Jumpy09 Posted June 16, 2011 Share Posted June 16, 2011 Okay so a few months ago I coded up a nice system to get images to display from outside the public directory to prevent direct access to any photos on my Server. The system works good, but I am trying to upgrade some of the security features to prevent direct access to images and only allow the images to be displayed through the <img> tags. So I query the Database and get all the information I need to display an image: The username, the image name, and the file extension. Hash these values with some salt in sha256, and place the information in an Image tag. <img src="displayImage.php?id=5&name=h4g3h3h3gd8d7dhwei&ext=png&hash=>>hashvalue<<" alt="QuoteofImage"> Now the file gets called, the header gets modified to make it read the file and display as an Image. It works great, but I am afraid you will be able to put the url in the Database and defeat the purpose of Private Folders, or Folder Permissions. So I want to prevent access through the url, but still allow it to be placed in the <img> tags. I was thinking about .htaccess to prevent access from anything except localhost, but I have a feeling the file is getting called by the client and not the server. Any suggestions? Quote Link to comment https://forums.phpfreaks.com/topic/239549-images-display-via-php-prevent-direct-access/ Share on other sites More sharing options...
redixx Posted June 16, 2011 Share Posted June 16, 2011 http://www.htaccesstools.com/hotlink-protection/ Quote Link to comment https://forums.phpfreaks.com/topic/239549-images-display-via-php-prevent-direct-access/#findComment-1230524 Share on other sites More sharing options...
Jumpy09 Posted June 16, 2011 Author Share Posted June 16, 2011 I had considered Hotlink Protection, but it is pretty much for a particular file type. Since I am creating the images via the .php file I have no idea how to hotlink protect a specific file. And yes, I did do a Google Search. They have a lot of good advice, but nothing on how to hotlink protect a specific file. Quote Link to comment https://forums.phpfreaks.com/topic/239549-images-display-via-php-prevent-direct-access/#findComment-1230537 Share on other sites More sharing options...
redixx Posted June 16, 2011 Share Posted June 16, 2011 I believe you can use regex in the .htaccess for the hotlink protection, so it can be more complex than just a filename identifier. However, I am not particularly good with .htaccess so I will let someone else jump in. Quote Link to comment https://forums.phpfreaks.com/topic/239549-images-display-via-php-prevent-direct-access/#findComment-1230538 Share on other sites More sharing options...
PFMaBiSmAd Posted June 16, 2011 Share Posted June 16, 2011 I have a feeling the file is getting called by the client and not the server ^^^ That's correct. The browser requests all the media files on a web page. When you output an <img src="" alt=""> HTML tag as part of a web page, it is the browser that makes a http request for the URL that is in the src="" attribute. There is no difference between that http request and someone putting that URL into their browser's address bar. If you want to secure the files being output, read the post at the following link (replace references to 'download' with 'image') - http://www.phpfreaks.com/forums/index.php?topic=336239.msg1583846#msg1583846 In addition to the information in that post, you can also set a session variable on your main page and then have the code that dynamically outputs the image test if that session variable is set and has the expected value. This would at least mean that someone (or a bot script) requested your main page before requesting the image. P.S. Hotlink protection that tests HTTP_REFERER is easily bypassed and in fact most web proxy scripts set HTTP_REFERER to match the URL being requested. Quote Link to comment https://forums.phpfreaks.com/topic/239549-images-display-via-php-prevent-direct-access/#findComment-1230558 Share on other sites More sharing options...
Jumpy09 Posted June 16, 2011 Author Share Posted June 16, 2011 PFMaBiSmAd I read that post and the first thing that popped into my head was "Oh great, a db hit per image displayed!", but then I read the rest of your post on here and the Session Variable is actually a pretty good idea. It is only set by the server, and I could go even further and set up the permissions and such in the session which will even further protect images from being seen. The best part is it is so simple to set up, and use and you never trust the client. Now just to figure out how I want to get it set up and figure out the best way to implement it on a per user basis, having different access levels and restrictions. Thanks a ton! P.S. Hotlink protection that tests HTTP_REFERER is easily bypassed and in fact most web proxy scripts set HTTP_REFERER to match the URL being requested. Exactly! I know enough to know never trust the client, so I was wanting a method that didn't require trusting the client and you definitely came through. Made my day. Quote Link to comment https://forums.phpfreaks.com/topic/239549-images-display-via-php-prevent-direct-access/#findComment-1230571 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.