Re: How to prevent direct access..



Chuck wrote:
I have a php file that produces an image and is only referred to from
an img tag like so:

<img src="getRandImage.php">

I want to prevent anyone from directly accessing the getRandImage.php
file. The file has to be world readable or the image will not display.
I played around with testing $_SERVER['HTTP_REFERER'] using regular
expressions but the above image tag appears in the default splash page
and there is no http referer set when they first visit the site. (also
ran into some IE quirkiness as well) I played around with putting
getRandImage.php into a subdirectory that is only viewable by the user
the web server is running as and the image also would not appear. I
couldn't figure out a way to embed this into a function that could be
hidden in a non-world readable subdirectory -- which would be my
preferred approach. (Is there a way to call a php function that
returns an image from within an img tag, instead of calling a php
file?)

I can easily check http request type but the img tag is doing a GET
request which is also what request type is used if they try and
directly access the URL.

I'm sure it's something simple I am overlooking. Maybe another $_SERVER
variable or something I can work with.

fyi: running php 5.2.5 and apache 2.2.

Thanks for any help..
/CC

Pass the session_id in the url..
<img src="getRandImage.php?img=SESSION_ID_HERE" />

then in the php
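<?php
session_start(); // session_id() returns an empty string until the session is started
// Only serve the image when the id in the URL matches this visitor's session
if (isset($_GET['img']) && $_GET['img'] === session_id()) {
    // code to show image
}
?>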

you can ultra harden it by putting a destroy session code in that block as well, meaning they can only single access the file.

alternatively (and a bit harder on the machine)
have the index.php script create a php on the fly based on session_id or something ie: 3h238bc98da9e0a880237d7c8ef09.php
and have that script echo out the image and delete itself once the image has been sent to the buffer (ob_* and flush())

:)
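
An added example, not part of the original reply: a variant of the suggestion above that puts a random single-use token in the image URL instead of the session id itself, so the session id does not end up in server logs or browser history. It assumes PHP 7+ (the thread mentions 5.2.5); the function names, the img_tokens session key and the 60-second lifetime are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ (random_bytes, hash_equals).
// issue_image_token, consume_image_token and 'img_tokens' are hypothetical names.

const IMG_TOKEN_TTL = 60; // seconds a token stays valid after the page is rendered

// Called by the page that emits the <img> tag: mint a random token and remember it.
function issue_image_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['img_tokens'][$token] = time() + IMG_TOKEN_TTL;
    return $token;
}

// Called by getRandImage.php: accept a token once, and only before it expires.
function consume_image_token(array &$session, $supplied): bool
{
    if (!is_string($supplied) || empty($session['img_tokens'])) {
        return false; // missing, malformed (e.g. ?img[]=x) or nothing was issued
    }
    foreach ($session['img_tokens'] as $token => $expires) {
        if (hash_equals((string) $token, $supplied)) {
            unset($session['img_tokens'][$token]); // single use: a replay fails
            return $expires >= time();
        }
    }
    return false;
}

// Wiring in the real scripts, each after session_start():
//   index.php:        $t = issue_image_token($_SESSION);
//                     echo '<img src="getRandImage.php?img=' . htmlspecialchars($t) . '">';
//   getRandImage.php: if (!consume_image_token($_SESSION, $_GET['img'] ?? null)) {
//                         http_response_code(403);
//                         exit;
//                     }

// Offline demonstration with a constructed stand-in for $_SESSION.
if (PHP_SAPI === 'cli') {
    $session = [];
    $t = issue_image_token($session);
    var_dump(consume_image_token($session, $t));      // first fetch by the <img> tag
    var_dump(consume_image_token($session, $t));      // same URL requested again
    var_dump(consume_image_token($session, 'guess')); // direct access without a token
}
```

Because each token is single use, the image response should be sent with caching disabled, otherwise a browser revalidation of the same URL is refused.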