Jumpy09 Posted June 16, 2011 Okay so a few months ago I coded up a nice system to get images to display from outside the public directory to prevent direct access to any photos on my Server. The system works well, but I am trying to upgrade some of the security features to prevent direct access to images and only allow the images to be displayed through the <img> tags. So I query the Database and get all the information I need to display an image: the username, the image name, and the file extension. Hash these values with some salt in sha256, and place the information in an Image tag. <img src="displayImage.php?id=5&name=h4g3h3h3gd8d7dhwei&ext=png&hash=>>hashvalue<<" alt="QuoteofImage"> Now the file gets called, the header gets modified to make it read the file and display as an Image. It works great, but I am afraid you will be able to put the url in the Database and defeat the purpose of Private Folders, or Folder Permissions. So I want to prevent access through the url, but still allow it to be placed in the <img> tags. I was thinking about .htaccess to prevent access from anything except localhost, but I have a feeling the file is getting called by the client and not the server. Any suggestions?
redixx Posted June 16, 2011 http://www.htaccesstools.com/hotlink-protection/
Jumpy09 Posted June 16, 2011 Author I had considered Hotlink Protection, but it is pretty much for a particular file type. Since I am creating the images via the .php file I have no idea how to hotlink protect a specific file. And yes, I did do a Google Search. They have a lot of good advice, but nothing on how to hotlink protect a specific file.
redixx Posted June 16, 2011 I believe you can use regex in the .htaccess for the hotlink protection, so it can be more complex than just a filename identifier. However, I am not particularly good with .htaccess so I will let someone else jump in.
PFMaBiSmAd Posted June 16, 2011 "I have a feeling the file is getting called by the client and not the server" ^^^ That's correct. The browser requests all the media files on a web page. When you output an <img src="" alt=""> HTML tag as part of a web page, it is the browser that makes an HTTP request for the URL that is in the src="" attribute. There is no difference between that HTTP request and someone putting that URL into their browser's address bar. If you want to secure the files being output, read the post at the following link (replace references to 'download' with 'image') - http://www.phpfreaks.com/forums/index.php?topic=336239.msg1583846#msg1583846 In addition to the information in that post, you can also set a session variable on your main page and then have the code that dynamically outputs the image test if that session variable is set and has the expected value. This would at least mean that someone (or a bot script) requested your main page before requesting the image. P.S. Hotlink protection that tests HTTP_REFERER is easily bypassed, and in fact most web proxy scripts set HTTP_REFERER to match the URL being requested.
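The following is an added example, not code posted in this thread, that puts the two ideas above together: the main page emits <img> tags whose src points at a PHP script, and that script only serves a file when (1) the session the main page set is present, (2) a keyed hash over the image parameters verifies, and (3) the resolved path still lies inside a directory outside the web root. Everything named here is an assumption for illustration: IMAGE_ROOT, HASH_SECRET, the $_SESSION['user'] and $_SESSION['images_ok'] keys, and the <username>/<imagename>.<ext> layout on disk. hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example (not the thread's code). Assumptions: a login page has
// already called session_start() and set $_SESSION['user'] and
// $_SESSION['images_ok']; images are stored as IMAGE_ROOT/<user>/<name>.<ext>;
// IMAGE_ROOT and HASH_SECRET live in a config file outside DocumentRoot.
declare(strict_types=1);

const IMAGE_ROOT  = '/var/www/private_images';       // assumed, not web-accessible
const HASH_SECRET = 'replace-with-32-random-bytes';  // assumed; never sent to the client

// Only these extensions are served, and the Content-Type comes from this table,
// not from the file name the client supplied.
const ALLOWED_TYPES = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

// Keyed hash (HMAC) rather than a plain salted sha256: because HASH_SECRET is
// known only to the server, a client cannot compute a valid hash for a file
// it was never handed a tag for, and cannot tamper with name or ext.
function image_token(string $user, string $name, string $ext): string
{
    return hash_hmac('sha256', $user . '|' . $name . '|' . $ext, HASH_SECRET);
}

// Called by the main page while rendering <img src="..."> for the logged-in user.
function image_url(string $user, string $name, string $ext): string
{
    return 'displayImage.php?' . http_build_query([
        'name' => $name,
        'ext'  => $ext,
        'hash' => image_token($user, $name, $ext),
    ]);
}

// Decides whether a request may be served. Returns [status, content-type, path];
// content-type and path are null whenever status is not 200. Kept free of
// globals so it can be unit-tested with constructed $query / $session arrays.
function resolve_image(array $query, array $session): array
{
    // 1. Session gate: the main page must have run in this browser session first.
    if (empty($session['user']) || empty($session['images_ok'])) {
        return [403, null, null];
    }
    $user = (string) $session['user'];
    $name = (string) ($query['name'] ?? '');
    $ext  = strtolower((string) ($query['ext'] ?? ''));
    $hash = (string) ($query['hash'] ?? '');

    // 2. Whitelist every value before it is used to build a filesystem path.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $user)
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)
        || !isset(ALLOWED_TYPES[$ext])) {
        return [400, null, null];
    }

    // 3. Constant-time comparison so timing does not leak the expected hash.
    if (!hash_equals(image_token($user, $name, $ext), $hash)) {
        return [403, null, null];
    }

    // 4. Belt and braces: confirm the canonical path is still under IMAGE_ROOT.
    $root = realpath(IMAGE_ROOT);
    $path = realpath(IMAGE_ROOT . '/' . $user . '/' . $name . '.' . $ext);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return [404, null, null];
    }
    return [200, ALLOWED_TYPES[$ext], $path];
}

// Entry point for displayImage.php.
function display_image(): void
{
    session_start();
    [$status, $type, $path] = resolve_image($_GET, $_SESSION);
    if ($status !== 200) {
        http_response_code($status);
        exit;
    }
    header('Content-Type: ' . $type);
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: private, no-store');  // keep shared caches from storing it
    readfile($path);
}
```

A copied URL is useless in a browser that does not already hold the session, and the HMAC stops anyone from editing name or ext in a URL they do have. What this cannot do is stop a legitimately logged-in viewer from saving the image: the browser has to receive the bytes to render them, so the gate decides who gets the bytes, not what they do afterwards. Note also that readfile() is a real filesystem read per request, and that the session check on its own (without the HMAC) would let a logged-in user request any name they could guess.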
Jumpy09 Posted June 16, 2011 Author PFMaBiSmAd, I read that post and the first thing that popped into my head was "Oh great, a db hit per image displayed!", but then I read the rest of your post on here and the Session Variable is actually a pretty good idea. It is only set by the server, and I could go even further and set up the permissions and such in the session, which will even further protect images from being seen. The best part is it is so simple to set up and use, and you never trust the client. Now just to figure out how I want to get it set up and figure out the best way to implement it on a per user basis, having different access levels and restrictions. Thanks a ton! "P.S. Hotlink protection that tests HTTP_REFERER is easily bypassed and in fact most web proxy scripts set HTTP_REFERER to match the URL being requested." Exactly! I know enough to know never to trust the client, so I was wanting a method that didn't require trusting the client and you definitely came through. Made my day.