Blocking access to folder and getting pictures from there

Post by pelegk1 »

How can I block users from accessing a folder directly, using httpd.conf?

What I want is, for example, that the user can't do:
http://www.aaa.com/images/1.gif

but the image can be called only from the script?
Thanks in advance
peleg

Post by Burrito »

You might be able to swing something with .htaccess, but not sure on that.

One way that would definitely work would be to map your .gif extension to your ISAPI or CGI app, then include some code at the top of a PHP page that checked if a var was set (that you'd have to set on your parent page), then if it was set, use a header to display the image. However, if someone knew the "real" image name/location, they could always just hit that and this solution wouldn't work... you could tuck them away deep somewhere though, which would make it hard to find, and by using this method, the actual URL address wouldn't give anything away.

Post by hanji »

Hello

You could put the folder above the webroot, and use a PHP script to display the file.

Your directory structure would be something like this...

Code:

/var/www/yoursite.com/htdocs
/var/www/yoursite.com/yoursecretfolder

In /var/www/yoursite.com/htdocs/ you would have a file where you could do authentication, etc... and display the image. I'll use access.php as an example. By setting yoursecretfolder where it is, it won't be accessible, since it is above the webroot.

In this script you could validate user, etc.. and if this user is 'ok'.. then you would show this bit of HTML..

Code:

<img src="image.php" border=0>

Notice the image source is image.php. In image.php you would have the following code...

Code:

<?php
    // The image lives outside the webroot, so it can only be reached through this script.
    $file = "/var/www/yoursite.com/yoursecretfolder/1.gif";
    if (file_exists($file) && !is_dir($file)) {
        // Tell the browser what kind of data follows.
        header("Content-Type: image/gif");
        // Open in binary mode so the image bytes are read unchanged.
        $handle       = fopen($file, "rb");
        $file_content = fread($handle, filesize($file));
        fclose($handle);
        echo $file_content;
    }
?>

You could obviously pass information to image.php.. but please use a database.. and be careful with your fopen() call.. since there are multiple security risks associated with this. I would suggest passing a UID string from the database, then do a MySQL lookup on image.php to grab an appropriate image, etc. You could also do this with other types of files.. just change the header handling.

Hope this helps
hanji
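
One way to follow the advice in the post above about passing a UID to image.php and being careful with the file call, as an added example that is not part of the original thread. The session flag user_ok, the id parameter and the $images array (standing in for the MySQL lookup) are assumptions made for illustration.

```php
<?php
// image.php (added example): serve an image stored outside the webroot by ID.
session_start();

// Assumption: access.php sets this flag after it has validated the user.
if (empty($_SESSION['user_ok'])) {
    http_response_code(403);
    exit;
}

// Assumed location, taken from the directory layout in the post.
$baseDir = '/var/www/yoursite.com/yoursecretfolder';

// Constructed sample data standing in for the database lookup (UID => file name).
$images = [
    'a3f1c9' => '1.gif',
    '7be204' => 'logo.png',
];

// The client only ever sends an opaque ID, never a path or file name.
$uid = $_GET['id'] ?? '';
if (!is_string($uid) || !isset($images[$uid])) {
    http_response_code(404);
    exit;
}

// Resolve symlinks and ".." and confirm the result is still inside $baseDir.
$base = realpath($baseDir);
$path = realpath($baseDir . '/' . $images[$uid]);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit;
}

// Only send content types this script is meant to serve.
$types = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
$ext   = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($types[$ext])) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The page would then reference it as image.php?id=a3f1c9, so the real file name and location never appear in the HTML.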