Re: Hide the real URL

On 7/26/07, Nathan Nobbe <quickshiftin@xxxxxxxxx> wrote:
eric,

I've seen this technique mentioned once or twice on the list now; do you know
of an article online you could share that explains it?

-nathan


On 7/26/07, Eric Butera <eric.butera@xxxxxxxxx> wrote:
>
> On 7/26/07, elk dolk <elkdolk@xxxxxxxxx> wrote:
> > Hi all,
> >
> > I want to hide the real URL to my images by masking it with PHP
> > the code looks like this:
> >
> > $query = "SELECT * FROM table";
> > $result = mysql_query($query);
> >
> > while ($row = mysql_fetch_array($result))
> > {
> >     echo "<img src='http://www.mysite.com/img/{$row['FileName']}'/>";
> > }
> >
> > if you look at the source in browser you will see:
> >
> > <img src='http://www.mysite.com/img/111.jpg ' />
> >
> > how can I show it like this:
> >
> > <img src='show.php?FileName=111.jpg' />
> >
> >
> >
>
> If you use $_SERVER['REQUEST_URI'] you can do all sorts of interesting things.
>
> Say for instance you create a directory at the root of your site
> called /images and put an index.php in there.  Then inside of that
> index.php you can parse the REQUEST_URI against some settings you'd
> like and create your own sort of mod_rewrite rules out of it.
>
> Here is an example:
> <?php
> var_dump($_SERVER['REQUEST_URI']);
>
> $matches = array();
> $result = preg_match('/([0-9]+)\.jpg$/D', $_SERVER['REQUEST_URI'], $matches);
> if ($result == true) {
>         echo 'Requested image: '. $matches[1];
> }
> ?>
>
> You can translate that 1111 to your image via a database call such as
> SELECT imagename FROM hiddenimages WHERE id = 1111 or whatever you
> want.  People can still directly link to your images using this
> technique.
>
> Given that, you might also reconsider why you are hiding your image
> filenames.  Are you trying to protect them from unauthorized viewing?
> If that is the case you can use the real filenames, but pass them
> through a script that checks for a session set to you know that only
> authenticated users can see them.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


Hi Nathan,

There really isn't much to explain about it other than the fact that
Apache will give you the raw user input that is sent to it in
REQUEST_URI.  Usually if a user is just clicking around it will be the
current page you are on.

Since we know that it will give us any user supplied value to it, we
can play around with those values by generating any sort of URL we
want.

If you create a file called blah.php and stick it in a web directory
somewhere then you might access it like this:

http://localhost/blah.php/?/hello

Here is the contents of blah.php:
<?php
var_dump($_SERVER['REQUEST_URI']);
?>

Here is the output:
string '/blah.php/?/hello' (length=17)

A few other URLs:
http://localhost/blah.php/sometext
http://localhost/blah.php/?/category-23/item-164

Results:
string '/blah.php/sometext' (length=18)
string '/blah.php/?/category-23/item-164' (length=32)

If you replace blah.php with an index.php then you can have a cleaner
URL at the cost of not being able to use the $_GET superglobal.  If we
were to try http://localhost/blah/somefile/111.jpg we would get a 404
error.  To get around this you can add a query string in the url and
it works again.  That is why you cannot use $_GET variables.  If you
create a /blah directory and place an index.php in there you can do
this:

http://localhost/blah/?/somefile/111.jpg

Output:
$_SERVER['REQUEST_URI']:  string '/blah/?/somefile/111.jpg' (length=24)
$_GET: array  '/somefile/111_jpg' => string '' (length=0)

So there are some tradeoffs with something like this.  It leads to a
cleaner URL that you can easily parse with any preg_match.  I only use
it in specific instances where I know that I'm only going to need
something like the 12 and 2 from /gallery/category-12/item-2.

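As an added example, not code posted by anyone in this thread, here is how the /images/index.php that Eric describes could be written so that the parsed REQUEST_URI can only ever select a catalogued file from one directory, and only for a logged-in user. The IMAGE_DIR constant, the 'user_id' session key and the $catalog array (standing in for "SELECT imagename FROM hiddenimages WHERE id = ...") are all assumptions made for the illustration.

```php
<?php
// Added example (not from the thread): /images/index.php that maps
// "/images/?/111.jpg" (or "/images/111.jpg" behind a rewrite rule) to a file
// without exposing the real path. Only files inside IMAGE_DIR are served, and
// only to authenticated sessions.
// Assumptions for illustration: IMAGE_DIR, the session key 'user_id', and the
// $catalog array standing in for the database lookup.

declare(strict_types=1);

const IMAGE_DIR = '/var/www/private-images';   // assumed location, outside the web root

// Constructed stand-in for "SELECT imagename FROM hiddenimages WHERE id = ?".
$catalog = [
    111 => 'beach_2007.jpg',
    164 => 'sunset.jpg',
];

/**
 * Extract the numeric image id from the raw request URI.
 * Returns null unless the URI is exactly /images/<digits>.jpg or
 * /images/?/<digits>.jpg, so nothing but a bounded integer reaches the lookup.
 */
function imageIdFromUri(string $requestUri): ?int
{
    if (preg_match('#^/images/(?:\?/)?([0-9]{1,9})\.jpg$#D', $requestUri, $m) !== 1) {
        return null;
    }
    return (int) $m[1];
}

/**
 * Resolve an id to an absolute path and refuse anything that escapes $baseDir,
 * even if the catalog row itself were tampered with (e.g. "../../etc/passwd").
 */
function resolveImagePath(int $id, array $catalog, string $baseDir): ?string
{
    if (!isset($catalog[$id])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $catalog[$id]);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() has collapsed any "..", so a prefix check on the result is sound.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {          // assumed session key set at login
    http_response_code(403);
    exit('Forbidden');
}

$id   = imageIdFromUri($_SERVER['REQUEST_URI'] ?? '');
$path = $id === null ? null : resolveImagePath($id, $catalog, IMAGE_DIR);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: image/jpeg');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The `(?:\?/)?` part of the pattern accepts the query-string form that makes the index.php reachable without any rewrite rules, as shown in the thread; the plain `/images/111.jpg` form only arrives at this script if a rewrite rule sends it there. Two checks do the security work: the regex admits nothing except digits, so the request can never name a file directly, and the realpath() prefix comparison guarantees that even a bad catalog entry cannot pull a file from outside IMAGE_DIR. As the thread notes, none of this stops someone from linking to the image URL; the session check is what restricts who can fetch it.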

