"Wm" <LA*******@hotmail.com> wrote in message
news:xN**********************@news.easynews.com...
Something just occurred to me... <yeah, I know, it scared me too> I just
password-protected a website by including a password authentication script
in each page of a private section. The script checks the login against the
MySQL database. This type of protection will only affect the .php pages,
won't it? The images that are contained in the pages are not protected,
as they would be if I had a .htaccess file on the parent directory..? This
method will not protect me from people hot-linking images from my
directory and calling them directly, will it? What is the "best" way of protecting
the entire directory, both pages AND images?
Thanx,
Wm

I totally agree that .htaccess is the right way to go. However, if that is
not available to you or you have other reasons not to use it, a method I
have used to protect HTML and other downloadable files (e.g., a Word
Document) is to store the sensitive material in a directory that is not
accessible to web browsers. Under Apache, anything on the same directory
level as /htdocs will work, such as /etc or /cgi-bin. Then your protected
PHP script (which can reach into other directories besides the
web-accessible ones) obtains the document and makes it available to the
user, either immediately through the fpassthru() or readfile() functions
(for text and HTML files), or by setting up a download action via header()
statements to send binary files. Look up help topics in "file download" on
PHP websites for more info.
Note that the latter technique can be directly applied to images on your
page if you write a PHP script that grabs the desired image and sends it to
stdout, setting the appropriate header() elements to let the browser know
that an image is "on the way". Then you use the image tag in your original
php/html file to point to this "image script" file in the "src=" attribute,
e.g.,
<img src="get_my_image.php?image_id=4">
Since the <img> tag lives within your protected php file, and your image
file (whatever corresponds to image_id=4) resides outside the web directory,
this will only provide the image to someone with access to your original
page.
Douglas Abernathy
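
An added example, not part of the original posts: one way to write the get_my_image.php script described above. Because the script is itself reachable by URL, this version repeats the login check before sending anything and resolves image_id through a fixed map instead of using it as a path. Assumed here: a login script that sets $_SESSION['user_id'], the directory /var/www/private_images, and the two constructed file names.

```php
<?php
// get_my_image.php (added example, not code from the thread)
declare(strict_types=1);

session_start();

// Assumption: the site's login script sets $_SESSION['user_id'] on success.
// The image script needs its own check; the page embedding <img> cannot supply one.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Assumption: placeholder directory that sits outside the web root.
const IMAGE_DIR = '/var/www/private_images';

// Constructed ID-to-file map; a real site might keep this in its database.
const IMAGES = [4 => 'floorplan.jpg', 5 => 'logo.png'];

// Accept only an integer ID present in the map, so the request can never
// name a file path (no "../" traversal out of IMAGE_DIR).
$id = filter_input(INPUT_GET, 'image_id', FILTER_VALIDATE_INT);
if (!is_int($id) || !array_key_exists($id, IMAGES)) {
    http_response_code(404);
    exit('Not found');
}

$path = IMAGE_DIR . '/' . IMAGES[$id];
if (!is_file($path) || !is_readable($path)) {
    http_response_code(404);
    exit('Not found');
}

// Take the content type from the file's bytes, not from its extension.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, ['image/jpeg', 'image/png', 'image/gif'], true)) {
    http_response_code(415);
    exit('Unsupported media type');
}

// Tell the browser an image is coming and keep shared caches from storing it.
header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```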