Page 1 of 1
htaccess
Posted: Mon Jun 12, 2006 8:34 am
by vivekjain
Hi,
I was looking for a solution to a problem that I was facing. I have an web application, and I dont want users to access the images directly using a URL, eg,
http://www.site.com/images/pic1.jpg. I checked on google, and they suggest using htaccess file for this with this in the file
"Order deny,allow
deny from all
allow from localhost
"
But this doesnt seem to help, I can yet access the images using the URL.
Can anyone help me with this?
Thanks
Posted: Mon Jun 12, 2006 8:50 am
by nathanr
you could do it using php instead of .htaccess
Code: Select all
<?
// get_img.php source
$img = $_GET['id'];
$loc = "Location: http://www.domain.com/hidden/images/".$img .".gif";
header($loc);
?>
something like that will do the trick, very basic but works; not sure why you'd need it though
Posted: Mon Jun 12, 2006 9:41 am
by derchris
The .htaccess thing won't work, as the User would never see an Image in their Browser.
I would move all Images to a folder outside of the webroot, and do it with PHP instead.
htaccess
Posted: Tue Jun 13, 2006 12:33 am
by vivekjain
Hi,
Thanks for your replies.
We have set up a photo gallery (using Mambo) for our client, it is a paid membership site, where visitors can only access preview galleries but need to subscribe in order to access all the galleries on the site.
We’re having a problem that if people know (or members redistribute) the entire path to each photo, then anyone can access it (without having the required subscription).
Is there a way of securing the photos from direct access?
Thanks
Posted: Tue Jun 13, 2006 12:56 am
by John Cartwright
derchris has the right idea, move all your photos outside the webroot so no user will be able to directly access the images directly. Have a script serve the image after being authenticated with the proper credentials or whatnot.
Posted: Tue Jun 13, 2006 1:04 am
by Christopher
This obviously needs a lot of improvement, but hopefully you get the idea:
Code: Select all
<img src="get_img.php?name=myimage.jpg" />
Code: Select all
<?
$img = preg_replace('/[^a-zA-Z0-9\_\-\.]/', '', $_GET['name']); // filter name to prevent injection
$img = trim($img, '/.'); // don't allow any paths
$img = '/full/path/to/dir/' . $img; // full path to image
if ($user->isSignedIn() && file_exists($img)) {
header("Content-type: image/" . substr($img, -1, 3)); // use file extension for type
readfile($img);
} else {
header("Content-type: image/gif");
readfile('/full/path/to/error.gif');
}
?>
Jcart | fixed code error 
Posted: Tue Jun 13, 2006 4:30 am
by bokehman
Take a look at
this thread for a way to do this without modifying established URLs or editing any <img> elements.
htaccess
Posted: Tue Jun 13, 2006 6:42 am
by vivekjain
Thanks for your reply. Did check on the link.
I am assuming that the .htaccess file needs to be in the folder that has the images. And also is the servlet used to display images to authenticated users?
If you can explain the steps, will appreciate it.
Thank you
Re: htaccess
Posted: Tue Jun 13, 2006 9:39 am
by bokehman
vivekjain wrote:I am assuming that the .htaccess file needs to be in the folder that has the images. And also is the servlet used to display images to authenticated users?
That would be the easiest way.
On the line that is commented check client authority (or similar) add whatever security check you wish to apply to the image, if any.