Re: Preventing Access to Private Files


You could use PHP to read the file and send the proper image format header.

Your URL might look something like this:

http://www.yoursite.com/image.php?id=234

If you're worried about people hotlinking it in web forums or something, you 
can research 'hotlink protection'.  There's a million ways you could do it. 
 I don't know what the "best" common practice is, but it could involve 
something in the URL that indicates the ID # of the image plus a date/time 
so if someone tried to use the link more than like 10 seconds after the 
link was generated, it wouldn't load.

example:
http://www.yoursite.com/image.php?id=20070909150523234

So if someone tried to access the link after Sept 9, 2007, 3:05pm and 23 
seconds (+/- like 10 sec maybe) using the image id 234, it would fail.   
You could encode that number so it wasn't so obvious what it was.

You could also maybe look at the REFERRER to see what page linked to the 
image and if it's not one of your pages, block it.

Also, a common practice for using files without them being publicly 
accessible (outside the web server) would be to store the files in a path 
that's not available to the web server.

For example, if you have your files in:

/somepath/webroot/
/somepath/webroot/images    (for common public things like buttons, banner graphics, etc)
/somepath/webroot/docs      (for public documents like PDFs or something you want people to be able to download easily)

Store sensitive files in:

/somepath/includes       (included/required files that may contain stuff like database passwords and such)
/somepath/photos         (photos you don't want publicly available to be direct linked as you describe)

The web server software has access to certain directories, but PHP itself can 
have access to things outside the main web folders.

Just some thoughts.  Good luck!

-TG

----- Original Message -----
From: Stephen <stephen-d@xxxxxxxxxx>
To: php-general@xxxxxxxxxxxxx
Date: Thu, 6 Sep 2007 16:03:52 -0400 (EDT)
Subject:  Preventing Access to Private Files

> I understand how to use PHP with MySQL to have a
> members table to validate passwords. And to limit the
> generation of "member" pages to members only.
> 
> But what about photographs? If someone knows the
> complete URL they could view it directly, unless the
> directory is protected using .htpassword
> 
> But I don't want to have passwords in two places, nor
> muck with the password file every time a new member
> joins.
> 
> Suggestions?
> 
> Thanks
> Stephen
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 
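
Added example (not part of TG's message or the original thread): one way to combine the suggestions above, with image.php serving photos from a directory outside the web root to logged-in members only, through a link that expires after 10 seconds. Instead of embedding a readable timestamp in the id, it signs the id and expiry time with an HMAC so the link cannot be altered; PHOTO_DIR, LINK_KEY, the 'member_id' session key and the id-to-filename map are assumed names.

```php
<?php
// image.php: added example, not code from the thread.
// Assumed names: PHOTO_DIR, LINK_KEY, $_SESSION['member_id'], $photos.
declare(strict_types=1);

const PHOTO_DIR = '/somepath/photos';           // outside /somepath/webroot
const LINK_KEY  = 'replace-with-random-secret'; // placeholder; keep it in /somepath/includes
const LINK_TTL  = 10;                           // seconds a generated link stays valid

// Called by the member page when it renders an <img> tag.
function make_link(int $id, int $now): string
{
    $exp = $now + LINK_TTL;
    $sig = hash_hmac('sha256', "$id:$exp", LINK_KEY);
    return "image.php?id=$id&exp=$exp&sig=$sig";
}

// True only if the signature matches and the link has not expired.
function link_is_valid(int $id, int $exp, string $sig, int $now): bool
{
    $expected = hash_hmac('sha256', "$id:$exp", LINK_KEY);
    return hash_equals($expected, $sig) && $now <= $exp;
}

// Constructed sample data; a real site would look the id up in its database.
$photos = [234 => 'beach.jpg'];

session_start();
$id  = (int) ($_GET['id'] ?? 0);
$exp = (int) ($_GET['exp'] ?? 0);
$sig = is_string($_GET['sig'] ?? null) ? $_GET['sig'] : '';

if (empty($_SESSION['member_id'])                  // not a logged-in member
    || !isset($photos[$id])                        // unknown image id
    || !link_is_valid($id, $exp, $sig, time())) {  // altered or stale link
    http_response_code(403);
    exit;
}

$path = PHOTO_DIR . '/' . $photos[$id]; // filename comes from the map, never from the URL
if (!is_file($path)) {
    http_response_code(404);
    exit;
}
header('Content-Type: image/jpeg');     // assumes every stored photo is a JPEG
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

Because the session check reuses the existing members login, no second password store such as an .htaccess password file is needed.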
