Getting requester of script

mbhcool

I'm writing an image protection script to pass image arguments to it.
It should check whether the requester is my server or not.

Here's the problem :: I cant get the script to identify who's requesting
the image! I looked into other similar scripts (image protection & anti-leech)
they all use getenv("HTTP_REFERER"), which doesnt work in my case (results in an empty string)

My current setting (SERVER_NAME) always results in my own server name, which always shows the pic
other settings get the requester but even when I request the image from a page in my website
it shows the stolen pic!

any suggestions?!

Here's my code ::

<?php
/
PHP Image Protecter V1.5.060804 by MBH -> www.MBHbox.net
/

$myDomains=array("MBHBOXSERVER","mbhboxserver","mbhbox.net","localhost");
$stolenPic="http://www.mbhbox.net/images/stolen.gif";
$protectedDir="/SERVER/images/";

//$ref=$SERVER['HTTP_HOST'];//resolves website name
$ref=$SERVER['SERVER_NAME'];//results the name of the server machine
//$ref=gethostbyaddr('');//results the name of the server machine
//$ref=gethostbyaddr(getenv("REMOTE_ADDR"));//results the name of the requester
//$ref=getenv("HTTP_REFERER");

$VersioN="1.5.060804";

if ($version=="check") {
print Header("Location: http://www.mbhbox.net/cgi-bin/pip/lastVersion.php");
die('See <a href=http://www.mbhbox.net/cgi-bin/pip/lastVersion.txt>[url]http://www.mbhbox.net/cgi-bin/image/lastVersion.php[/url]</a>');
}

if ($img=="") die('no image defined');
if ($ext=="") die('no extension defined');
$isValid=false;
$name=$protectedDir.$img.".".$ext;
$fp = fopen($name, 'rb');

for ($i=0;$i<count($myDomains);$i++) {
if ($ref==$myDomains[$i]) {
$isValid=true;
}
}

if ($isValid==false) {
print Header("Location: $stolenPic");
die("<b>stolen picture!</b>");
}

header("Content-Type: image/$ext");
header("Content-Length: ".filesize($name));
fpassthru($fp);
exit();
?>

drawmack

on your main page set a session variable. have the image script check for existence of this session variable before it hands out your image.

mbhcool

How do I set a session variable for the server? aren't session vars meant to be for client side?

Could show me a code for that please?

Thanks

Weedpacket

Store the image outside the web document tree. Then only the server can retrieve it.

mbhcool

Yea, I thought of that too. But if you do :: <img src="c:\images"> the image has to be in the client side in the same location...

The script I wrote will always display the image, and I can use it do so (which what I'm doing currently) but still, if an external link exist, it's not detected.

Perhaps if I use virtual paths? I'll try and post back

But can't you tell me what the script doesn't work? why HTTP_REFERER is always an empty string?

Weedpacket

Originally posted by mbhcool
Yea, I thought of that too. But if you do :: <img src="c:\images"> the image has to be in the client side in the same location...

There is no law that says that URLs have to map one-to-one onto files; in fact, they're explicitly not the same thing.

Instead of providing a URL directly to the image file, provide one to a script. The script checks the request is from a valid source and - if the request is valid, the script fetches the image file and sends its contents to the client. (drawmack's suggestion applies here - I recall he wrote some code for the task in the Coding Critique forum)

But can't you tell me what the script doesn't work? why HTTP_REFERER is always an empty string?

Could be server configuration (getenv() doesn't work with PHP running as ISAPI - try $_SERVER['HTTP_REFERER']) - could be something to do with your client; HTTP_REFERER cannot really be trusted anyway, since it does come from the client - and the client is under no obligation to be honest or even helpful.

mbhcool

I have tryed $_SERVER['HTTP_REFERER'] along side with $HTTP_REFERER (I have globals on) ...

Instead of providing a URL directly to the image file, provide one to a script ...

That's the whole idea of the script I've written (code provided previously), but thanks to you, now I know that HTTP_REFERER isn't safe! which also brings me back to square 0, again!

There is no law that says that URLs have to map one-to-one onto files; in fact, they're explicitly not the same thing.

A little test page is here -> http://www.mbhbox.net/test.html, the images folder is already out of server scope, but since HTML is bounded to the server folder, it can't access the images folder outside the scope (unless I use virtual paths, which seems pointless).

If that wasn't your point, please correct me, and if it was but I misunderstood it, correct me too.

I'll look up the code the in the Coding Critique forum regarding the session variable, although I still have no idea what he meant.

Thanks for your time