You could use PHP to read the file and send the proper image format header. Your URL might look something like this: http://www.yoursite.com/image.php?id=234 If you're worried about people hotlinking it in web forums or something, you can research 'hotlink protection'. There's a million ways you could do it. I don't know what the "best" common practice is, but it could involve something in the URL that indicates the ID # of the image plus a date/time so if someone tried to use the link more than like 10 seconds after the link was generated, it wouldn't load. example: http://www.yoursite.com/image.php?id=20070909150523234 So if someone tried to access the link after Sept 9, 2007, 3:05pm and 23 seconds (+/- like 10 sec maybe) using the image id 234, it would fail. You could encode that number so it wasn't so obvious what it was. You could also maybe look at the REFERRER to see what page linked to the image and if it's not one of your pages, block it. Also, a common practice for using files without them being publicly accessible (outside the web server) would be to store the files in a path that's not available to the web server. For example, if you have your files in: /somepath/webroot/ /somepath/webroot/images (for common public things like buttons, banner graphics, etc) /somepath/webroot/docs (for public documents like PDFs or something you want people to be able to download easily) Store sensitive files in: /somepath/includes (included/required files that may contain stuff like database passwords and such) /somepath/photos (photos you don't want publicly available to be direct linked as you describe) The web server software has access to certain directories, but PHP itself can have access to things outside the main web folders. Just some thoughts. Good luck! -TG ----- Original Message ----- From: Stephen <stephen-d@xxxxxxxxxx> To: php-general@xxxxxxxxxxxxx Date: Thu, 6 Sep 2007 16:03:52 -0400 (EDT) Subject: Preventing Access to Private Files > I understand how to use PHP with MySQL to have a > members table to validate passwords. And to limit the > generation of "member" pages to members only. > > But what about photographs? If someone knows the > complete URL they could view it directly, unless the > directory is protected using .htpassword > > But I don't want to have passwords in two places, nor > muck with the password file everytime a new member > joins. > > Suggestions? > > Thanks > Stephen > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
