Direct Image link a NO NO!

[dennismonsewicz]

I have a download script that allows users to download stock photography off of my site. Well If someone has a direct link to the image then they can download the image. Is there a way to stop the direct link?

[BlueSkyIS]

i would hide the actual image name via database key or code, then send the image to the browser, not link directly to it. that way you can also ensure the user is logged on to have access.

 

another alternative: use .htaccess to control what users have access to files in particular places.

[dennismonsewicz]

Hmmmm, well storing the image in a DB is a no no, cause you don't want to insert binary data into the db. So how would i achieve inserting the key or code in to a db?

 

And I, sadly this is true, do not have .htaccess running cause we have an IIS server I KNOW I KNOW it is very sad

[jkewlo]

whats wrong with storing binary data into the database?

 

OLE object or a BLOB

 

im doing it. and have no problems

[BlueSkyIS]

when you store an image, you store the image name and that table should have a unique id primary key. your table may look like...

 

Images

id - int, primary_key, autoincrement

image_name - varchar(64)

 

so give the id of the image, you can get the name. in code, use the id to get the image, then send the image to the browser. by the time the visitor gets to this place, you have already verified that they have permission to view the image.

[BlueSkyIS]

whats wrong with storing binary data into the database?

 

OLE object or a BLOB

 

im doing it. and have no problems

 

yet. i hope your database doesn't ever crash or get even minimally damaged.

 

it doesn't make sense from virtually any standpoint. it's a lot more overhead in queries, a lot larger database, and much more trouble than simply storing the file on the server and referencing it. plus, if your database crashes for any reason, your stored binaries might be toast. if you store the images separately, you avoid all of these pitfalls. what are the advantages?

[dennismonsewicz]

Well adding an image into a DB via binary data becomes a problem when you need to backup a DB or when you get tons of records because it becomes bogged down. Now I have been told this recently, so I have not experienced these problems, so I could sound like a complete moron

[dennismonsewicz]

Ok

 

here is my code:

 

<?php

$username = $_GET['username'];
$id    = $_GET['id'];

if(isset($username))
	{
		require "../includes/sql.php";
		$query = "UPDATE uploads SET downloaded_by = '$username'  WHERE id = '$id'";
		mysql_query($query) or die("ERROR: " . mysql_error());
	}

if(isset($username))
{	
// if id is set then get the file with the id from database

include "../includes/sql.php";

$query = "SELECT name, type, size " .
		 "FROM uploads WHERE id = '$id'";

$result = mysql_query($query) or die('Error, query failed');
list($name, $type, $size) = mysql_fetch_array($result);

header("Content-length: $size");
header("Content-type: $type");
header("Content-Disposition: attachment; filename=$name");

readfile($name);

exit;
}	


?>

 

can you send the id to the header verifying the id and username?