Hide image location

[acctman]

 

Is this method possible? I want to display the image without giving up the actually image location ( http://snipplr.com/view/5041/hide-image-path/ )

<?php
$query="SELECT filename FROM database where id=$file";
$result=mysql_query($query) or die ("Error: ".mysql_error()); 
$row=mysql_fetch_row($result);  

header('Content-type: image/jpeg'); 
readfile($row[0]);  ?>

 

my current code that displays where the actual image location, i'd like to hide the img location

<?php
$theuser = mysql_fetch_array(mysql_query("SELECT `m_id`,`m_date` FROM `rate_members` WHERE `m_user` = '".$en['mm_user']."'"));
$result = mysql_query("SELECT `i_id`, `i_name` FROM `rate_pictures` WHERE `i_user` = '".$theuser['m_id']."' AND `i_status` >= '1' AND `i_private` = '0' ORDER BY `i_time` DESC");

while($row = mysql_fetch_array($result)) {
    echo "<li><a href='http://img.com/".date("Y/m", $theuser['m_date'])."/".$theuser['m_id']."/imgPub/".$theuser['m_id']."-".$row['i_id'].".jpg'" . " original='http://img.com/".date("Y/m", $theuser['m_date'])."/".$theuser['m_id']."/imgPub/".$theuser['m_id']."-".$row['i_id'].".jpg'" . " description='".$row['i_name']."'>" . " <img height=80 width=80 src='http://img.com/".date("Y/m", $theuser['m_date'])."/".$theuser['m_id']."/imgPub/imgTmb/".$theuser['m_id']."-".$row['i_id'].".jpg' /></a></li>\n";
}
?>

 

 

[funkyres]

The browser has to have some kind of url from which to request the image.

You can run a php wrapper and keep the actual image file completely outside the web root - and control access to the image from the wrapper, but there has to be some kind of url that the web browser will use to request the image.

 

A fairly common tactic is to require session authentication in the php wrapper before the wrapper sends the actual image.

 

You can use something like mod_rewrite so that the wrapper has the proper image extension and the user is none the wiser.

 

This is something I came up for hotlinks -

<?php
// wrapper script to check if the requesting host is authorized to serve image.
ini_set("include_path", "/srv/mydomain/phpinclude");
include('_db_connect.inc.php');

$IMG_PATH="/srv/mydomain/images/nonherp";

function check_hotlink($http,$size) {
   $http=strtolower($http);
   if ( strcmp($size,'sm') == 0 ) {
      $sql="SELECT hostname FROM hotlink WHERE small='1'";
      }
   if ( strcmp($size,'ds') == 0 ) {
      $sql="SELECT hostname FROM hotlink WHERE small='1'";
      }
   if ( strcmp($size,'md') == 0 ) {
      $sql="SELECT hostname FROM hotlink WHERE medium='1'";
      }
   if ( strcmp($size,'lg') == 0 ) {
      $sql="SELECT hostname FROM hotlink WHERE large='1'";
      }
   $result=mysql_query($sql);
   while ($somevar = mysql_fetch_row($result)) {
      $hotlinkok[]=$somevar[0];
      }
   $allowed=0;
   $num=count($hotlinkok);
   $i=0;
   while ( $i < $num ) {
      $foo=strlen($hotlinkok[$i]);
      $check=substr($http,-$foo);
//      $sql="INSERT INTO foolog (message) VALUES ('$check')";
//$result=mysql_query($sql);
      if ( strcmp($check,$hotlinkok[$i]) == 0 ) {
         $allowed=1;
         }
      $i++ ;
      } // end while loop
   return($allowed);
   } // end of function
function sendimage($impath) {
// requires fedora rpm : php-pecl-Fileinfo
  $fi = new finfo(FILEINFO_MIME);
  $mime_type = $fi->buffer(file_get_contents($impath));
  $imageOutput = "";
  if ($fp = fopen( $impath , 'rb' )) {
    while ($l = fgets($fp)) {
      $imageOutput .= $l;
      }
    $outputLen = strlen($imageOutput);
    header("Content-Length: $outputLen");
    header("Content-type: $mime_type");
    print $imageOutput;
    } else {
    // for whatever reason we failed
    die();
    }
    // output image filesize size ??
  }

$thispage=mysql_real_escape_string($_SERVER['REQUEST_URI']);
$thisarray=explode("/",$thispage);
$n=(sizeof($thisarray) - 1);
$foo=$thisarray[$n];
if ( strcmp($foo,'nonherp.php') == 0 ) {
   die();
   }

$dumb = @$_SERVER['HTTP_REFERER'];
if ( strlen($dumb) > 0 ) {
   $http = parse_url($dumb, PHP_URL_HOST);
   } else {
   // be nice and serve it - for now ...
   $http = 'mydomain.org';
   }

//$sql="INSERT INTO foolog (message) VALUES ('$http')";
//$result=mysql_query($sql);
if ( check_hotlink($http,"lg") == 0 ) {
   // failed hotlink test
   $fullpath = $IMG_PATH . "/hotlink/hotlink_lg.jpg";
   } else {
   // OK to serve it
   $fullpath = $IMG_PATH . "/" . $foo;
   }
   sendimage($fullpath);
//   print($fullpath);
?>

 

The file is called nonherp.php

Please excuse the code - it has some stuff in it not needed (IE a bunch of options in the check_hotlink function) as I borrowed from another script I wrote for different type of image handling, and it could use some cleanup, but it works.

 

Here is the mod_rewrite rule -

 

RewriteRule ^[0-9A-Za-z-_]+\.jpg$ nonherp.php [L]
RewriteRule ^[0-9A-Za-z-_]+\.png$ nonherp.php [L]
RewriteRule ^[0-9A-Za-z-_]+\.gif$ nonherp.php [L]

 

So - I thow someimage.png into my images directory that is NOT in the webroot, and /images/someimage.png is (via mod_rewrite) handled by nonherp.php. If it is hotlink from domain I did not allow, a different image gets served.

[funkyres]

Note that /srv/mydomain/images/nonherp is NOT in my webroot (my webroot is /srv/mydomain/www) so it is impossible to get the images via http w/o going through the php wrapper.