Using Apache's main config file (or at a per-directory level using a .htaccess file), you need to black all .jpg, .jpeg, .gif, .png, .bmp, etc etc files from being *directly* served via http.
I'm not too good with Apache yet, but an example would be: <Files ~ "\.jpg$"> Order Allow,Deny Deny from all </Files> <Files ~ "\.gif$"> Order Allow,Deny Deny from all </Files> <Files ~ "\.jpeg$"> Order Allow,Deny Deny from all </Files> <Files ~ "\.bmp$"> Order Allow,Deny Deny from all </Files> (you might also choose to block everything in imageDir/, which would also include the xml file) Then you need to create a script called image.php which: a) accepts file=xxxx.xxx in the URL ($_GET) b) sets the appropriate image header c) passes the image file though Instead of you calling <img src='imageDir/picture.jpg' /> You would call <img src='image.php?file=imageDir/picture.jpg' /> You also need to ensure that users can't directly call image.php?file= picture.jpg in the browser, which can also be done with apache / .htaccess files. <Files ~ "\image.php$"> Order Allow,Deny Deny from all </Files> There's plenty of examples of passing images through in the manual... in particular one of the user-contributed notes by "lists at darkcore dot net 08-Aug-2002 03:24" at http://php.net/header looks about right. Justin on 16/02/03 3:24 AM, Michael Mulligan ([EMAIL PROTECTED]) wrote: > Perhaps you could further describe such a method? I'm sorry, I just don't > quite see how this will block the files. Perhaps I should further explain my > situation. > > The script that I will distribute will always make use of a very particular > directory structure. In "imageDir", there will always be a specifically > named XML file that points to a bunch of images in the directory. However, > given security checks that I put in my script, not all of those images > should be publicly viewable. However, if a savvy user were to just load this > XML doc up in their web browser, they will have a complete listing of URLs > to all of my images. I cannot modify this XML file. (which is why I want to > block a user from loading, say myserver.com/imageDir/picture.jpg) > > Will your proposed idea still work in this situation? > > Thanks for your help and patience in this matter. :-) > > On 02/15/03 11:09 AM, "Marco Tabini" <[EMAIL PROTECTED]> wrote: >> Only if you let them. The PHP script allows to put the appropriate >> checks in place. For example, if you use sessions, you can verify that >> the session is still valid and that the user has, indeed, the right to >> access that image. At a later time, even if another user types in the >> same URL but does not have a valid session (or a variable inside the >> session that contains the right data), you would be able to block him >> from reading the image. >> >> Cheers, >> >> >> Marco > > > -m^2 > > __________ > Hi! I'm a .signature virus! Copy me into your ~/.signature to help me > spread! > __________ > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php