Web Design Forum HTML CSS JavaScript PHP Graphic Design SEO forum
hide image source with php - Printable Version

+- Web Design Forum HTML CSS JavaScript PHP Graphic Design SEO forum (http://www.webdesignforum.com.au)
+-- Forum: Web and Graphic Design (/forumdisplay.php?fid=1)
+--- Forum: Programming (/forumdisplay.php?fid=10)
+--- Thread: hide image source with php (/showthread.php?tid=124)



hide image source with php - justinOrel - 01-12-2011 10:54 AM

Is there a way to hide image url with PHP? I basically need an image passed to a flash application and I don't want to give out the image URL

I found this script [url=http://www.bounmis.com/en/PHP/How_To_Hide_Image_Source.html]
it does work but seems a bit crap since it essentially converts an image to jpeg
Any better solutions?


RE: hide image source with php - petermoses - 02-04-2011 03:50 PM

use this script:

if ($_SERVER["HTTP_REFERER"] != "") {
$image = $_GET["my_image_path"];
header ("Content-Type: application/octet-stream");
$fp = fopen($image,"r");
echo fpassthru($fp);
} else {
header('Location: $GO_SOMEWHERE');
}


RE: hide image source with php - justinOrel - 02-04-2011 03:53 PM

Hello,

I was also trying to hide my photo download path from browsers.

This header method seems to be a good way to do it but I have found a big hole and cannot find a way to plug it.

What I'm doing is this: to prevent hotlinking to my photos, I want to totally hide their path (folder has a crazy name). I call each photo with something like display.php?id=photoid. But doing this, anybody could easily type in their browser the exact same thing and hotlink to the photos without actually knowing their path by calling the php, so hiding the path that way would not be very useful.

So what I do against that is that I pass a session value and in the display.php file I test for that session value before sending the right header. That session value has been set by another php script. So what I'm doing is make sure that the photo is displayed only if display.php has been called by that other script. This prevents hotlinking. The display.php will unset that session value when sending the photo in the header.

So that works well, it hides the path, and prevents hotlinking as well.

BUT, here's where the hole is:
With a browser, I try to type directly display.php?id=photoid. Of course it works as expected, and doesn't display the photo. Now I go through the website to display the photo normally. It works and displays the photo. Now, because of memory cache, by trying to retype the direct address in the browser or with a right combination of back/forward, I will be able to display the photo directly in the browser even though it is forbidden. The browser will simply pull the photo out of the cache(even though I sent all the necessary headers to prevent caching).

But what is even worse, is that doing this, it will display in the location bar not "display.php?id=photoid" as it would if calling it directly was allowed but curiously the *full* path of the photo, revealing the directory name on the server.

Now I'm trying to find a way to prevent that. If I stop the session variable check then the photo will be displayed without interdiction. The path will *not* be revealed then, but hotlinking will be possible....

I hope I didn't put everyone to sleep with all the verbose Smile


RE: hide image source with php - torontoairporttaxi - 03-25-2012 02:36 AM

thanks for the useful code


RE: hide image source with php - jackkelly - 08-07-2012 10:08 PM

thanks for this post u have shared here.


RE: hide image source with php - kavinpeters - 08-30-2012 11:55 PM

this is very cool and helpful post for me