On Sat, 2003-02-15 at 11:24, Michael Mulligan wrote: > The script that I will distribute will always make use of a very particular > directory structure. In "imageDir", there will always be a specifically > named XML file that points to a bunch of images in the directory. However, > given security checks that I put in my script, not all of those images > should be publicly viewable. However, if a savvy user were to just load this > XML doc up in their web browser, they will have a complete listing of URLs > to all of my images. I cannot modify this XML file. (which is why I want to > block a user from loading, say myserver.com/imageDir/picture.jpg) > > Will your proposed idea still work in this situation?
Yes--but you need to make the image inaccessible to the outside (simply put them in a folder that can't be seen from the web). Here's an example. Suppose you have a script called page.php that needs an image called img.jpg. Instead of calling img.jpg, you call another script, serveimage.php as follows: <img src="serveimage.php?img=img.jpg"> Now, in serveimage.php you do this: <?php $img = $_GET['img']; // First, check that the user is not trying to trick us // into revealing a file that we shouldn't reveal. // Note: this is a *very* simplistic approach--you will probably // want to add your own if (substr ($img, '/')) die('Invalid file name'); // Now, check if the user has permission to this file. You don't // explain how you do this, so I'll leave this to an external // function called check_permission ($file) that returns true if the // user is able to see that file and false otherwise if (check_permission ($img)) { // Tell the browser this is an image // Note, you will probably have to change this depending // on the file type header ('Content-type: img/jpg'); readfile ($img); } else die ("Unauthorized access"); ?> Essentially, what I'm doing is I'm replacing a file with a script that first checks the permissions and then, if the user is authorized, outputs the file to the browser. This way, if the user is not authorized to download a file, it will be blocked. Obviously, the files themselves should be inaccessible to the web *except* through your scripts. Hope it's a bit clearer now! Cheers, Marco -- ------------ Marco Tabini President Marco Tabini & Associates, Inc. 28 Bombay Ave. Toronto, ON M3H 1B7 Canada Phone: (416) 630-6202 Fax: (416) 630-5057 Weblog: http://blogs.phparch.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php