prevent image folder access without a username and password

irprog
Forum Newbie
Posts: 9
Joined: Wed Mar 31, 2004 5:57 am


Post by irprog »

I am allowing clients to download images by clicking on an icon and downloading the image from a popup window. The problem is that my code authenticates the user's id and image id, but I can't prevent them from guessing the names of other images in the folder and downloading them too. I cannot password out the folder because the popup requires direct access to the folder.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Are these images to be available for download? If not, you can just password protect the folder, or move the folder out of the document root, then make a PHP file that opens the image and passes it to the client's browser. So, rather than calling the image, you call this PHP page and it sends the correct image file for you.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
irprog
Forum Newbie
Posts: 9
Joined: Wed Mar 31, 2004 5:57 am

Post by irprog »

They are available for download. I am selling them as photographs, so until they are bought they have a watermark. Once purchased, a customer can open a popup window from a thumbnail of the image and download the non-watermarked image. Works well, but if they look at the properties for the large image they could guess the name of images they haven't paid for and download them by writing the path into the address bar.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Well how I'd do it then is in that pop up, just have a link to "image.php?id=324". Then, in image.php, check if the logged in user has bought the picture with id '324' and if they have, let them download it. If not - well, do what you want.
irprog
Forum Newbie
Posts: 9
Joined: Wed Mar 31, 2004 5:57 am

Post by irprog »

I am already doing that. The problem is I allow the purchaser to right click on the image and "save picture as...". If they look at the image properties they can see where it's stored. If they are smart enough they can paste the URL into the address bar and guess the names of other files. Then they just show in the browser and they can save as many as they want.
genetix
Forum Contributor
Posts: 115
Joined: Fri Aug 01, 2003 7:40 pm
Location: Sask, Regina

Post by genetix »

This would work, whether or not it would work instantly I'm not sure.

Why don't you: (steps)
1. User pays for image
- Script copies image from hidden folder and pastes it with a random number as the name
2. User loads popup
- When the site is done loading the script sends a response back to the server to delete the temporary file.

This would initially only leave the file on the server for a max of like 15 seconds. Would be less if your client had a faster internet connection.

If you want someone to design this for you send me an email: lshaheen@accesscomm.ca
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

irprog wrote:I am already doing that. The problem is I allow the purchaser to right click on the image and "save picture as.." . If they look at the image properties they can see where it's stored. If they are smart enough they can paste the URL into the address bar and guess the names of other files. Then they just show in the browser and they can save as many as they want.
That is why you should store your images in a non-public (= not accessible by a url) directory.

This way, the only way to refer to the file is through image.php. And there you can perform all the validation you want.
irprog
Forum Newbie
Posts: 9
Joined: Wed Mar 31, 2004 5:57 am

Post by irprog »

genetix - how would you know when the user has downloaded the file?
timvw - that would solve the problem of direct access to the folder. I could turn indexing off for that folder, but then I'd have to add code to copy from it into a temp folder and I'd still have the same problem as above.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

irprog wrote:I am already doing that. The problem is I allow the purchaser to right click on the image and "save picture as.." . If they look at the image properties they can see where it's stored. If they are smart enough they can paste the URL into the address bar and guess the names of other files. Then they just show in the browser and they can save as many as they want.
If you use image.php, the user would never see the actual location of the images:

<body>
...
<img src="image.php?id=335">
...
</body>
If they try and circumvent the system by putting in different ID numbers, then use image.php to do a DB check to see if they're allowed to access that image. If not, then don't output the image.

- Another alternative would be storing the image data itself in a database.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

irprog wrote: timvw - that would solve the problem of direct access to the folder.
yes.
irprog wrote: I could turn indexing off for that folder but then I'd have to add code to copy from it into a temp folder and I'd still have the same problem as above.
It doesn't matter if indexing is on/off... because it's a non-public directory; nobody can surf to it... And no, you don't have to copy it to a temp folder.

Basically image.php or download.php would work like this (a little snippet from the system we use):

<?php
// get requested stuff
// validate if user is allowed to download the stuff

// lookup mime type etc...
// output correct headers
// output with readfile

if (!$allowed)
{
  // redirect to error page and stop here, otherwise the file below is still sent
  header('Location: ' . $settings['site']['url'] . 'error.php');
  exit;
}
else
{
  header('Content-Length: ' . filesize($path));
  header('Content-Type: video/' . $extension);
  header('Content-Disposition: attachment; filename="' . $file . '"');
  readfile($path);
}
irprog
Forum Newbie
Posts: 9
Joined: Wed Mar 31, 2004 5:57 am

Post by irprog »

Will this still insert an image in the popup window which can be right-clicked for downloading?
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

irprog wrote:Will this still insert an image in the popup window which can be right-clicked for downloading?
Any image that the user can visually see can be "right clicked" in one way or another.


This thread is related to what you're doing. It's not perfectly suited to what you're doing, but the concept is exactly the same, and it's the same concept as suggested in this thread too.

viewtopic.php?t=28026
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

just make your image.php a little smarter:

if the user is not allowed to download it / request a preview -> output the image with watermark

else send the image without watermark.
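An added example, not code from any post in this thread, of the image.php gatekeeper the replies describe: originals kept outside the document root, the filename taken from the database rather than the URL, and the watermarked copy served unless the logged-in user has bought that id. Assumed (not from the thread): a PDO connection, tables images(id, filename, mime) and purchases(user_id, image_id), files under /var/www/private/, and the user's id in $_SESSION['user_id'].

```php
<?php
// image.php?id=335 -- added example. Assumed layout: /var/www/private/originals/
// and /var/www/private/watermarked/ are NOT under the document root, so the
// only way a browser can reach a file is through this script.
declare(strict_types=1);
session_start();
const PRIVATE_DIR = '/var/www/private';                                   // assumed
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'shop', 'secret');     // assumed DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// 1. The only client-controlled input is a positive integer id; reject anything else.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('bad id');
}

// 2. The filename comes from the database, never from the URL, so guessing
//    ids only ever yields files this script chooses to hand out.
$stmt = $pdo->prepare('SELECT filename, mime FROM images WHERE id = ?');
$stmt->execute([$id]);
$image = $stmt->fetch(PDO::FETCH_ASSOC);
if ($image === false) {
    http_response_code(404);
    exit('no such image');
}

// 3. Watermarked preview for everyone; clean original only after purchase.
$userId = $_SESSION['user_id'] ?? null;
$bought = false;
if ($userId !== null) {
    $chk = $pdo->prepare('SELECT 1 FROM purchases WHERE user_id = ? AND image_id = ?');
    $chk->execute([$userId, $id]);
    $bought = (bool) $chk->fetchColumn();
}
// basename() strips any directory part that might have crept into the stored name.
$path = PRIVATE_DIR . ($bought ? '/originals/' : '/watermarked/') . basename($image['filename']);
if (!is_file($path)) {
    http_response_code(404);
    exit('file missing');
}

// 4. Send the bytes ourselves; the browser only ever sees image.php?id=335.
header('Content-Type: ' . $image['mime']);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
if ($bought) {
    header('Content-Disposition: attachment; filename="' . basename($image['filename']) . '"');
}
readfile($path);
```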
id-communications
Forum Newbie
Posts: 1
Joined: Wed Mar 31, 2004 5:35 am

Post by id-communications »

Thanks for that. Works well now