eric, thanks for taking time to explain this. -nathan On 7/26/07, Eric Butera <eric.butera@xxxxxxxxx> wrote:
On 7/26/07, Nathan Nobbe <quickshiftin@xxxxxxxxx> wrote: > eric, > > ive seen this technique mentioned once or twice on the list now; do you know > of an article online > you could share that explains it? > > -nathan > > > On 7/26/07, Eric Butera <eric.butera@xxxxxxxxx> wrote: > > > > On 7/26/07, elk dolk <elkdolk@xxxxxxxxx> wrote: > > > Hi all, > > > > > > I want to hide the real URL to my images by masking it with PHP > > > the code looks like this: > > > > > > $query = "SELECT * FROM table"; > > > $result=mysql_query($query); > > > > > > while ($row = mysql_fetch_array($result)) > > > { > > > echo "<img src=' > http://www.mysite.com/img/{$FileName}'/>"; > > > } > > > > > > if you look at the source in browser you will see: > > > > > > <img src='http://www.mysite.com/img/111.jpg ' /> > > > > > > how can I show it like this: > > > > > > <img src='show.php?FileName=111.jpg' /> > > > > > > > > > > > > --------------------------------- > > > Luggage? GPS? Comic books? > > > Check out fitting gifts for grads at Yahoo! Search. > > > > If you use $_SERVER['REQUEST_URI'] you can do all sorts of interesting > things. > > > > Say for instance you create a directory at the root of your site > > called /images and put an index.php in there. Then inside of that > > index.php you can parse the REQUEST_URI against some settings you'd > > like and create your own sort of mod_rewrite rules out of it. > > > > Here is an example: > > <?php > > var_dump($_SERVER['REQUEST_URI']); > > > > $matches = array(); > > $result = preg_match('/([0-9]+).jpg$/D', $_SERVER['REQUEST_URI'], > $matches); > > if ($result == true) { > > echo 'Requested image: '. $matches[1]; > > } > > ?> > > > > You can translate that 1111 to your image via a database call such as > > SELECT imagename FROM hiddenimages WHERE id = 1111 or whatever you > > want. People can still directly link to your images using this > > technique. > > > > Given that, you might also reconsider why you are hiding your image > > filenames. Are you trying to protect them from unauthorized viewing? > > If that is the case you can use the real filenames, but pass them > > through a script that checks for a session set to you know that only > > authenticated users can see them. > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > Hi Nathan, There really isn't much to explain about it other than the fact that Apache will give you the raw user input that is sent to it in REQUEST_URI. Usually if a user is just clicking around it will be the current page you are on. Since we know that it will give us any user supplied value to it, we can play around with those values by generating any sort of URL we want. If you create a file called blah.php and stick it in a web directory somewhere then you might access it like this: http://localhost/blah.php/?/hello Here is the contents of blah.php: <?php var_dump($_SERVER['REQUEST_URI']); ?> Here is the output: string '/blah.php/?/hello' (length=17) A few other urls: http://localhost/blah.php/sometext http://localhost/blah.php/?/category-23/item-164 Results: string '/blah.php/sometext' (length=18) string '/blah.php/?/category-23/item-164' (length=32) If you replace blah.php with an index.php then you can have a cleaner URL at the cost of not being able to use the $_GET superglobal. If we were to try http://localhost/blah/somefile/111.jpg we would get a 404 error. To get around this you can add a query string in the url and it works again. That is why you cannot use $_GET variables. If you create a /blah directory and place an index.php in there you can do this: http://localhost/blah/?/somefile/111.jpg Output: $_SERVER['REQUEST_URI']: string '/blah/?/somefile/111.jpg' (length=24) $_GET: array '/somefile/111_jpg' => string '' (length=0) So there are some tradeoffs with something like this. It leads to a cleaner url that you can easily parse with any preg_match. I only use it in specific instances where I know that I'm only going to need something like the 12 and 2 from /gallery/category-12/item-2.