I'm creating a site where users can upload images (already works). They can view their images, but I want to make sure they can't use the direct link to the image. So when the image is stored in 'files/image' (note how it does not have an extension), I'd like to display it on the page without having that ('files/image') in the link, so they cannot link to that image on other sites or try to steal other users' images.
All the errors are currently 'invalid file id', because it does not tell a user (if he tries to hack something) what he's doing wrong.
id = the id of the photo, stored in the database. 'files/$id' is the location of the photo
uid = the id of the user who uploaded the photo
original = the original name of the photo
Code:
    if ($action == 'view') {
        if (!isset($id)) {
            $error = "Invalid file id!";
        } else {
            // Escape $id before it is placed in the query string (SQL injection)
            $res = mysql_query("SELECT uid, original FROM files WHERE name = '" . mysql_real_escape_string($id) . "'");
            if ($u = mysql_fetch_array($res)) {
                // Only the user who uploaded the file may view it
                if ($u['uid'] != $thisuser['id']) {
                    $error = "Invalid file id!";
                } else {
                    //show the image here
                    $url = "files/" . $id;
                }
            } else {
                $error = "Invalid file id!";
            }
        }
    }

I managed to get the whole image in a var by adding this under url = bla bla
Code:
    $image = file($url);

Any other script to make the url invalid would also do the trick
Thanx in advance,
MaNiAC
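
An added example, not part of the original post: one way to serve the image through a script that repeats the ownership check, so 'files/$id' never appears in a link. The script name view.php, the upload path, the session key 'uid', the id format and the database credentials are assumptions; the table and column names are the ones from the post.

```php
<?php
declare(strict_types=1);

// Assumed: uploads live outside the web root (or the server denies direct
// requests to them), so this script is the only way to reach a file.
const UPLOAD_DIR = '/var/www/private/files';             // assumed path
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

// Returns [path, MIME type] if $id is a stored image owned by $userId, or
// null for every kind of failure, so the caller answers all of them alike.
function find_owned_image(PDO $pdo, int $userId, string $id): ?array
{
    // Assumed id format: an opaque token. Anything path-like is rejected.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return null;
    }
    // Ownership is part of the query: another user's id finds no row.
    $stmt = $pdo->prepare('SELECT name FROM files WHERE name = ? AND uid = ?');
    $stmt->execute([$id, $userId]);
    if ($stmt->fetchColumn() === false) {
        return null;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        return null;
    }
    // The stored file has no extension, so the type is read from its content.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($type, ALLOWED_TYPES, true) ? [$path, $type] : null;
}

session_start();
$pdo = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass'); // assumed
$found = isset($_SESSION['uid'], $_GET['id']) && is_string($_GET['id'])
    ? find_owned_image($pdo, (int) $_SESSION['uid'], $_GET['id'])
    : null;

if ($found === null) {
    http_response_code(404);
    exit('Invalid file id!');   // same message for every failure, as in the post
}
[$path, $type] = $found;
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

The page then embeds the picture with an img tag whose src is view.php?id= followed by the file id; a request without the uploader's session, such as one from another site, gets the 404.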