Chuck wrote:
I have a php file that produces an image and is only referred to from
an img tag like so:
<img src="getRandImage.php">
I want to prevent anyone from directly accessing the getRandImage.php
file. The file has to be world readable or the image will not display.
I played around with testing $_SERVER['HTTP_REFERER'] using regular
expressions but the above image tag appears in the default splash page
and there is no http referer set when they first visit the site. (also
ran into some IE quirkiness as well) I played around with putting
getRandImage.php into a subdirectory that is only viewable by the user
the web server is running as and the image also would not appear. I
couldn't figure out a way to embed this into a function that could be
hidden in a non-world readable subdirectory -- which would be my
preferred approach. (Is there a way to call a php function that
returns an image from within an img tag, instead of calling a php
file?)
I can easily check http request type but the img tag is doing a GET
request which is also what request type is used if they try and
directly access the URL.
I'm sure its something simple I am overlooking. Maybe another $_SERVER
variable or something I can work with.
fyi: running php 5.2.5 and apache 2.2.
Thanks for any help..
/CC
Pass the session_id in the url..
<img src="getRandImage.php?img=SESSION_ID_HERE" />
then in the php
<?php
if(isset($_GET['img']) && $_GET['img'] == session_id()) {
#code to show image
}
?>
you can ultra harden it by putting a destroy session code in that block
aswell, meaning they can only single access the file.
alternatively (and a bit harder on the machine)
have the index.php script create a php on the fly based on session_id or
something ie: 3h238bc98da9e0a880237d7c8ef09.php
and have that script echo out the image and delete itself once the image
has been sent to the buffer (ob_* and flush())
:)
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
