Re: [PHP] image location hiding techniques

2006-02-09 Thread Gerry Danen
I am attempting to call a script that actually renders the image and
then check for a session variable. However, the session variable does
not seem to be there...

<?php
session_start(); // $_SESSION stays empty unless the session has been started

$fn = $_GET['id']; // filename
$p  = $_GET['p'];  // path
$base = '/srv/pix/'; // where the photos are
$img = realpath($base . $p . '/' . $fn); // + path + filename

// both values come straight from the query string, so refuse anything
// that resolves outside the photo directory (e.g. "../")
if ($img === false || strpos($img, $base) !== 0)
    die('Invalid photo request');

if (!isset($_SESSION['photoid']) || $_SESSION['photoid'] != md5('validphoto')) // set by caller script
    die('Invalid photo request'); // or redirect to alternate image
$_SESSION['photoid'] = '';

$render = @imagecreatefromjpeg($img);
header('Content-type: image/jpeg');
imagejpeg($render, null, 100); // null = send to the browser rather than to a file
imagedestroy($render);
?>

Does anybody have an idea why the session var is not available?

The script above is called with this:

// session_start() must already have been called on this page
$_SESSION['photoid'] = md5('validphoto');
echo "<p><img border=0 src='showimage.php?id=$get_pic&p=$from'
alt=\"Photo $get_pic being located...\"></p>";

Gerry


On 2/7/06, hbeaumont hbeaumont [EMAIL PROTECTED] wrote:
 Hi,

 I have a site with images that I want people to download but not have
 the direct path to, i.e. I do not want them to be able to just view the
 source, find the dir and then download everything or direct link to
 them.

 However I can see no way to do this other than keeping the images on
 disk, having a php script read them and then spit them out. example:

 view.php?92348924  where 92348924  is a code that translates to the
 image on disk.

 Can anyone think of a better method? If not, what is the most
 efficient way to do this (i.e. avoid the most I/O)?

 Thanks!


 P.S. I also realize I could use .htaccess to stop direct linking and
 turn off directory indexes. Still I think there might be some other
 problems with .htaccess

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




--
Gerry
http://portal.danen.org/


[PHP] image location hiding techniques

2006-02-07 Thread hbeaumont hbeaumont
Hi,

I have a site with images that I want people to download but not have
the direct path to, i.e. I do not want them to be able to just view the
source, find the dir and then download everything or direct link to
them.

However I can see no way to do this other than keeping the images on
disk, having a php script read them and then spit them out. example:

view.php?92348924  where 92348924  is a code that translates to the
image on disk.

Can anyone think of a better method? If not, what is the most
efficient way to do this (i.e. avoid the most I/O)?

Thanks!


P.S. I also realize I could use .htaccess to stop direct linking and
turn off directory indexes. Still I think there might be some other
problems with .htaccess


Re: [PHP] image location hiding techniques

2006-02-07 Thread Travis Doherty
hbeaumont hbeaumont wrote:

Hi,

I have a site with images that I want people to download but not have
the direct path to, i.e. I do not want them to be able to just view the
source, find the dir and then download everything or direct link to
them.

However I can see no way to do this other than keeping the images on
disk, having a php script read them and then spit them out. example:

view.php?92348924  where 92348924  is a code that translates to the
image on disk.


Doing this would cause an extra hit to disk to load the PHP script and
the image instead of just the image file, if you are concerned about
disk I/O.  You could go the script route as you have mentioned and also
add a check on HTTP_REFERER to ensure they came from your site.  You
might even set a cookie and ensure that exists as well.  Randomize the
image numbers so they are not sequential, add some alpha characters to
make it real fun.  Give a 404 Not Found instead of an error if the
referer or cookie wasn't set to add some obscurity to the mix.

This will deter most people from grabbing all of the images, but if they
are available to the public for download it will always be possible for
someone to figure out your counter measures.  It doesn't mean you can't
make it trivial enough that they move along to the next site.

Travis Doherty

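Putting the thread's suggestions together, here is an added example of a gating script (my own code, not from any poster): opaque non-sequential ids instead of paths, a session flag set by the embedding page as in Gerry's script, a 404 rather than an error as Travis suggests, and readfile() instead of a GD decode/re-encode to cut the I/O and CPU the original question worried about. The id map, directory and file names are constructed for the example.

```php
<?php
// Added example: image gate for "view.php?id=<opaque id>".
session_start();

// Opaque, non-sequential ids -> files inside one directory. In a real site this
// map lives in a database; the entries below are made up for the example.
$PHOTO_DIR = '/srv/pix/';
$PHOTOS = [
    'k7x2m9q4' => 'events/2006/party.jpg',
    'a3f8z1wb' => 'portraits/alice.jpg',
];

function not_found(): void
{
    // Same response as for a file that never existed, so probing learns nothing.
    http_response_code(404);
    exit;
}

// 1. The page that embeds the <img> must have set the flag; consume it so one
//    page view cannot be replayed into a bulk download.
if (empty($_SESSION['photoid'])) {
    not_found();
}
unset($_SESSION['photoid']);

// 2. Only known ids are served: the client never sees a filesystem path, and
//    there is nothing sequential to count up from.
$id = $_GET['id'] ?? '';
if (!isset($PHOTOS[$id])) {
    not_found();
}

// 3. Belt and braces: resolve the path and confirm it is still under $PHOTO_DIR.
$path = realpath($PHOTO_DIR . $PHOTOS[$id]);
if ($path === false || strncmp($path, $PHOTO_DIR, strlen($PHOTO_DIR)) !== 0) {
    not_found();
}

// 4. Stream the bytes as-is: no imagecreatefromjpeg()/imagejpeg() round trip,
//    so no extra CPU and no quality loss. Content-Length lets the browser
//    know the size up front; no-store keeps shared caches from keeping a copy.
header('Content-Type: image/jpeg');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

A single consumed flag only works for one image per page view; a page that embeds several images should record one session entry per id (for example `$_SESSION['photos'][$id] = true`) so the browser's parallel image requests do not invalidate each other.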