Image Gallery + Login problem

Posted: Fri Jun 06, 2003 5:33 pm
by RFairey
I have set up a members area to my site, a username and password is requested via an html form - this is compared with a MySQL database and a session is begun. All the members pages check for the session and work fine.

One of the pages is a photo gallery - at the moment it is just a whole bunch of <IMG> tags that link to a file frame.php?file=picture-to-be-displayed

This is fine, however anyone who knows the right URL can type this in and view the images directly in the browser.

Chmodding means that no-one can read the images, but the html page generated by the gallery script can no longer read them either.

I have even tried redirecting accesses to /pathname/picture.jpg to index.php?file=login.html by means of a .htaccess file, but that still prevents the image being displayed by the gallery script.

Is there something that I can do to either the gallery script, or with things like .htaccess that could fix this problem - i.e. no one can read the images at all unless they have a php session on the site?

It is all running on a UNIX server under apache, most likely with up to date versions of everything (PHP/mySQL/apache etc). I have shell access for tinkering.

Posted: Sat Jun 07, 2003 3:16 am
by Trill
Just wondering... does frame.php check for a session... cos if you got it to check for a session my guess is you should clear your problem up

Posted: Sat Jun 07, 2003 4:05 am
by RFairey
yeah - frame.php checks for a session, but all it does then is return an html page with some border images and an <img> tag for the image to be displayed.

If someone types the URL to the image itself, they can view it without a session. I want to block this so that they can't view it, without breaking the image gallery. As soon as I find a way to block the image such as .htaccess or chmod/chown etc, the image is not displayed in the gallery, since it is just an <img> tag

Posted: Sat Jun 07, 2003 4:24 am
by volka
but if you're using
frame.php?file=picture-to-be-displayed
you might check the session status and return a 404 in case it's unsatisfactory (assuming this call is supposed to return the real image data - not only html)

Posted: Sat Jun 07, 2003 5:26 am
by RFairey
volka wrote: (assuming this call is supposed to return the real image data - not only html)
It's only returning html at the moment. Is there a way to return image data directly, and would the script be able to read the image if I had blocked the image from direct viewing by typing a URL?

Posted: Sat Jun 07, 2003 5:41 am
by volka
an example should explain it

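<?php
// The (int) cast reduces imageId to a number, so the request cannot name another path.
$imgPath = '/a/directory/somewhere/' . (int)$_GET['imageId'] . '.png';
if(!is_file($imgPath) || !is_readable($imgPath))
	// An HTTP status line works under every SAPI; 'Status:' is a CGI convention.
	header('HTTP/1.0 404 Not Found');
else
{
	// One request, one document: send only the image bytes, no HTML.
	header('Content-type: image/png');
	header('Content-length: ' . filesize($imgPath));
	readfile($imgPath);
}
?>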
will serve links like http://the.serv.er/myScript?imageId=5
and there's no need that /a/directory/somewhere/<N>.png has to be accessible from the web, only the php-script must have read permissions.

http://php.net/is_file
http://php.net/is_readable
http://php.net/header
http://php.net/filesize
http://php.net/readfile
http://www.php.net/manual/en/language.t ... ypecasting

Posted: Sat Jun 07, 2003 5:58 am
by RFairey
Is there a way to avoid the header() function, and put the image inline with the rest of the page, either keeping the img tags and changing something else, or using something other than img tags?

Posted: Sat Jun 07, 2003 9:40 am
by volka
netscape had a base64-inline image encoding but generally: no ;)
One request, one document (html, image, zip-archive, what-so-ever)
what's wrong with header()?

Posted: Sat Jun 07, 2003 10:53 am
by RFairey
header can only be used before any other html - the whole idea of the image gallery is that each one is displayed in a border (not so important) but, more importantly that each one is a link so that you can click on the image to return to the gallery of thumbnails

Posted: Sat Jun 07, 2003 11:02 am
by volka
you have to serve the image document without any other html-data anyway.
So that's not a limitation. Always think about: One request, one document.
Not: one request, one html- and an image-document.
You send the html-doc which contains an <img src="..." />-element and the browser will perform another request to get the image-data, e.g.

<img src="sendMeTheImageData.php?imgId=5" />
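Added example, not code from the thread or its posters: a version of sendMeTheImageData.php that combines the session check asked about at the top of the thread with the image-serving script above. The session key 'member_id' is an assumption about what the login script stores; the directory is the placeholder path used earlier in the thread.

```php
<?php
// Added example. Assumptions: the login script sets $_SESSION['member_id']
// (hypothetical key), and the images live as <N>.png in a directory that is
// outside the web root, so no URL maps to them directly.
session_start();

$imageDir = '/a/directory/somewhere/';

// 1. No logged-in session: refuse before touching the filesystem.
if (empty($_SESSION['member_id'])) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// 2. Accept only a purely numeric id. Rejecting non-digits (rather than
//    silently casting) means "5/../x" or an array parameter gets a 404.
$id = isset($_GET['imgId']) ? $_GET['imgId'] : '';
if (!is_string($id) || !ctype_digit($id)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

$imgPath = $imageDir . (int)$id . '.png';
if (!is_file($imgPath) || !is_readable($imgPath)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// 3. Release the session lock before streaming, so the many <img> requests
//    a gallery page triggers are not served one at a time.
session_write_close();

// 4. One request, one document: only image bytes follow, no HTML.
header('Content-Type: image/png');
header('Content-Length: ' . filesize($imgPath));
header('Cache-Control: private');            // keep shared caches from storing it
header('X-Content-Type-Options: nosniff');   // browser must treat it as an image
readfile($imgPath);
```

The gallery page keeps its border and link markup and only points each img src at this script, so the chmod and .htaccess blocks on the image directory no longer break the display.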

Posted: Sat Jun 07, 2003 11:38 am
by RFairey
aha - that might be the answer....!
will most likely be back with further dumb questions.....

Thanks!


My thanks to you!!!! It works - right - "One request, one document, one request, one document, one request, one document, one request, one document, one request, one document................................."