Hi,

I would like to hide the path of images, so that people don't know the real image path.

For example, at the moment, the images are shown in a page as:

<img src="files/filename.jpg">

Each image is already in a database, and has a unique 'id' number, and 'filename'.

I would like to call images as...

<img src="showimage.php?file=123"> - that way, people don't know the real path.

Any ideas on how this might be done?

    use this script:

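    if (!empty($_SERVER["HTTP_REFERER"])) {
        // NOTE: the path comes straight from the query string, so any file the
        // web server can read can be requested; restrict it to the image folder.
        $image = $_GET["my_image_path"];
        header("Content-Type: application/octet-stream");
        $fp = fopen($image, "rb");
        fpassthru($fp);   // fpassthru() sends the file itself; echoing its return value would append the byte count
    } else {
        header("Location: $GO_SOMEWHERE");   // double quotes so the variable is interpolated
        exit;
    }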

      Originally posted by joe-php
      I would like to call images as...
      <img src="showimage.php?file=123"> - that way, people don't know the real path.
      Any ideas on how this might be done?

      Hi,
      you can do exactly what you wrote:

      <img src="showimage.php?file=123">

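      And the showimage.php is something like this:

      // connection to db (not shown) - $file is 123...
      // mysql_* was removed in PHP 7; use mysqli or PDO on current PHP.
      $file = (int) $_GET['file'];   // cast to int so the id cannot carry SQL

      $query = "select filename from <imagedb> where id=$file";   // <imagedb> = your image table
      $result = mysql_query($query) or die("Error: " . mysql_error());
      $row = mysql_fetch_row($result);
      if (!$row) {   // unknown id: send nothing rather than call readfile() on an empty name
          header('HTTP/1.0 404 Not Found');
          exit;
      }

      header('Content-type: image/jpeg');
      readfile($row[0]);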
      

      See you

        You will need to set up a script that:

        1. Retrieves the image info (file name, content type, image data)

        2. Sends the header info (content-type = image/jpeg or image/gif or whatever, optional would be a file name but I don't remember the header name for that)

        3. Echo the image data to the browser

        4. or see above code - beat me to the post!

          brilliant!

          bad76's script worked well! this will be very useful!

            3 months later

            Hello,

            I was also trying to hide my photo download path from browsers.

            This header method seems to be a good way to do it but I have found a big hole and cannot find a way to plug it.

            What I'm doing is this: to prevent hotlinking to my photos, I want to totally hide their path (folder has a crazy name). I call each photo with something like display.php?id=photoid. But doing this, anybody could easily type in their browser the exact same thing and hotlink to the photos without actually knowing their path by calling the php, so hiding the path that way would not be very useful.

            So what I do against that is that I pass a session value and in the display.php file I test for that session value before sending the right header. That session value has been set by another php script. So what I'm doing is make sure that the photo is displayed only if display.php has been called by that other script. This prevents hotlinking. The display.php will unset that session value when sending the photo in the header.

            So that works well, it hides the path, and prevents hotlinking as well.

            BUT, here's where the hole is:
            With a browser, I try to type directly display.php?id=photoid. Of course it works as expected, and doesn't display the photo. Now I go through the website to display the photo normally. It works and displays the photo. Now, because of memory cache, by trying to retype the direct address in the browser or with a right combination of back/forward, I will be able to display the photo directly in the browser even though it is forbidden. The browser will simply pull the photo out of the cache (even though I sent all the necessary headers to prevent caching).

            But what is even worse, is that doing this, it will display in the location bar not "display.php?id=photoid" as it would if calling it directly was allowed but curiously the full path of the photo, revealing the directory name on the server.

            Now I'm trying to find a way to prevent that. If I stop the session variable check then the photo will be displayed without interdiction. The path will not be revealed then, but hotlinking will be possible....

            I hope I didn't put everyone to sleep with all the verbose 🙂

            David.

              Hi David,
              sorry that I didn't post it, but that's the way I finally realized it too, by using a session variable.
              But what you should do additionally is to use the if-query that looks for the $_SERVER["HTTP_REFERER"].
              If there's no referer the picture-script is not called out of another page

              So your statement could look like this:

              if (!empty($_SERVER["HTTP_REFERER"]) && isset($_SESSION["myVar"])) {
                  // showPicture
              } else {
                  header("Location: $GO_SOMEWHERE");   // double quotes so the variable is interpolated
                  exit;
              }
              

                Thanks Steffel.

                The referer is something I tried first but some time during my scripting stuff the referer info disappears. The way I display my photos is kinda complicated. In addition to a couple php scripts there is also a Javascript popup. And in the middle of all that stuff the referer value is lost and I can't use it for a reliable test.

                What I would like to find out is how to use the header and at the same time not reveal the path through that "bug" I mentioned.

                There is a solution that would settle that whole thing, which is to include all the photos inside the MySQL database that I use already (this way, there is no hotlinking or folder path to get the photos from), but I was trying to avoid that.

                  Drop a .htaccess file into the images folder so even if they do know the name of the folder, they can't access the images directly.

                    mtimdog, that's another way to do it. However, I haven't been able to. I don't remember exactly what I put in the .htaccess but somehow I wasn't able to make it work. I need to have another look at that.

                    I should add that my web host offers a built-in function to disable hotlinking, but activating it somehow messes up the display of my pages.

                      Looking back at .htaccess now I remember the problem: it's the same as with the referer: the http_referer value seems to be lost after the javascript popup, so the scripts that actually display the photos will also be prevented from accessing the folder...

                        Alright, if it helps anybody, it seems I have found why the path is revealed when the photo is loaded from the cache.

                        Looks like I was doing the header thing wrong.

                        I had:

                        header("Location: file.jpg");

                        And I should have had instead:
                        header("Content-type:image/jpeg");
                        readfile("file.jpg");

                        That solves the little loophole I had where somebody could still find the path. I think.

                        Now back to how I can prevent that display.php script from being called directly and this way prevent hotlinking.

                        David.
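An added example, not code from this thread: because the Referer and session checks discussed above proved unreliable, one alternative is an expiring HMAC-signed link that the embedding page generates and display.php verifies. `SECRET`, `IMAGE_DIR`, the `exp` and `sig` parameters and the sample id-to-filename map are assumptions; this narrows hotlinking to the link's lifetime rather than eliminating it.

```php
<?php
// Added example. SECRET, IMAGE_DIR and the $images map are assumptions;
// in the thread the map would be the database lookup by id.
const SECRET    = 'replace-with-a-long-random-server-side-secret';
// The folder may sit outside the web root or be denied by .htaccess:
// readfile() reads from disk, not over HTTP, so the script still works.
const IMAGE_DIR = '/var/www/private-images';

// Called by the page that builds the <img> tag.
function signed_image_url(int $id, int $ttl = 60): string
{
    $exp = time() + $ttl;
    $sig = hash_hmac('sha256', "$id|$exp", SECRET);
    return "display.php?id=$id&exp=$exp&sig=$sig";
}

// Called by display.php: true only for an unexpired link this server signed.
function link_is_valid(array $q, ?int $now = null): bool
{
    $id  = filter_var($q['id']  ?? null, FILTER_VALIDATE_INT);
    $exp = filter_var($q['exp'] ?? null, FILTER_VALIDATE_INT);
    $sig = $q['sig'] ?? '';
    if ($id === false || $exp === false || !is_string($sig)) {
        return false;
    }
    return $exp >= ($now ?? time())
        && hash_equals(hash_hmac('sha256', "$id|$exp", SECRET), $sig);
}

function serve_image(array $q, array $images): void
{
    $id = (int) ($q['id'] ?? 0);
    if (!link_is_valid($q) || !isset($images[$id])) {
        http_response_code(403);
        return;
    }
    $path = IMAGE_DIR . '/' . basename($images[$id]);   // name cannot leave IMAGE_DIR
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . mime_content_type($path));
    header('Cache-Control: private, no-store');
    readfile($path);   // bytes are sent directly; no Location header, so no path leaks
}

if (PHP_SAPI !== 'cli') {   // display.php entry point; constructed sample map
    serve_image($_GET, [123 => 'filename.jpg']);
}
```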

                          If this is just for pop-up windows...check the HTTP_REFERER to see if it's your site (regexp).

                            3 years later

                            Any idea how I might modify this code for an Adobe Flash Shockwave (.swf) file? I am converting all jpg's to swf's to make it a little more difficult for leeches to steal them...
