hide image source with php
|
02-04-2011, 03:53 PM
Post: #3
|
|||
|
|||
RE: hide image source with php
Hello,
I was also trying to hide my photo download path from browsers. This header method seems to be a good way to do it but I have found a big hole and cannot find a way to plug it. What I'm doing is this: to prevent hotlinking to my photos, I want to totally hide their path (folder has a crazy name). I call each photo with something like display.php?id=photoid. But doing this, anybody could easily type in their browser the exact same thing and hotlink to the photos without actually knowing their path by calling the php, so hiding the path that way would not be very useful. So what I do against that is that I pass a session value and in the display.php file I test for that session value before sending the right header. That session value has been set by another php script. So what I'm doing is make sure that the photo is displayed only if display.php has been called by that other script. This prevents hotlinking. The display.php will unset that session value when sending the photo in the header. So that works well, it hides the path, and prevents hotlinking as well. BUT, here's where the hole is: With a browser, I try to type directly display.php?id=photoid. Of course it works as expected, and doesn't display the photo. Now I go through the website to display the photo normally. It works and displays the photo. Now, because of memory cache, by trying to retype the direct address in the browser or with a right combination of back/forward, I will be able to display the photo directly in the browser even though it is forbidden. The browser will simply pull the photo out of the cache(even though I sent all the necessary headers to prevent caching). But what is even worse, is that doing this, it will display in the location bar not "display.php?id=photoid" as it would if calling it directly was allowed but curiously the *full* path of the photo, revealing the directory name on the server. Now I'm trying to find a way to prevent that. If I stop the session variable check then the photo will be displayed without interdiction. The path will *not* be revealed then, but hotlinking will be possible.... I hope I didn't put everyone to sleep with all the verbose Web Designers Directory | Advertise Web Design Business | Website Design |
|||
« Next Oldest | Next Newest »
|
Messages In This Thread |
hide image source with php - justinOrel - 01-12-2011, 10:54 AM
RE: hide image source with php - petermoses - 02-04-2011, 03:50 PM
RE: hide image source with php - justinOrel - 02-04-2011 03:53 PM
RE: hide image source with php - torontoairporttaxi - 03-25-2012, 02:36 AM
RE: hide image source with php - jackkelly - 08-07-2012, 10:08 PM
RE: hide image source with php - kavinpeters - 08-30-2012, 11:55 PM
|
User(s) browsing this thread: 5 Guest(s)