
blocking access to folder and getting pictures from there

Posted: Sun Oct 23, 2005 2:10 am
by pelegk1
How can I block a folder from the users to access directly using httpd.conf?

What I want to do is, for example, that the user can't do:
http://www.aaa.com/images/1.gif

but the image can be called only from the script?
Thanks in advance
peleg

Posted: Sun Oct 23, 2005 2:26 am
by Burrito
You might be able to swing something with .htaccess, but not sure on that.

One way that would definitely work would be to map your .gif extension to your ISAPI or CGI app, then include some code at the top of a PHP page that checked if a var was set (that you'd have to set on your parent page), then if it was set, use a header to display the image. However, if someone knew the "real" image name/location, they could always just hit that and this solution wouldn't work... you could tuck them away deep somewhere though that would make it hard to find, and by using this method, the actual URL address wouldn't give anything away.

Posted: Sun Oct 23, 2005 10:45 pm
by hanji
Hello

You could put the folder above the webroot, and use a php script to display the file.

Your directory structure would be something like this...

Code:

/var/www/yoursite.com/htdocs
/var/www/yoursite.com/yoursecretfolder

In /var/www/yoursite.com/htdocs/ you would have a file where you could do authentication, etc... and display the image. I'll use access.php as an example. By setting yoursecretfolder where it is, it won't be accessible, since it is above the webroot.

In this script you could validate the user, etc., and if this user is 'ok', then you would show this bit of HTML:

Code:

<img src="image.php" border=0>

Notice the image source is image.php. In image.php you would have the following code...

Code:

<?php
        // Absolute path to the image, stored outside the web-accessible htdocs directory
        $file = "/var/www/yoursite.com/yoursecretfolder/1.gif";
        if (file_exists($file) && !is_dir($file)) {
             // Tell the browser what is coming; change this header for other file types
             header("Content-Type: image/gif");
             // Open in binary mode and send the whole file
             $handle       = fopen($file, "rb");
             $file_content = fread($handle, filesize($file));
             fclose($handle);
             echo $file_content;
        }
?>

You could obviously pass information to image.php, but please use a database, and be careful with your fopen() call, since there are multiple security risks associated with this. I would suggest passing a UID string from the database, then do a MySQL lookup on image.php to grab an appropriate image, etc. You could also do this with other types of files; just change the header handling.

Hope this helps
hanji
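
An added example, not part of hanji's post or the thread: one way image.php could take a UID, look the filename up with a prepared statement, and refuse anything that resolves outside the image folder. The images(uid, filename) table, the uid query parameter, the $_SESSION['user_ok'] flag and the database credentials are assumptions.

```php
<?php
// Added example, not code from the thread. The images(uid, filename) table,
// the "uid" parameter, $_SESSION['user_ok'] and the DSN are assumptions.
declare(strict_types=1);

const IMAGE_DIR = '/var/www/yoursite.com/yoursecretfolder';
const TYPES = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

/** Map an opaque UID to a file inside $baseDir; null means "do not serve". */
function resolve_image(PDO $db, string $uid, string $baseDir): ?string
{
    // Accept only the UID format the site issues (assumed: 32 hex characters).
    if (!preg_match('/\A[a-f0-9]{32}\z/', $uid)) {
        return null;
    }
    // Prepared statement: the UID never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT filename FROM images WHERE uid = ?');
    $stmt->execute([$uid]);
    $name = $stmt->fetchColumn();
    if (!is_string($name)) {
        return null;
    }
    // Resolve ".." and symlinks, then require the result to stay under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
$uid = $_GET['uid'] ?? '';
$path = null;
if (!empty($_SESSION['user_ok']) && is_string($uid)) {   // flag set by access.php after login
    $db = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass'); // placeholders
    $path = resolve_image($db, $uid, IMAGE_DIR);
}
$type = $path === null ? null : (TYPES[strtolower(pathinfo($path, PATHINFO_EXTENSION))] ?? null);
if ($type === null) {
    http_response_code(404);   // same answer for "not logged in" and "no such image"
    exit;
}
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The page that passes the login check would then emit `<img src="image.php?uid=...">` with a UID taken from the same table.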