By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
444,225 Members | 2,170 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 444,225 IT Pros & Developers. It's quick & easy.

password-protection

P: n/a
Wm
Something just occurred to me... <yeah, I know, it scared me too> I just
password-protected a website by including a password authentication script
in each page of a private section. The script checks the login against the
mySQL database. This type of protection will only affect the .php pages,
won't it? The images that are contained in the pages are not protected, as
they would be if I had a .htaccess file on the parent directory..? This
method will not protect me from people hot-linking images from my directory
and calling them directly, will it? What is the "best" way of protecting
the entire directory, both pages AND images?

Thanx,
Wm

Jul 17 '05 #1
Share this Question
Share on Google+
3 Replies


P: n/a

This type of protection will only affect the .php pages,
won't it? The images that are contained in the pages are not protected, as they would be if I had a .htaccess file on the parent directory..?


You're right. Use .htaccess.
Jul 17 '05 #2

P: n/a
> Something just occurred to me... <yeah, I know, it scared me too>
I just password-protected a website by including a password
authentication script in each page of a private section. The
script checks the login against the mySQL database. This type of
protection will only affect the .php pages, won't it?
Indeed.
The images that are contained in the pages are not protected, as
they would be if I had a .htaccess file on the parent
directory..? This method will not protect me from people
hot-linking images from my directory and calling them directly,
will it? What is the "best" way of protecting the entire
directory, both pages AND images?


Probably an .htaccess file.
--
SeeSchloß - http://www.seeschloss.net

Jul 17 '05 #3

P: n/a

"Wm" <LA*******@hotmail.com> wrote in message
news:xN**********************@news.easynews.com...
Something just occurred to me... <yeah, I know, it scared me too> I just
password-protected a website by including a password authentication script
in each page of a private section. The script checks the login against the
mySQL database. This type of protection will only affect the .php pages,
won't it? The images that are contained in the pages are not protected, as they would be if I had a .htaccess file on the parent directory..? This
method will not protect me from people hot-linking images from my directory and calling them directly, will it? What is the "best" way of protecting
the entire directory, both pages AND images?

Thanx,
Wm


I totally agree that .htaccess is the right way to go. However, if that is
not available to you or you have other reasons not to use it, a method I
have used to protect HTML and other downloadable files (e.g., a Word
Document) is to store the sensitive material in a directory that is not
accessible to web browsers. Under Apache, anything on the same directory
level as /htdocs will work, such as /etc or /cgi-bin. Then your protected
PHP script (which can reach into other directories besides the
web-accessible ones) obtains the document and makes it available to the
user, either immediately through the fpassthru() or readfile() functions
(for text and HTML files), or by setting up a download action via header()
statements to send binary files. Look up help topics in "file download" on
PHP websites for more info.

Note that the latter technique can be directly applied to images on your
page if you write a PHP script that grabs the desired image and sends it to
stdout, setting the appropriate header() elements to let the browser know
that an image is "on the way". Then you use the image tag in your original
php/html file to point to this "image script" file in the "src=" attribute,
e.g.,

<img src="get_my_image.php?image_id=4">

Since the <img> tag lives within your protected php file, and your image
file (whatever corresponds to image_id=4) resides outside the web directory,
this will only provide the image to someone with access to your original
page.

Douglas Abernathy
Jul 17 '05 #4

This discussion thread is closed

Replies have been disabled for this discussion.