Re: How to prevent direct access..


 



Chuck wrote:
I have a php file that produces an image and is only referred to from
an img tag like so:

<img src="getRandImage.php">

I want to prevent anyone from directly accessing the getRandImage.php
file. The file has to be world readable or the image will not display.
I played around with testing $_SERVER['HTTP_REFERER'] using regular
expressions but the above image tag appears in the default splash page
and there is no http referer set when they first visit the site. (also
ran into some IE quirkiness as well) I played around with putting
getRandImage.php into a subdirectory that is only viewable by the user
the web server is running as and the image also would not appear. I
couldn't figure out a way to embed this into a function that could be
hidden in a non-world readable subdirectory -- which would be my
preferred approach. (Is there a way to call a php function that
returns an image from within an img tag, instead of calling a php
file?)

I can easily check http request type but the img tag is doing a GET
request which is also what request type is used if they try and
directly access the URL.

I'm sure it's something simple I am overlooking. Maybe another $_SERVER
variable or something I can work with.

fyi: running php 5.2.5 and apache 2.2.

Thanks for any help..
/CC


I would do something like what Nathan said, but with a twist.

From the page with the anchor tag, I would use a unique value in the image URL, but I would store that value in my session, along with a timestamp of when it was generated.

Then, in the getRandImage.php script, I would check to see if the unique value in the session exists. If not, boot them; otherwise, check to see if it is expired. If yes, boot them; otherwise, display the random image and delete the unique value and timestamp.

Then it doesn't matter if they access the URL directly; if they do, they won't have a value in their session, because the only place that the value gets set is in the original calling HTML page.

--
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
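
The session-token check described in the reply above, as an added example that is not part of the original thread. It assumes PHP 7+ (for random_bytes and hash_equals, newer than the PHP 5.2.5 mentioned); the function names, the `img_token` session key, the `t` query parameter and the 30-second lifetime are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ (random_bytes,
// hash_equals); function names, the img_token key and TOKEN_TTL are hypothetical.
const TOKEN_TTL = 30; // seconds allowed between page render and image request

// Page side: remember one token plus its issue time, return it for the img URL.
function issue_image_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['img_token'] = ['value' => $token, 'issued' => $now];
    return $token;
}

// getRandImage.php side: true only for the unexpired token held by this session.
function redeem_image_token(array &$session, $supplied, int $now): bool
{
    $entry = $session['img_token'] ?? null;
    unset($session['img_token']); // single use: gone after the first attempt
    if (!is_array($entry) || !is_string($supplied)) {
        return false; // no value in the session, or non-string input (t[]=...)
    }
    if (!hash_equals($entry['value'], $supplied)) {
        return false; // token does not match the one issued to this session
    }
    return ($now - $entry['issued']) <= TOKEN_TTL;
}

// Web usage (sketch):
//   page:   session_start(); $t = issue_image_token($_SESSION, time());
//           echo '<img src="getRandImage.php?t=' . $t . '">';
//   script: session_start();
//           if (!redeem_image_token($_SESSION, $_GET['t'] ?? null, time())) {
//               http_response_code(403); exit;
//           }

// Constructed demo: a plain array stands in for $_SESSION so it runs from the CLI.
$session = [];
$t = issue_image_token($session, 1000);
var_dump(redeem_image_token($session, $t, 1005));   // request from the rendered page
var_dump(redeem_image_token($session, $t, 1006));   // same URL requested again
var_dump(redeem_image_token($session, null, 1007)); // direct access, no token
$t = issue_image_token($session, 2000);
var_dump(redeem_image_token($session, $t, 2000 + TOKEN_TTL + 1)); // token too old
```

Anyone who loads the page first still receives a valid token, so this blocks bare requests to the script rather than authenticating the viewer.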

