Locking a PHP image from remote web pages

I'm generating an image using several PHP image routines:
imagecreatefromjpeg, imagejpeg, etc. The PHP file containing these
routines is meant to be included on web pages just like regular
images, such as: <img src="image.php">. So far, all this works
beautifully.

Where I'm stuck is that I'd like to keep other web sites from
including my image on remote web pages. I want the image to only
display when rendered on pages from my web server. I would like to
detect for any "remote" condition and then serve up an alternate
image. I have the code for this part, too, but I don't know what
condition to watch for.

I'm thinking something along the lines of using $HTTP_REFERER or
$SERVER_NAME, but can't seem to figure out how to make it work. The
image.php file will always detect that it's being run from my server.
It's the context that I would like to detect.

Thanks for any tips!!

re: Locking a PHP image from remote web pages

ieig-hp0b@spamex.com says...[color=blue]
> I'm generating an image using several PHP image routines:
> imagecreatefromjpeg, imagejpeg, etc. The PHP file containing these
> routines is meant to be included on web pages just like regular
> images, such as: <img src="image.php">. So far, all this works
> beautifully.
>
> Where I'm stuck is that I'd like to keep other web sites from
> including my image on remote web pages. I want the image to only
> display when rendered on pages from my web server.[/color]

Bundle your image creation routines inside a function in your image.php
file. Include the file and call the function when needed.

<?php include ("image.php"); ?>
<html>
......
<img src="<?php getImage($parameters_if_required); ?>">
......

GM

re: Locking a PHP image from remote web pages

ieig-hp0b@spamex.com (ywg) wrote in message news:<46a8a882.0403101943.77540081@posting.google. com>...[color=blue]
> I'm generating an image using several PHP image routines:
> imagecreatefromjpeg, imagejpeg, etc. The PHP file containing these
> routines is meant to be included on web pages just like regular
> images, such as: <img src="image.php">. So far, all this works
> beautifully.
>
> Where I'm stuck is that I'd like to keep other web sites from
> including my image on remote web pages. I want the image to only
> display when rendered on pages from my web server. I would like to
> detect for any "remote" condition and then serve up an alternate
> image. I have the code for this part, too, but I don't know what
> condition to watch for.
>
> I'm thinking something along the lines of using $HTTP_REFERER or
> $SERVER_NAME, but can't seem to figure out how to make it work. The
> image.php file will always detect that it's being run from my server.
> It's the context that I would like to detect.
>
> Thanks for any tips!![/color]

Google is your friend.

1. <http://www.google.com/search?q=php+hotlinking+images>
2. <http://www.google.com/search?q=site:webmasterworld%2Ecom+hotlinking+imag es>

--
"I don't believe in the God who doesn't give me food, but shows me
heaven!"--Swami Vivekanandha
Email: rrjanbiah-at-Y!com

re: Locking a PHP image from remote web pages

ywg wrote:[color=blue]
> I'm generating an image using several PHP image routines:
> imagecreatefromjpeg, imagejpeg, etc. The PHP file containing these
> routines is meant to be included on web pages just like regular
> images, such as: <img src="image.php">. So far, all this works
> beautifully.
>
> I'm thinking something along the lines of using $HTTP_REFERER or
> $SERVER_NAME, but can't seem to figure out how to make it work. The
> image.php file will always detect that it's being run from my server.
> It's the context that I would like to detect.[/color]

You could simply look at the first part of $HTTP_REFERER or, for later
versions of php $_SERVER['HTTP_REFERER']. Return the correct image if
this matches your website name, an error if not.

However, the referer string is passed by the browser and cannot always
be relied on. Opera for example allows it to be turned off.

What I would do is to use sessions. In the top of your webpage set a
session variable and check it in the image script. By definition session
variables are locked to your website, external websites would find it
very difficult to manage to set a session variable (in fact the only way
is to hijack an existing correct session).

re: Locking a PHP image from remote web pages

On 10 Mar 2004 19:43:54 -0800, ieig-hp0b@spamex.com (ywg) wrote:
[color=blue]
>I'm generating an image using several PHP image routines:
>imagecreatefromjpeg, imagejpeg, etc. The PHP file containing these
>routines is meant to be included on web pages just like regular
>images, such as: <img src="image.php">. So far, all this works
>beautifully.
>
>Where I'm stuck is that I'd like to keep other web sites from
>including my image on remote web pages. I want the image to only
>display when rendered on pages from my web server. I would like to
>detect for any "remote" condition and then serve up an alternate
>image. I have the code for this part, too, but I don't know what
>condition to watch for.
>
>I'm thinking something along the lines of using $HTTP_REFERER or
>$SERVER_NAME, but can't seem to figure out how to make it work. The
>image.php file will always detect that it's being run from my server.
>It's the context that I would like to detect.
>
>Thanks for any tips!![/color]


The easy answer is you can't do this reliably...

Some browsers won't have the $HTTP_REFERER set due to
firewall/antivirus software. You'll need to allow these browsers to
display the proper image as they may be legitimate visitors. Where
the referrer is set, you can check that it is as you would expect for
the page and if not then serve up the alternative image.

It won't be 100% but it will be better than nothing.

Would this work?

Use sessions to hold an 'unlock' key for the image which is only only
available for that session - assuming your image is contained in a php
page:

1) Set a session variable to a random value.
2) Write this value into the tag:
<img src="image.php?key=<?php echo $_SESSION['key']">
3) in image.php, check that the value for $_GET['key'] is the same as
the one in the session and if it isn't then it's being leeched.

re: Locking a PHP image from remote web pages

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ywg wrote:[color=blue]
> Where I'm stuck is that I'd like to keep other web sites from
> including my image on remote web pages. I want the image to only
> display when rendered on pages from my web server. I would like to
> detect for any "remote" condition and then serve up an alternate
> image. I have the code for this part, too, but I don't know what
> condition to watch for.[/color]

- From my progress bar demo (http://db.org/demo/progress-demo.php)

if(isset($_SERVER['HTTP_REFERER'])) {
$referer = parse_url($_SERVER['HTTP_REFERER']);
if($referer['host'] != $_SERVER['HTTP_HOST']) {
/* send alternate image here */
exit;
}
}

This will not stop hot-linking for users that does not send
the Referer: header, but a web site that only works for such
users is unlikely...


Bob
-----BEGIN PGP SIGNATURE-----
Comment: B. Johannessen <bob@db.org> - http://db.org/contact/en/

iD8DBQFAUnpzooisUyMOFlgRAicLAJ9novHD7Z/7EilRj0cBbZ4Uifd3UwCfTJGx
5o0iX41L6U6yinxXzl7lRl8=
=elvv
-----END PGP SIGNATURE-----