protecting files/folders


23 replies to this topic

#1 bltesar

bltesar
  • Members
  • Advanced Member
  • 109 posts

Posted 09 August 2006 - 12:01 AM

I have a site that allows access to registered users only with authentication via PHP/MySQL.  It works just fine, and only authorized users can access the site beyond the login page; however, anyone can easily access images on the site, provided they know the names of the images, by navigating to the address of the images.

How can I protect the images on this site from public access?

#2 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: london

Posted 09 August 2006 - 12:06 AM

Put this in the image folder ok.


index.php

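<?php
// Send anyone who browses to the image folder back to the site's main page
// (assumes the image folder sits one level below the site root)
header("Location: ../index.php");
exit;
?>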

Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#3 bltesar

bltesar
  • Members
  • Advanced Member
  • 109 posts

Posted 09 August 2006 - 12:13 AM

Yes, but what if someone guesses the name of one of my images, which is actually a realistic possibility. 

The website I created is for a real estate company.  Some of the photos are displayed on the public website, others are not.  The photos are all named in the same way, e.g. floorplan_00023, so anyone could try different versions of that and access all the photos. 

I could just put all the private photos in a password protected folder, but there are other situations in which this will not do.  Unless of course, there was a way to have the authentication done via PHP.

#4 ToonMariner

ToonMariner
  • Members
  • Advanced Member
  • 3,342 posts
  • Location: Newcastle upon Tyne, UK

Posted 09 August 2006 - 12:14 AM

I have seen a post on this a long time ago.....

The only thing I can think of is to store images in your database - that way they can only be called from a script and you can control which script may call them....

But there is surely an easier way.
follow me on twitter @PHPsycho

#5 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: london

Posted 09 August 2006 - 12:26 AM

put the
protection directives from the above FAQ inside of a FilesMatch
container like so:

<FilesMatch "secret.html$">
  AuthType Basic
  AuthName "Some Description"
  AuthUserFile /full/path/to/passwdfile
  Require valid-user 
</FilesMatch>

The match pattern is a regular expression, so it can be used to match
more than 1 file: <FilesMatch "(private|secret).html$">. That would
protect private.html and secret.html and no other files.

#6 ToonMariner

ToonMariner
  • Members
  • Advanced Member
  • 3,342 posts
  • Location: Newcastle upon Tyne, UK

Posted 09 August 2006 - 12:30 AM

red did you actually read his first post? ;)

#7 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: london

Posted 09 August 2006 - 12:41 AM

yes i did sorry.

#8 hostfreak

hostfreak
  • Members
  • Advanced Member
  • 581 posts

Posted 09 August 2006 - 12:46 AM

How about password protecting the directory?

#9 bltesar

bltesar
  • Members
  • Advanced Member
  • 109 posts

Posted 09 August 2006 - 12:50 AM

Yes, I can password protect the directory, but I want to be able to authenticate users via PHP.  I don't want to have to go to my hosting utilities and add information for each username/password. 

I want to use a single username/password and have PHP do the authentication for users that have already been authenticated via PHP/MySQL.  Put another way, once users have logged into my site, I don't want them to again have to enter a username and password for the folder password protection.

#10 bltesar

bltesar
  • Members
  • Advanced Member
  • 109 posts

Posted 09 August 2006 - 06:53 PM

bump

#11 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 09 August 2006 - 07:04 PM

I don't understand what you are asking for.
Create register/login etc. pages, then on each page (that is allowed only for users) check if the session var containing the username is set. If he has it (meaning he's logged in), continue. Else, redirect to the login page and ask him to log in.

Orio.
Think you're smarty?

(Gone until 20 to November)

#12 akitchin

akitchin
  • Staff Alumni
  • Advanced Member
  • 2,516 posts
  • Location: Calgary, AB, Canada

Posted 09 August 2006 - 08:29 PM

two ways of doing this.  first of all, any directory above your root is protected and inaccessible to web users.  they will show up as images because the server has access to the directory, but regular web users cannot directly hard-link to the images (how do you link to www.site.com/../image.jpg ?)  putting your images above the web root is therefore one way of protecting them from name-guessing.

second, you can use a PHP file as the source.  it may be a little slower, i've done no performance checks.  simply write a PHP file that takes the image source as a URL parameter (ie. $_GET['image'] or something similar), opens the image, grabs its content, and spits it out.  if used in an image tag as the source like so:

<img src="grabImage.php?image=stuff.jpg" />

the output will be the image.  however, accessing grabImage.php?image=stuff.jpg directly simply outputs the image's JPEG data onto the screen rather than its visual translation.

for reference, getImage.php would look something like this:

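<?php

// basename() drops any directory part, so "../" cannot reach files outside images/
$source = 'images/'.basename($_GET['image']);

// stop quietly if the requested image does not exist
if (!is_file($source)) {
  exit;
}

// "rb" keeps the read binary-safe on every platform
$handle = fopen($source, "rb");
$output = fread($handle, filesize($source));
fclose($handle);

echo $output;

?>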

despite the source giving away the name of the image itself, there are a few ways of stopping this from giving it all away; you can place them into a directory and manually prepend that to the filename (as i've done here), or you can use some sort of array=>filename and send the index rather than the filename like so:

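<?php
// map the public key sent in the URL to the real filename;
// only images listed here can be requested
$files = array
(
  'top' => 'header.jpg'
);

$key = isset($_GET['image']) ? $_GET['image'] : '';

// unknown key: stop instead of reading an undefined array index
if (!isset($files[$key])) {
  exit;
}

$source = $files[$key];
?>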

<img src="getImage.php?image=top" />

the first method is easiest and less tedious, as the second method requires that you explicitly make an array item for every image you want to protect this way.
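
An added example, not part of akitchin's post or of the thread: the PHP-as-image-source approach combined with the session check the original poster asked for, with the images kept above the web root. The script name image.php, the session key $_SESSION['username'] and the directory path are assumptions.

```php
<?php
// image.php - added example; serves a private image only to a logged-in user.
session_start();

// Assumption: the login script sets $_SESSION['username'] on success.
if (empty($_SESSION['username'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not authorised');
}

// Assumption: images live outside the web root (hypothetical path).
$baseDir = '/home/example/private_images';

// Allow only simple names such as floorplan_00023.jpg: no slashes, no "..".
$name = isset($_GET['image']) ? $_GET['image'] : '';
if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/i', $name, $m)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad image name');
}

// Resolve symlinks and confirm the file really sits inside $baseDir.
$base = realpath($baseDir);
$path = realpath($baseDir . '/' . $name);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such image');
}

$types = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
               'png' => 'image/png',  'gif'  => 'image/gif');

header('Content-Type: ' . $types[strtolower($m[1])]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
// Private content: keep shared caches from storing it.
header('Cache-Control: private, max-age=3600');
readfile($path);
```

Used as <img src="image.php?image=floorplan_00023.jpg" />, the image loads for logged-in users, while a guessed or copied URL returns 403 to anyone without a session.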

#13 bltesar

bltesar
  • Members
  • Advanced Member
  • 109 posts

Posted 09 August 2006 - 08:39 PM

thank you!

putting the images above the root directory seems the best approach.  I'll try it out.

But another related question.

If I have a file or folder password protected on the server, i.e. via my web hosting utility, is there any way that I can authorize a user via PHP rather than have the username/password box popup?

#14 akitchin

akitchin
  • Staff Alumni
  • Advanced Member
  • 2,516 posts
  • Location: Calgary, AB, Canada

Posted 09 August 2006 - 08:43 PM

if you manually add the PHP protection and remove the basic HTTP authentication, then yes.  otherwise, no - basic HTTP authentication operates on the webserver level and is always used with the username/password box as far as i know.

#15 cmgmyr

cmgmyr
  • Members
  • Advanced Member
  • 1,278 posts
  • Location: USA

Posted 09 August 2006 - 08:46 PM

I think what you should do (and what I do) is have an htaccess file in your images directory that doesn't show any files at all...so it doesn't really matter if people can see the directory or not.

As for your images...Make them random file names so when you upload house1.jpg it turns into cabd83r3d9.jpg (or whatever) then it will be pretty much impossible for people to guess what your file names are.

Hope this helps,
-Chris

#16 bltesar

bltesar
  • Members
  • PipPipPip
  • Advanced Member
  • 109 posts

Posted 09 August 2006 - 09:03 PM

what about the $_SERVER variables PHP_AUTH_USR, etc.?  Are these not used for server authentication?

#17 hostfreak

hostfreak
  • Members
  • Advanced Member
  • 581 posts

Posted 10 August 2006 - 12:02 AM

Well, I password protected a directory through cpanel and I can access the files through my script, but if I were to try to directly access the files it will prompt for the password. Works out good.

#18 bltesar

bltesar
  • Members
  • Advanced Member
  • 109 posts

Posted 10 August 2006 - 01:08 AM

thanks everyone for your help, but, unfortunately, it isn't working for images.

if I put php files above the root directory or in a password protected folder, they can be executed from another directory using include() without being prompted for user/pass, just as hostfreak said and akitchin suggested.  But this approach does not work for images, whose source is defined within the HTML.

#19 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 10 August 2006 - 02:07 AM

http://www.clockwatc...ess_images.html should do the trick... The only problem with
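<?php

// basename() drops any directory part, so "../" cannot reach files outside images/
$source = 'images/'.basename($_GET['image']);

// stop quietly if the requested image does not exist
if (!is_file($source)) {
  exit;
}

// "rb" keeps the read binary-safe on every platform
$handle = fopen($source, "rb");
$output = fread($handle, filesize($source));
fclose($handle);

echo $output;

?>
is that if someone knows it's http://yoururl.com/i...e=Smith_Street1 they can just link to that... You could always just add some script to that so that it will only display it from yourdomain, but in my opinion htaccess is an easier approach...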
Why doesn't anyone ever say hi, hey, or whad up world?

#20 bltesar

bltesar
  • Members
  • PipPipPip
  • Advanced Member
  • 109 posts

Posted 10 August 2006 - 02:38 AM

thanks very much for that link.  I did not know anything about .htaccess files.  Quite useful.



