htaccess

vivekjain
Forum Commoner
Posts: 76
Joined: Thu Jan 08, 2004 12:38 am

htaccess

Post by vivekjain »

Hi,
I was looking for a solution to a problem that I was facing. I have a web application, and I don't want users to access the images directly using a URL, e.g., http://www.site.com/images/pic1.jpg. I checked on Google, and they suggest using an htaccess file for this, with this in the file:

"Order deny,allow
deny from all
allow from localhost
"

But this doesn't seem to help; I can still access the images using the URL.
Can anyone help me with this?

Thanks
nathanr
Forum Contributor
Posts: 200
Joined: Wed Jun 07, 2006 5:46 pm

Post by nathanr »

you could do it using php instead of .htaccess

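Code:

<img src="get_img.php?id=3" />

Code:

<?php
// get_img.php source
// Cast the id to an integer so only a numeric image id ends up in the redirect URL
$img = isset($_GET['id']) ? (int) $_GET['id'] : 0;
// Redirect the browser to the real image location
$loc = "Location: http://www.domain.com/hidden/images/" . $img . ".gif";
header($loc);
?>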
something like that will do the trick, very basic but works; not sure why you'd need it though
derchris
Forum Commoner
Posts: 44
Joined: Sat Jun 10, 2006 6:14 pm

Post by derchris »

The .htaccess thing won't work, as the User would never see an Image in their Browser.
I would move all Images to a folder outside of the webroot, and do it with PHP instead.
vivekjain
Forum Commoner
Posts: 76
Joined: Thu Jan 08, 2004 12:38 am

htaccess

Post by vivekjain »

Hi,
Thanks for your replies.
We have set up a photo gallery (using Mambo) for our client, it is a paid membership site, where visitors can only access preview galleries but need to subscribe in order to access all the galleries on the site.
We’re having a problem that if people know (or members redistribute) the entire path to each photo, then anyone can access it (without having the required subscription).

Is there a way of securing the photos from direct access?

Thanks
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

derchris has the right idea, move all your photos outside the webroot so no user will be able to access the images directly. Have a script serve the image after being authenticated with the proper credentials or whatnot.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

This obviously needs a lot of improvement, but hopefully you get the idea:

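Code:

<img src="get_img.php?name=myimage.jpg" />

Code:

<?php
// $user is assumed to be the application's authenticated-user object
$types = array('jpg' => 'jpeg', 'jpeg' => 'jpeg', 'png' => 'png', 'gif' => 'gif');   // extension => image subtype
$img = preg_replace('/[^a-zA-Z0-9\_\-\.]/', '', $_GET['name']);   // filter name to prevent injection
$img = trim($img, '/.');   // don't allow any paths
$ext = strtolower(pathinfo($img, PATHINFO_EXTENSION));   // file extension decides the type
$img = '/full/path/to/dir/' . $img;   // full path to image
if ($user->isSignedIn() && isset($types[$ext]) && is_file($img)) {
   header("Content-type: image/" . $types[$ext]);   // e.g. image/jpeg for .jpg
   readfile($img);
} else {
   header("Content-type: image/gif");
   readfile('/full/path/to/error.gif');
}
?>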
Jcart | fixed code error ;)
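
The approach derchris and John Cartwright describe (images kept outside the webroot and served by a script only after an access check), written out as an added example that is not code from any poster in this thread. IMAGE_DIR and the `$_SESSION['subscriber']` flag are assumptions; substitute the application's own membership check.

```php
<?php
// get_img.php: added example, not code posted in this thread.
// IMAGE_DIR and the $_SESSION['subscriber'] flag are assumptions (hypothetical names).
declare(strict_types=1);

const IMAGE_DIR  = '/full/path/to/dir';   // directory outside the webroot
const MIME_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

/** Return [path, mime] for an allowed image inside $baseDir, or null. */
function resolveImage(string $baseDir, string $name): ?array
{
    $base = realpath($baseDir);
    // basename() discards any directory part of the request ("../x" becomes "x").
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . basename($name));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so confirm the target is still under the base.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Decide the type from an allowlist keyed on the resolved file's extension.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, MIME_TYPES) ? [$path, MIME_TYPES[$ext]] : null;
}

session_start();
if (empty($_SESSION['subscriber'])) {     // assumed to be set by the login code
    http_response_code(403);              // not a subscriber: refuse
    exit;
}

$name  = $_GET['name'] ?? '';
$image = is_string($name) ? resolveImage(IMAGE_DIR, $name) : null;
if ($image === null) {
    http_response_code(404);              // unknown, non-image or out-of-directory name
    exit;
}

[$path, $mime] = $image;
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');   // keep shared caches from storing paid content
readfile($path);
```

Because the files live outside the webroot, a redistributed image URL only ever reaches this script, which answers 403 without a subscriber session.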
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

Take a look at this thread for a way to do this without modifying established URLs or editing any <img> elements.
vivekjain
Forum Commoner
Posts: 76
Joined: Thu Jan 08, 2004 12:38 am

htaccess

Post by vivekjain »

Thanks for your reply. Did check on the link.
I am assuming that the .htaccess file needs to be in the folder that has the images. And also is the servlet used to display images to authenticated users?

If you can explain the steps, will appreciate it.

Thank you
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Re: htaccess

Post by bokehman »

vivekjain wrote: I am assuming that the .htaccess file needs to be in the folder that has the images. And also is the servlet used to display images to authenticated users?

That would be the easiest way.

On the line that is commented "check client authority" (or similar), add whatever security check you wish to apply to the image, if any.