i have a site that works much like classifieds ads. users can post ads and images.

i would like to set the site up so that visitors can only view images on the site in my php pages. in other words, i want to prevent any user from accessing an image directly by its URL.

I'm guessing that half of this problem is putting the images OUTSIDE of the public_html folder. the other half would be to create a php file that only feeds up the files to authorized viewers.

so maybe two files:
==classifed.php==

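<?php
// escape the user-posted description so ad text cannot inject HTML or script
echo htmlspecialchars($ad_description) . "<br>";
// urlencode the id so it stays a single query-string value
echo "<img src=\"image_feeder.php?image_id=" . urlencode($image_id) . "\">";
?>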

==/classifed.php==

==image_feeder.php==

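<?php
// determine if request is valid here?
// deny direct requests that don't come from my php page
define('IMAGE_PATH', '/home/foo/bar/images/');

// cast the id to an integer so it cannot inject SQL into the query
$image_id = isset($_GET['image_id']) ? (int) $_GET['image_id'] : 0;
$sql = "SELECT image_filename FROM images WHERE id=" . $image_id;
// mysql_* was removed in PHP 7; on newer PHP use mysqli or PDO prepared statements
$result = mysql_query($sql);
$row = $result ? mysql_fetch_assoc($result) : false;
if (!$row) {
    // query failed or no such id: send the placeholder image and stop
    readfile('images/not_found.gif');
    exit;
}
// basename() keeps a stored filename from pointing outside IMAGE_PATH
readfile(IMAGE_PATH . basename($row['image_filename']));
?>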

==/image_feeder.php==

NOTE: I do NOT want to force users to login to see images. I just want to force them to view the images in my page.

    awesome

    looks pretty easy. i'm sort of familiar with .HTACCESS in a passing way. can anyone tell me more specifically what this is doing?

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
    RewriteRule \.(gif|jpg|js|css)$ - [F]

      so i've created that .htaccess file on my server. i noticed that pasting the URL directly into a browser i can still see it.

      try it yourself:
      http://www.adfotos.com/layout/sample_thumbs/Wheel_SOLD.gif

      i also made this file on my hard drive and it displayed it as well:

      <html>
      <img src="http://www.adfotos.com/layout/sample_thumbs/Wheel_SOLD.gif">
      </html>

      the .htaccess file is working though. i'm just wondering what will be shown if someone sends spam mail linking to this image.
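
What the .htaccess rules in this thread decide for different requests, as an added example that is not part of any post above: the function mirrors the three mod_rewrite lines in plain PHP, assuming their usual form with the `^` anchors and escaped dots. `hotlink_status()` is a hypothetical name, `mydomain.com` is the thread's placeholder, and the sample requests are constructed.

```php
<?php
// Added illustration (not code from the thread): the three rewrite lines as a PHP function.

/**
 * Returns 403 where the rules would answer Forbidden ([F]), 200 otherwise.
 * $referer is the raw Referer header, '' when the client sent none.
 */
function hotlink_status(string $path, string $referer): int
{
    // RewriteRule \.(gif|jpg|js|css)$ : only these extensions are covered at all.
    if (!preg_match('/\.(gif|jpg|js|css)$/', $path)) {
        return 200;
    }
    // RewriteCond %{HTTP_REFERER} !^$ : a request with no Referer is let through.
    if (preg_match('/^$/', $referer)) {
        return 200;
    }
    // RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
    // : a Referer on the site itself is let through, case-insensitively.
    if (preg_match('#^http://(www\.)?mydomain\.com/.*$#i', $referer)) {
        return 200;
    }
    // Both conditions held (Referer present and foreign):
    // "-" leaves the URL unchanged and [F] answers 403 Forbidden.
    return 403;
}

// Constructed sample requests: [requested path, Referer header].
$img = '/layout/sample_thumbs/Wheel_SOLD.gif';
$samples = [
    'own page'            => [$img, 'http://www.mydomain.com/classifed.php'],
    'URL typed in browser' => [$img, ''],
    'local .html file'    => [$img, ''],  // file:// pages normally send no Referer
    'other site'          => [$img, 'http://other.example/page.html'],
    'webmail message'     => [$img, 'http://webmail.example/inbox'],
    'php page, other site' => ['/classifed.php', 'http://other.example/page.html'],
];

foreach ($samples as $label => [$path, $referer]) {
    printf("%-22s %d\n", $label, hotlink_status($path, $referer));
}
```

The Referer header is supplied by the client, so these rules stop casual embedding from other sites but are not an access control.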
