Image Gallery + Login problem
I have set up a members area to my site, a username and password is requested via an html form - this is compared with a MySQL database and a session is begun. All the members pages check for the session and work fine.
One of the pages is a photo gallery - at the moment it is just a whole bunch of <IMG> tags that link to a file frame.php?file=picture-to-be-displayed
This is fine, however anyone who knows the right URL can type this in and view the images directly in the browser.
Chmodding means that no-one can read the images, but the html page generated by the gallery script can no longer read them either.
I have even tried redirecting accesses to /pathname/picture.jpg to index.php?file=login.html by means of a .htaccess file, but that still prevents the image being displayed by the gallery script.
Is there something that I can do to either the gallery script, or with things like .htaccess that could fix this problem - i.e. no one can read the images at all unless they have a php session on the site?
It is all running on a UNIX server under apache, most likely with up to date versions of everything (PHP/mySQL/apache etc). I have shell access for tinkering.
yeah - frame.php checks for a session, but all it does then is return an html page with some border images and an <img> tag for the image to be displayed.
If someone types the URL to the image itself, they can view it without a session. I want to block this so that they can't view it, without breaking the image gallery. As soon as I find a way to block the image such as .htaccess or chmod/chown etc, the image is not displayed in the gallery, since it is just an <img> tag
an example should explain it
Code:
<?php
// Cast to int so only a numeric id can end up in the file path.
$imgPath = '/a/directory/somewhere/' . (int)$_GET['imageId'] . '.png';
if (!is_file($imgPath) || !is_readable($imgPath)) {
    // Send a real HTTP status line; this works under every SAPI.
    header('HTTP/1.0 404 Not Found');
} else {
    header('Content-type: image/png');
    header('Content-length: ' . filesize($imgPath));
    // Stream the raw image bytes as the whole response body.
    readfile($imgPath);
}
?>
will serve links like http://the.serv.er/myScript?imageId=5
and there's no need that /a/directory/somewhere/<N>.png has to be accessible from the web, only the php-script must have read permissions.
http://php.net/is_file
http://php.net/is_readable
http://php.net/header
http://php.net/filesize
http://php.net/readfile
http://www.php.net/manual/en/language.t ... ypecasting
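The reply above serves the file but leaves out the session check the question asks for. The following is an added example, not code from the thread, that combines the two; the session key `member_id` is an assumption about what the login code stores, and the syntax needs PHP 7.1 or later.

```php
<?php
// Added example: session-gated image delivery. Not the original poster's code.
// Assumptions: the login code stores the member in $_SESSION['member_id'];
// images are PNG files named <N>.png in a directory outside the web root.
const IMAGE_DIR = '/a/directory/somewhere/';

/**
 * Decide what to send for one image request.
 * Returns [HTTP status, absolute path or null].
 */
function resolveImage(array $session, array $query, string $dir): array
{
    // 1. Same rule as the member pages: no session, no image.
    if (empty($session['member_id'])) {
        return [403, null];
    }
    // 2. Accept a short run of digits only, so the id can never carry "../".
    $id = $query['imageId'] ?? '';
    if (!is_string($id) || !ctype_digit($id) || strlen($id) > 9) {
        return [400, null];
    }
    // 3. The file must exist and be readable by the PHP process.
    $path = rtrim($dir, '/') . '/' . (int)$id . '.png';
    if (!is_file($path) || !is_readable($path)) {
        return [404, null];
    }
    return [200, $path];
}

session_start();
[$status, $path] = resolveImage($_SESSION, $_GET, IMAGE_DIR);
// Release the session lock so parallel <img> requests are not serialized.
session_write_close();

if ($status !== 200) {
    http_response_code($status);
    exit;
}
header('Content-Type: image/png');
header('Content-Length: ' . filesize($path));
// Member-only content: keep it out of shared caches.
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With the image directory moved outside the document root (or denied in the server configuration), this script is the only route to the files, so a direct URL to a picture no longer exists to be guessed.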
you have to serve the image document without any other html-data anyway.
So that's not a limitation. Always think about: One request, one document.
Not: one request, one html- and an image-document.
You send the html-doc which contains an <img src="..." />-element and the browser will perform another request to get the image-data, e.g.
Code:
<img src="sendMeTheImageData.php?imgId=5" />
aha - that might be the answer....!
will most likely be back with further dumb questions.....
Thanks!
My thanks to you!!!! It works - right - "One request, one document, one request, one document, one request, one document, one request, one document, one request, one document................................."