
Prevent direct image loading?


acctman


Hi, is there a way to prevent a user from copying and pasting an image link and loading it directly? I created a PHP script to load images and control who's able to see the images. I'd like this to happen: when a user clicks an image link on an HTML or PHP page on domain.com, it should load. But if the user goes into the source, grabs the actual link and pastes it into their web browser, it should not load.

 

file link example: /files/pvtexp.php?mid=135789&iid=296946&idat=2007/10&sec=3

Link to comment
Share on other sites

You can look at the REFERER and if it isn't coming from your domain echo nothing, or echo an image that says 'image stolen'.

For many users it will work, however the REFERER is given by the browser and can be easily cheated. That doesn't prevent users from saving them and using them on their own server, but that can save you some bandwidth.

 

This should work :

// Compare only the referring host, so a request from any page on the site passes
if (parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST) !== "www.mysite.com") die();

Link to comment
Share on other sites

There is no difference between a link on a web page and an address placed into a browser address bar (or a script requesting the URL). They all cause an HTTP request to be made for the file and it is the web server's duty to serve up the requested file. This is how the whole Internet works. So, no, you cannot tell the difference between someone clicking on a link on your page and someone being on your page, viewing the source and copy/pasting that link to the address bar. You can tell if someone is requesting a file without having visited your page first.

As long as the URL of the file will cause that file to be served by the server, it does not matter how that HTTP request is produced (link on a page, browser address bar, bot script, request relayed through a web proxy server...). An HTTP request is an HTTP request. HTTP_REFERER can also be set to anything at any time, so bot scripts and web proxy scripts can set it to your domain so that any request for a URL can look like it came from someone already viewing pages on your site.

 

What exactly are you trying to accomplish? Does someone need to fill out a form or be a logged in member on your site before the file should be served by the web server? Are you trying to stop hot linking by other sites putting a URL to your file on their pages?

Link to comment
Share on other sites


Right now all my images load perfectly on the site and in the galleries. I just want to stop users from loading the links outside of the gallery by itself. Giving it some thought, I'm thinking the only way to do this would be to restrict pvtexp.php load in the webroot.

Right now the image PHP loading file pvtexp.php is in home/site/www/files/pvtexp.php, which can be accessed directly by anyone's web browser with the correct $_GET parameters. Now if I were to put the pvtexp.php file at home/site/files/pvtexp.php (behind the webroot), only the PHP gallery script serving the file could access the pvtexp.php there; users would have no way to manually input a URL to pull images.

So basically I want to stop a user from inputting http://www.site.com/files/pvtexp.php?.... and seeing an image, and limit them to having to go to http://www.site.com/gallery/user/ to see the image.

Can that be accomplished without moving the file behind the webroot? That would save a lot of time recoding links in various scripts on my site.

Link to comment
Share on other sites

Whenever you have an <img> tag, all it does is make a request to the server, render the content it receives and then cram it into a box.

 

So essentially the image has to be in the webroot for it to show up in an img tag.

 

 

Your two best options are either sessions or referer checking.

Link to comment
Share on other sites
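
A sketch of the session option mentioned above, as an added example that is not part of the original thread: the gallery page signs each image URL with an HMAC bound to the visitor's session ID and an expiry time, and pvtexp.php refuses any request whose signature does not verify. A link pasted into the same browser session before it expires still loads, which the thread explains cannot be told apart from a click. SECRET, the exp and sig parameters and both function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. SECRET, the exp/sig parameters and
// both function names are assumptions made for illustration.
const SECRET = 'replace-with-a-long-random-server-side-key';

// Gallery page: build the <img> URL for one image, bound to this visitor's session.
function sign_image_url(array $params, string $sessionId, int $now, int $ttl = 60): string
{
    $params['exp'] = $now + $ttl;                 // link stops working after $ttl seconds
    ksort($params);                               // fixed order so both sides sign the same string
    $params['sig'] = hash_hmac('sha256', $sessionId . '|' . http_build_query($params), SECRET);
    return '/files/pvtexp.php?' . http_build_query($params);
}

// pvtexp.php: call before reading the image from disk.
function verify_image_request(array $query, string $sessionId, int $now): bool
{
    $sig = $query['sig'] ?? '';
    unset($query['sig']);
    if (!is_string($sig) || !isset($query['exp']) || (int)$query['exp'] < $now) {
        return false;                             // missing signature or expired link
    }
    ksort($query);
    $expected = hash_hmac('sha256', $sessionId . '|' . http_build_query($query), SECRET);
    return hash_equals($expected, $sig);          // constant-time comparison
}

// Constructed demo values; in a real page use session_id() and time().
$now = 1193000000;
$url = sign_image_url(['mid' => 135789, 'iid' => 296946, 'idat' => '2007/10', 'sec' => 3], 'sess-alice', $now);
parse_str(parse_url($url, PHP_URL_QUERY), $query);

var_dump(verify_image_request($query, 'sess-alice', $now + 10));   // same session, fresh link
var_dump(verify_image_request($query, 'sess-bob', $now + 10));     // link pasted into another session
var_dump(verify_image_request($query, 'sess-alice', $now + 3600)); // link reused after expiry
$query['iid'] = '296947';
var_dump(verify_image_request($query, 'sess-alice', $now + 10));   // image id changed by hand
```

Only the first check passes. The script's existing permission check on who may see the image still runs after the signature is verified.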
