I use a system like that described below; however, I added some checks to thwart attacks.
First, the image-serving script checks to make sure the user has a session id. This prevents people from just loading the script to get the images, and also deters hotlinking.
Second, I have a script that runs once an hour and generates a random word and saves it to a text file. That file is read by the page that calls the image-serving script, and the word contained within is md5 hashed, then passed to the image-serving script like this:
<img src='imgserv.php?i=joe.jpg&h=fc5e038d38a57032085441e7fe7010b0' border=0>


The image-serving script then loads the same text file, hashes the word within and compares the hashes. If they don't match, the link is over an hour old and the image isn't served.

I know there are circumstances where an image can be hotlinked and viewable, but the hotlink only works for an hour, and only for people who have actually visited my site during their current browser session, and this I can live with.

Keith
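The scheme Keith describes above, written out as an added example of the image-serving script (this is not Keith's or Curt's own code). It assumes PHP 7+, that the images and the hourly token file live in the placeholder paths below (outside the document root), that an ordinary page has already started a session, and that the page emits the same md5 of the word as the h= parameter.

```php
<?php
// imgserv.php (added example, not from the thread). Paths are placeholders.
const IMAGE_DIR  = '/var/www/private/images';    // assumed: images kept outside DocumentRoot
const TOKEN_FILE = '/var/www/private/token.txt'; // assumed: rewritten hourly by the cron script
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];

function fail(int $code): void {
    http_response_code($code);
    exit;
}

// 1. Keith's first check: the browser must already carry a session cookie set by a
//    normal page, so a bare request for the script (or a hotlink from someone who
//    never visited the site in this browser session) is refused.
if (!isset($_COOKIE[session_name()])) {
    fail(403);
}
session_start();

// 2. Keith's second check: recompute md5(<hourly word>) from the same file the page
//    read and compare it with h=... in constant time. A stale (over an hour old)
//    or missing hash is rejected.
$word = trim((string) @file_get_contents(TOKEN_FILE));
if ($word === '' || !isset($_GET['h']) || !hash_equals(md5($word), (string) $_GET['h'])) {
    fail(403);
}

// 3. Curt's "check for valid file": drop any directory part, accept only known image
//    extensions, and confirm the resolved path is still inside IMAGE_DIR.
$name = basename((string) ($_GET['i'] ?? ''));
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if ($name === '' || !isset(ALLOWED[$ext])) {
    fail(404);
}
$base = realpath(IMAGE_DIR);
$path = realpath(IMAGE_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    fail(404);
}

// 4. Serve the image with the content type matching its extension.
header('Content-Type: ' . ALLOWED[$ext]);
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Because md5 of the word is itself the bearer token, the token file must stay unreadable from the web, and a page rendered just before the hourly rotation will carry links that expire within minutes of being issued.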

At 01:20 PM 7/6/2004, Dennis Gearon wrote:
I may do that, but the 'showimage.php' file then has to be in the document root, and can be attacked a LOT.

I have found ways to do inline images, without javascript, I believe.

Curt Zirzow <[EMAIL PROTECTED]> wrote:

* Thus wrote Dennis Gearon:

I want to keep an entire library OUTSIDE of the document root. The library includes some images. How can I have the browser include the images?
I've heard of BASE64'ing the images into the header and decoding them using javascript. Is this the best way? Where is code to do that?


No, it's probably the worst way. To have the browser reference images outside the document root you'll have to create a php wrapper function that decides on what to do:

<img src="/showimage.php?file=foobar.jpg">

showimage.php:
<?php

$path_outside_docroot = '/var/www/private/images/'; // directory not under the document root

$file = basename($_GET['file']); // drop any directory part so "../" cannot escape the directory

// authentication if needed...
// check for valid file, etc..
if ($file === '' || !is_file($path_outside_docroot . $file)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

header('Content-Type: image/jpeg'); // send right content type
readfile($path_outside_docroot . $file);

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
