoCase Referer "^[url]http://www\.mywebsite\.com/[/url]" local_ref=1
        <FilesMatch "\.(gif|jpg)">
            Order Allow,Deny
            Allow from env=local_ref
        </FilesMatch>

And we get it!
If the image is called from the navigator by a page done by the webmaster, the image is displayed, if you enter the image adress in the url address bar, YOU DON'T GET IT !!

In fact you can find this on the Apache manual.

Thank you to all of YOU,

Marc-André
🙂