How to protect images without htaccess using PHP

frznmnky

New Member
Messages
326
Reaction score
0
Points
0
On numerous occassions I have been asked how to serve images from a non-web accessible directory. A lot of sites now a days sell content and with the latest in php technologies like sessions and such, people like to use session management and authentication on their websites, without using .htaccess files in their directory. The easiest solution to protecting images is by reading them from a directory outside the document root on the webserver and serving it to another php script. This helps in two ways.
1. People cannot link directly to your images via a URL.
2. You can use another script to serve the image and make people login to view the image as well you could use your own html design dynamically around the image.

This is actually a pretty simple technique to use on your sites. First you will create a php script that will print the appropriate header out and then serve the image. Let's call the first script readimage.php.

/* This script takes a variable named $path strips off the last 3 characters to see what the extension is,
and processes it accordingly */
$extension = substr($path, -3);
if($extension == "jpg"){
header("Content-type: image/jpeg");
}elseif($extension == "gif"){
header("Content-type: image/gif");
}
/* YOU COULD ADD MORE HERE TO SEND ERRORS IF YOU RECEIVE A WEIRD IMAGE TYPE! */
readfile("$path");
?>

That is all there is to reading the image. There are a couple other things we could do here. One of the main problems is that you have to pass an entire path to this script...

/home/yourname/images/img.jpg

Obviously there could be some security concerns with a situation like this, so what I normally do is put a base path in the script:

$base_path = "/home/yourname/";
$path = $base_path.$path;

Here is how this could help hide the location of your images. Without the base path in the script you would call the script like this:

readimage.php?path=/home/yourname/images/img.jpg

When you add the base path variable to the script you can call the script like this:

readimage.php?path=images/img.jpg

Now I am sure you are wondering to yourself, but how could I protect that and make the image displayed in my own html page so that it can have customized content around it also? First lets start off with a simple php script that is named showcontent.php


/* showcontent.php */
/* You could put your authentication here to make sure users can view the image! */
?>

I am sure all of you are looking at the above and are thinking, why does that have to be php? Well realistically it doesn't , but if you want to add security to the page so that everyone cannot view it, you could use this type of setup and just include your authentication class or whatever you use for security. By developing something like this you could really make the showcontent page a perl script, php, asp or whatever you want as long as your server can also parse php documents as it will need to for the readimage.php.

I hope this helped you understand how to serve images using php. With the examples I gave above, there is really no limitation on what you can do to protect images, this is just one simple way that could be up and running in no time.
 
Top