How do I make photos of my products in my website secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

obay
Forum Newbie
Posts: 17
Joined: Sun Mar 01, 2009 1:04 pm

How do I make photos of my products in my website secure?

Post by obay »

How do I make photos of my products in my website secure, such that only "members" can view them?

I have tried putting them in a secure folder (outside public_html) and using a showimage.php, but it doesn't work. It only outputs the URL (text) of the image, not the image itself. I reckon this must be a problem with my web hosting, because in my local setup, it works.

So I'm asking here for alternatives. Any ideas?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How do I make photos of my products in my website secure?

Post by Mordred »

Code?
obay
Forum Newbie
Posts: 17
Joined: Sun Mar 01, 2009 1:04 pm

Re: How do I make photos of my products in my website secure?

Post by obay »

Here is my showImage.php:

<?php
 
$filename = "../natura_photos_large/".$_GET[trans]."-".$_GET[size].".jpg";
header("Content-Type: image/jpeg");
echo file_get_contents($filename);
 
?>

Here is my test.php:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
 
<body>
<img src="showImage.php?trans=P-20090227045201-11&size=3" border="1" />
</body>
</html>

I have a folder outside public_html called "natura_photos_large" that contains the image "P-20090227045201-11-3.jpg".

You may open the test.php page at

http://www.cebunatura.com/test.php

As you can see, the photo does not display. What am I doing wrong? :(

*PS: I've actually posted before; the issue was not resolved. I am reposting in this new thread. Hope you understand.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How do I make photos of my products in my website secure?

Post by kaisellgren »

obay wrote:

<?php
 
$filename = "../natura_photos_large/".$_GET[trans]."-".$_GET[size].".jpg";
header("Content-Type: image/jpeg");
echo file_get_contents($filename);
 
?>
If the file path is correct, that should work. If not, make sure you have error reporting turned on (use E_ALL).

The code is vulnerable to traversal and truncation attacks by the way.

For instance, ************, eh, you actually have a live link to your website?

The problem is that the image file is somehow corrupted or not a valid JPG file. I tried saving the file on my desktop. The thumbnail loaded fine, but when I tried to open the file it was corrupted. If Paint or Photoshop couldn't open it, how could a web browser?
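
Added example, not part of the thread and not any poster's code: a hardened variant of the showImage.php discussed above that serves the image only to logged-in members, closes the traversal and truncation routes mentioned in the last reply, and checks that the file really is a JPEG before sending it. The session key `member_id`, the function name `resolve_image` and the allowed character set for image names are assumptions; the folder name is the one from the thread.

```php
<?php
// Added example: hardened variant of the thread's showImage.php.
// Assumptions (not from the thread): a logged-in member has $_SESSION['member_id'] set,
// and image names contain only letters, digits and hyphens.
declare(strict_types=1);

const IMAGE_DIR = __DIR__ . '/../natura_photos_large';

function resolve_image(string $baseDir, $trans, $size): ?string
{
    // Allowlist both parameters: dots, slashes and NUL bytes cannot get through,
    // so the request cannot leave the folder or cut off the ".jpg" suffix.
    if (!is_string($trans) || !preg_match('/\A[A-Za-z0-9-]{1,64}\z/', $trans)) {
        return null;
    }
    if (!is_string($size) || !preg_match('/\A[0-9]{1,2}\z/', $size)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $trans . '-' . $size . '.jpg');
    // realpath() resolves symlinks; the result must still sit inside the image folder.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Confirm the bytes are a JPEG before declaring image/jpeg to the browser.
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['member_id'])) {   // members only
    http_response_code(403);
    exit;
}
$path = resolve_image(IMAGE_DIR, $_GET['trans'] ?? null, $_GET['size'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: image/jpeg');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
// No closing PHP tag, so no stray whitespace is appended to the image bytes.
```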