MacroCurse

Denying access to folder of website except thru a specific php file


Hello, first-time poster here.

So I have been in the process of designing a website that would give images to users. But only the owner of an image will get their own image.

And some people who are invalid may not access their image until I make them valid users.

So my problem is I want to stop people from accessing these images by typing their mysite.com/path, and have these files only be accessible via a PHP file that is in my website.

How do I go about doing that?

Is it that I am new to this, or is there not a convenient way to do this?

Thanks in advance


I'm not sure about the "giving" images thing, but

If you don't want someone to access a file directly then you don't make it a file they can access directly. Put the image files somewhere not accessible by typing in a URL (meaning they don't go in your public_html or www or whatever directory where your website files go), then create a PHP script that shows the image instead - but only after it runs some other code to make sure it actually should display the image.

Basically,

<?php

// include your common header file or session_start or whatever

// figure out what image was requested
// ex: /script.php?image=whatever.jpg then $_GET["image"]
// basename() drops any directory part so "../" can't reach other files
$image = basename($_GET["image"] ?? "");

// look up whether the user can see the image
// (placeholder value: replace with your own check)
$user_can_see_image = false;

// if they can't then show a "not allowed" image instead (or maybe do something else)
if (!$user_can_see_image || $image === "") {
  $image = "notallowed.jpg";
}

$file = "/path/to/your/images/" . $image;

// output the image
header("Content-Type: image/jpeg"); // this changes for different types of images!
header("Content-Length: " . filesize($file));
readfile($file);

After that's in place you can worry about things like making the URL look prettier (maybe /image/whatever.jpg) or enabling caching to save you bandwidth.


Thank you for the reply.

Newbie here, going to ask again; I think I should give more details.

Firstly, I can't place those said files outside of the public folder since for the time being I am on a free host.

Second, I have already filtered whether the user is valid to get an image after logging in.

Both of the above filters come from an SQL database; then, if the user is valid, I search for all images that belong to the user, which are their login username-n.jpg, and can echo the images fine.

However, I want to a. redirect all access to the images except a referrer from the PHP that echoes out the images (not preferred)

Or b. password protect the folder and send out images with a script back to the PHP file which echoes the images (would love to do it this way)

Now my question is: can I send the image names back to fetcherscript.php so I don't do all that process over there, or do I have to?

Thanks in advance


Can you use .htaccess files? Or does the host provide a way to do URL rewriting?


Thank you for the reply, yes I can.

I have done the script to send images back to my pagethatechosimages.php.

However, once I restrict access to the protected folder with htaccess, it does not want to work.

I have done the same thing with the database connection PHP: restrict all access to it and include_once, which works fine.

But for the script that sends images, it does not work when I use htaccess on that folder, but works fine the other way.

Another detail is that the database conn PHP and the page which echoes images are in the same directory, but the script that sends images is in a different directory.

I have tested require and include but none works. And I have placed the correct path too in require/include, e.g. '../example/script.php'

Edit: Well, by "it does not want to work" I mean it downloads the page that echoes images lmao.

I am really new to this, sorry.


It's time for some real details. What is the URL to the images (the ones that will be in a password-protected directory) and to the script for outputting the images? What is the code for that script? Where are the include files and whatever that you need to use in that script?


Alright, here are all the details you asked about; if I missed something please let me know.

1 - What is the URL to the images: from the PHP file that echoes images it's like so ../images/(4 sub folders here), and the password protection should start from /images

2 - The script that would fetch the images and send them into the page that prints images (from now on I will call echo print in this thread) is located inside the /images folder

3 - Code for the fetcher PHP which sends the images back to the printing page

-----------------------------------------

<?php
//start session to check if user typed url
session_start();

if (!isset($_SESSION['Confidental'])) {
    header("LOCATION: ../index.php?error=testnumber34");
    exit();
} else {
    $img = $_SESSION["Confidental2"];
    $image = $_GET["image"];
    $file = "subfolderinsideimagesfolder/" . $img;
    header('Content-Type: image/jpg');
    header("Content-Length: " . filesize($file));
    readfile($file);
    unset($file);
}
?>

--------------------------

4 - The code for outputting (printing the images)

-------------------------

foreach ($imgs as $img) {
    //placed here
    $_SESSION["Confidental2"] = $img;
    echo '<img class= "resimg" src="../lmages/fetcher.php/"> <br> <br>';
    //placed here too
}

It's inside a loop because I want to know how many images this user has and print all their images (no worries about this, this part works as I want it to).

However, here is another issue: the $_SESSION["Confidental2"] is how I tell the fetcher.php which image to print, but for some reason it just outputs only one of them,

even though I have tried the UNSET function in the foreach loop (placed in the //comment areas and tested but no luck. PS: 1 at a time, not both together)

Just now, MacroCurse said:

foreach ($imgs as $img)

This $imgs is done via preg_grep (which works as I want it to).


The session is not a magical place where you can store whatever you want and get it back from anywhere else. Do not use it as a way to transfer data from one script to the next. Do use it to share data across the entire website.

Does the image name need to be shared across the entire website? No. It needs to be transferred from whatever original script to fetcher.php. And to transfer data like that you need to use query strings, as in

$query = http_build_query(["image" => $img]);
echo '<img class="resimg" src="../Images/fetcher.php?', $query, '"><br><br>';

Then fetcher.php grabs the image name from $_GET. Which it almost does now, except it completely ignores that value and goes with the one in $_SESSION instead.

Anyone can see that URL and anyone can change it to be whatever they want. To address that, fetcher.php should get the basename of the image, then look to see if that file exists in the subfolder.
For the Content-Type, I specifically said that the value changes for different images. Here is a list.

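A fetcher.php along the lines described in the reply above (basename of the requested name, then a check that the file exists in the subfolder), written as an added example that is not code from either poster. It assumes, hypothetically, that the login code stores the user's name in $_SESSION['username'] and that files follow the username-n.jpg naming mentioned earlier in the thread; it answers 404 rather than serving a "not allowed" image.

```php
<?php
// fetcher.php - added example, not code from the thread.
// Assumptions (hypothetical): login stores the name in $_SESSION['username'],
// and a user's files are named "<username>-<n>.<ext>".
session_start();

const IMAGE_DIR  = __DIR__ . '/subfolderinsideimagesfolder';
const MIME_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                    'png' => 'image/png',  'gif'  => 'image/gif'];

// Returns the full path if $requested names an image owned by $username, else null.
function resolve_image(string $requested, string $username): ?string
{
    // basename() drops any directory part, so "../" cannot leave IMAGE_DIR.
    $name = basename($requested);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, MIME_TYPES)) {
        return null; // only known image types are ever served
    }
    // Ownership: exactly "<username>-<digits>.<ext>". Requiring digits right
    // before the dot stops user "bob" from matching "bob-1-2.jpg" (user "bob-1").
    $pattern = '/^' . preg_quote($username, '/') . '-\d+\.[A-Za-z]+$/';
    if ($username === '' || !preg_match($pattern, $name)) {
        return null;
    }
    $path = IMAGE_DIR . '/' . $name;
    return is_file($path) ? $path : null;
}

$username = $_SESSION['username'] ?? '';
$image    = $_GET['image'] ?? '';
// ?image[]=x arrives as an array, so accept strings only.
$path = is_string($image) ? resolve_image($image, $username) : null;

if ($path === null) {
    // Same answer for "not yours" and "does not exist", so names cannot be probed.
    http_response_code(404);
    exit;
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private'); // shared caches must not store per-user images
readfile($path);
```

The printing page then links each image with the query string built by http_build_query, as in the reply above.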

Thank you, but I take it you know I am new to PHP.

And nor can I make anything out of the code you did above, nor can I find anything on the piece of code.

This is the main PHP side; what about the fetcher side, what do I change there aside from removing the session?

And this is in the end not the main issue; I want to know if there is any way I can protect my images folder from outsiders and only accessible from one PHP page or only from local (host server).

On 7/22/2020 at 1:57 PM, MacroCurse said:

And nor can I make anything out of the code you did above, nor can I find anything on the piece of code.

Now is a good time to learn.

 

On 7/22/2020 at 1:57 PM, MacroCurse said:

This is the main PHP side; what about the fetcher side, what do I change there aside from removing the session?

You do what I said: forget the $_SESSION and use $_GET instead, like it's almost doing now.
But to use $_GET you'll have to make sure there actually is a value there in the query string for it to read from. The code I posted is most of the work - all you have to do is figure out what variables it should use.

 

On 7/22/2020 at 1:57 PM, MacroCurse said:

And this is in the end not the main issue; I want to know if there is any way I can protect my images folder from outsiders and only accessible from one PHP page or only from local (host server).

Didn't you already say you were going to password-protect it?
