What CHMOD to use?
Posted: Sun Mar 01, 2009 1:06 pm
by obay
What CHMOD should i use to display images on web pages but disallow direct access to them thru address bar?
I tried 700. It successfully disallows accessing the image directly thru browser's address bar, but it also doesn't display the images on the webpages.
Help?
Re: What CHMOD to use?
Posted: Sun Mar 01, 2009 1:09 pm
by kaisellgren
obay wrote:What CHMOD should i use to display images on web pages but disallow direct access to them thru address bar?
I tried 700. It successfully disallows accessing the image directly thru browser's address bar, but it also doesn't display the images on the webpages.
Help?
There is no such thing. In both cases, the web browser requests the image in exactly the same way. No difference. The only difference is practical: you have to type the address in the second case.
May I ask what you are trying to achieve?
Re: What CHMOD to use?
Posted: Sun Mar 01, 2009 1:19 pm
by obay
I have some photos of our products which i DON'T want non-registered/non-logged-in users to see.
But I realized that if the user just knows the URL of the image, he can view it.
For example, i have "smaller" versions of the photos which everyone can see. If a user right-clicks it, he can see that it's stored in photos/myphoto1-small.jpg. so it's easy to guess the large photo is in photos/myphoto1-large.jpg. when he inputs that in the web browser address bar, he gets the photo without even logging in.
Re: What CHMOD to use?
Posted: Sun Mar 01, 2009 1:24 pm
by kaisellgren
obay wrote:I have some photos of our products which i DON'T want non-registered/non-logged-in users to see.
But I realized that if the user just knows the URL of the image, he can view it.
For example, i have "smaller" versions of the photos which everyone can see. If a user right-clicks it, he can see that it's stored in photos/myphoto1-small.jpg. so it's easy to guess the large photo is in photos/myphoto1-large.jpg. when he inputs that in the web browser address bar, he gets the photo without even logging in.
The photos (secured ones) should be delivered through PHP. They may not be directly accessible. For instance:
showimage.php?photo_id=5
Code:
$photo_id = (int) $_GET['photo_id'];
// find out photo filename somehow... may it be stored in the database or whatever...
header('Content-Type: image/png');
echo file_get_contents($path_to_the_photo);
That's a simple demonstration. Make the header accept other file types if you need to, and store the path to the photos somewhere. Preferably in the database.
And make sure you store the secured photos outside the document root.
Re: What CHMOD to use?
Posted: Sun Mar 01, 2009 1:28 pm
by obay
this is great! so this means i can now set the photos to CHMOD 700 and still have them displayed (thru PHP), correct?
Re: What CHMOD to use?
Posted: Sun Mar 01, 2009 1:39 pm
by kaisellgren
obay wrote:this is great! so this means i can now set the photos to CHMOD 700 and still have them displayed (thru PHP), correct?
In every website, there is a public root directory. Everything under it is accessible from the URL (if not restricted otherwise), but everything outside this root is in no way accessible. Just put the photos outside the document root (e.g. public_html, www, htdocs, ...). This way only PHP can access them.
If you did not get it, look:
Code:
/home/yourhostingaccount/public_html/index.php
/home/yourhostingaccount/photos/image.png
Only PHP can access it, like file_get_contents('../photos/image.png')... just make sure it only shows them if the user is authenticated.
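A fuller version of the delivery script described in the two replies above, as an added example that is not kaisellgren's code. It assumes login code that sets `$_SESSION['user_id']`, a hypothetical `photo_path_for_id()` lookup standing in for the database, and the `photos` directory beside `public_html` from the layout above.

```php
<?php
// showimage.php - added example, not code from the thread. Assumes login code
// sets $_SESSION['user_id'] and photos live outside the document root.
session_start();

const PHOTO_DIR = __DIR__ . '/../photos';

// Hypothetical lookup standing in for a database query: id -> stored filename.
function photo_path_for_id(int $id): ?string
{
    $photos = [5 => 'image.png'];           // constructed sample data
    return isset($photos[$id]) ? PHOTO_DIR . '/' . $photos[$id] : null;
}

function fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($message);
}

if (empty($_SESSION['user_id'])) {
    fail(403, 'Login required');
}

$photo_id = (int) ($_GET['photo_id'] ?? 0);
$path = photo_path_for_id($photo_id);
if ($path === null) {
    fail(404, 'No such photo');
}

// Resolve symlinks and ".." and confirm the file is still inside PHOTO_DIR.
$real = realpath($path);
$base = realpath(PHOTO_DIR);
$inside = $real !== false && $base !== false
    && strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
if (!$inside || !is_readable($real)) {
    error_log("showimage: cannot read photo $photo_id at $path");
    fail(404, 'No such photo');
}

// Send the type the file actually has rather than a hard-coded image/png.
$info = getimagesize($real);
if ($info === false) {
    fail(404, 'No such photo');
}
header('Content-Type: ' . $info['mime']);
header('Content-Length: ' . filesize($real));
readfile($real);
```

Because the client only ever supplies an integer id, guessing `myphoto1-large.jpg` from `myphoto1-small.jpg` no longer works: the filename never appears in a URL and the file is not under the document root.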
Re: What CHMOD to use?
Posted: Sun Mar 01, 2009 1:53 pm
by obay
thanks! you've been most helpful!!

Re: What CHMOD to use?
Posted: Wed Mar 04, 2009 3:54 pm
by obay
hi again!
i've done everything you said and everything works fine in my local webserver. but when i uploaded it to my host, the images don't show. i've set the folder permissions to 755, even now that it's outside public_html, but images don't show.
what might be the problem?
Re: What CHMOD to use?
Posted: Wed Mar 04, 2009 4:01 pm
by obay
i tried to open my showImage.php file from the address bar, and i've discovered that instead of "echo"ing the photo, it just "echo"es the full path of the file (that is, the http://www.mysite.com/showImage.php?photoid=123)
when i do this on my local server, it displays the photo, but here it displays the complete URL.
I'm confused...
any help?
Re: What CHMOD to use?
Posted: Wed Mar 04, 2009 4:20 pm
by kaisellgren
obay wrote:i tried to open my showImage.php file from the address bar, and i've discovered that instead of "echo"ing the photo, it just "echo"es the full path of the file (that is, the http://www.mysite.com/showImage.php?photoid=123)
when i do this on my local server, it displays the photo, but here it displays the complete URL.
I'm confused...
any help?
The image data was not loaded correctly. Are you sure the photos are there and that the path is correct?
Re: What CHMOD to use?
Posted: Wed Mar 04, 2009 4:36 pm
by obay
i just talked with my hosting company.
images need to be inside public_html
this sucks!
Re: What CHMOD to use?
Posted: Wed Mar 04, 2009 4:47 pm
by obay
i have to redo everything.
any ideas?

Re: What CHMOD to use?
Posted: Wed Mar 04, 2009 5:32 pm
by kaisellgren
Are you sure? Why can't they be outside the public root?!
What web hosting are you using? This is crazy. They are basically asking you to be less safe. I have lots of experience with web hosts, and I must say that many live or email support guys and gals will not always know what they are answering...
Can you browse outside the public root with your FTP client using your FTP credentials? If so, create a folder outside the public root and check whether PHP is able to write to and read from it.
Re: What CHMOD to use?
Posted: Thu Mar 05, 2009 4:55 am
by obay
i am on hostgator.com
1. "myphotos" folder outside public_html:
yes, i have been able to create a folder outside public_html and have been able to read and write to it. the path is /myphotos with permissions 755.
but photos don't display. when i try to access the showImage.php from the address bar, it just displays the complete URL of the showImage file (that is http://www.mysite.com/showImage.php?photoid=123). this is different from my local server, which displays the image
2. "myphotos" folder inside public_html:
i have just discovered that even if i put the photos folder inside public_html, same behavior. showImage.php just displays the URL, not the image.
any ideas?
Re: What CHMOD to use?
Posted: Thu Mar 05, 2009 6:12 am
by kaisellgren
I have twelve accounts on HostGator. A few shared and one dedicated. So far, I have been able to upload files outside the public root. If they told you that you cannot upload or do that, then the support guy didn't know what he was talking about.
obay wrote:i have just discovered that even if i put the photos folder inside public_html, same behavior. showImage.php just displays the URL, not the image.
Indeed. It is not related to "not being able to upload somewhere". I bet you are using Firefox, which by default displays the location of the requested file in case there is no content outputted to it. Remove the header() call, and see what the browser outputs. I bet it outputs nothing. If that is so, then for some reason the script does not load the file contents properly. It's a bug in your script, hard to know what is wrong really.
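The check suggested in the last reply can be made explicit. This added example (not code from the thread) replies with plain text instead of an image header and reports each condition that makes file_get_contents() return nothing; the `../myphotos/sample.jpg` path is a placeholder for whatever path showImage.php actually builds.

```php
<?php
// diagnose.php - added example, not code from the thread. Run it in place of
// showImage.php, then delete it: it prints server paths.
header('Content-Type: text/plain');

// Placeholder: use the exact path expression showImage.php passes to file_get_contents().
$path = '../myphotos/sample.jpg';

function diagnose(string $path): array
{
    $report = [];
    // Relative paths resolve against the current working directory, which can
    // differ between a local server and a shared host.
    $report['cwd'] = getcwd();
    $report['script_dir'] = __DIR__;
    $real = realpath($path);
    $report['resolved'] = $real === false ? '(does not resolve)' : $real;
    $report['exists'] = file_exists($path) ? 'yes' : 'no';
    $report['readable'] = is_readable($path) ? 'yes' : 'no';
    // open_basedir, when set by the host, blocks reads outside the listed directories.
    $report['open_basedir'] = ini_get('open_basedir') ?: '(not set)';
    $data = @file_get_contents($path);
    $report['bytes_read'] = $data === false ? 'read failed' : (string) strlen($data);
    $err = error_get_last();
    $report['last_error'] = $err ? $err['message'] : '(none)';
    return $report;
}

foreach (diagnose($path) as $key => $value) {
    echo str_pad($key, 14), $value, "\n";
}
```

A `bytes_read` of `read failed` or `0` explains the behaviour described in the thread: the script sends an image Content-Type with an empty body, and the browser falls back to showing the URL.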