Using Apache's main config file (or at a per-directory level using a
.htaccess file), you need to block all .jpg, .jpeg, .gif, .png, .bmp, etc
etc files from being *directly* served via http.
I'm not too good with Apache yet, but an example would be:
<Files ~ "\.jpg$">
Order Allow,Deny
Deny from all
</Files>
<Files ~ "\.gif$">
Order Allow,Deny
Deny from all
</Files>
<Files ~ "\.jpeg$">
Order Allow,Deny
Deny from all
</Files>
<Files ~ "\.bmp$">
Order Allow,Deny
Deny from all
</Files>
(you might also choose to block everything in imageDir/, which would also
include the xml file)
Then you need to create a script called image.php which:
a) accepts file=xxxx.xxx in the URL ($_GET)
b) sets the appropriate image header
c) passes the image file through
Instead of you calling
<img src='imageDir/picture.jpg' />
You would call
<img src='image.php?file=imageDir/picture.jpg' />
You also need to ensure that users can't directly call image.php?file=
picture.jpg in the browser, which can also be done with apache / .htaccess
files.
<Files ~ "image\.php$">
Order Allow,Deny
Deny from all
</Files>
There's plenty of examples of passing images through in the manual... in
particular one of the user-contributed notes by "lists at darkcore dot net
08-Aug-2002 03:24" at http://php.net/header looks about right.
Justin
on 16/02/03 3:24 AM, Michael Mulligan ([EMAIL PROTECTED]) wrote:
> Perhaps you could further describe such a method? I'm sorry, I just don't
> quite see how this will block the files. Perhaps I should further explain my
> situation.
>
> The script that I will distribute will always make use of a very particular
> directory structure. In "imageDir", there will always be a specifically
> named XML file that points to a bunch of images in the directory. However,
> given security checks that I put in my script, not all of those images
> should be publicly viewable. However, if a savvy user were to just load this
> XML doc up in their web browser, they will have a complete listing of URLs
> to all of my images. I cannot modify this XML file. (which is why I want to
> block a user from loading, say myserver.com/imageDir/picture.jpg)
>
> Will your proposed idea still work in this situation?
>
> Thanks for your help and patience in this matter. :-)
>
> On 02/15/03 11:09 AM, "Marco Tabini" <[EMAIL PROTECTED]> wrote:
>> Only if you let them. The PHP script allows to put the appropriate
>> checks in place. For example, if you use sessions, you can verify that
>> the session is still valid and that the user has, indeed, the right to
>> access that image. At a later time, even if another user types in the
>> same URL but does not have a valid session (or a variable inside the
>> session that contains the right data), you would be able to block him
>> from reading the image.
>>
>> Cheers,
>>
>>
>> Marco
>
>
> -m^2
>
> __________
> Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
> spread!
> __________
>
>
--
PHP General Mailing List (http://www.php.net/)
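
The image.php script described in steps a) to c) above, combined with the session check Marco mentions, as an added example that is not code from anyone in this thread. The session key `allowed_images` is a hypothetical name for wherever the application's own security checks record which images a visitor may see; `imageDir` is the directory from the thread.

```php
<?php
// image.php - added example, not code from the thread.
// Assumption: the application's own checks store the image names this visitor
// may view in $_SESSION['allowed_images'] (hypothetical key name).
session_start();

$baseDir = realpath(__DIR__ . '/imageDir');  // directory blocked from direct HTTP access
$types = [                                   // served extensions => Content-Type
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'gif' => 'image/gif',  'png'  => 'image/png', 'bmp' => 'image/bmp',
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// a) accept file=xxxx.xxx. Only the final path component is kept, so both
//    "picture.jpg" and "imageDir/picture.jpg" work, while "../" sequences
//    and absolute paths cannot point outside imageDir.
$requested = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : '';
$name = basename(str_replace('\\', '/', $requested));
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if ($name === '' || !isset($types[$ext])) {
    deny(404);  // also refuses the XML file and any other non-image type
}

// Per-user check: the session must list this image as viewable.
$allowed = isset($_SESSION['allowed_images']) ? $_SESSION['allowed_images'] : [];
if (!is_array($allowed) || !in_array($name, $allowed, true)) {
    deny(403);
}

// Resolve symlinks and confirm the real file is still inside imageDir.
$path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
if ($baseDir === false || $path === false || !is_file($path)
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
    deny(404);
}

// b) set the appropriate image header, c) pass the file through.
header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The browser requests image.php itself for every <img> tag, so in this example the access decision is made inside the script by the session check.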