
Hiding image filenames

I have a PHP script which generates responses to answers submitted by a
form. The responses contain links to images. I'd like to stop users
guessing the names of other images and viewing them. I know I could use
random unguessable filenames, but I wondered if there was a more elegant
solution using PHP?

I know I can reference a php script in an img tag, and pass in a
parameter to specify which image to return, and I can use $HTTP_REFERER
to check that the script is being invoked by my page only. But the PHP
manual warns that this is set by the browser and cannot be relied upon.

So, is there a better solution?
--
Steve Loft
Jul 17 '05 #1
9 Replies


Steve Loft wrote:
> I know I can reference a php script in an img tag, and pass in a
> parameter to specify which image to return, and I can use $HTTP_REFERER
> to check that the script is being invoked by my page only. But the PHP
> manual warns that this is set by the browser and cannot be relied upon.
>
> So, is there a better solution?


You might want to use session variables.

On a script somewhere, set, for instance

$_SESSION['images'] = array(1, 4, 19, 55); // maybe you prefer names

To view an image, put the script in the img tag

<img src="image.php?id=19">

and in image.php check that the id passed as a parameter to image.php is
set in the $_SESSION['images'] array.

So, if the user wants to get cute and tries image.php?id=13, nothing will
show (or display an error message, or a blank picture, ...)
--
USENET would be a better place if everybody read: : mail address :
http://www.catb.org/~esr/faqs/smart-questions.html : is valid for :
http://www.netmeister.org/news/learn2quote2.html : "text/plain" :
http://www.expita.com/nomime.html : to 10K bytes :
Jul 17 '05 #2

"Steve Loft" <st***@nybbles.co.uk> wrote in message
news:vm************@nybbles.co.uk...
> I have a PHP script which generates responses to answers submitted by a
> form. The responses contain links to images. I'd like to stop users
> guessing the names of other images and viewing them. I know I could use
> random unguessable filenames, but I wondered if there was a more elegant
> solution using PHP?
>
> I know I can reference a php script in an img tag, and pass in a
> parameter to specify which image to return, and I can use $HTTP_REFERER
> to check that the script is being invoked by my page only. But the PHP
> manual warns that this is set by the browser and cannot be relied upon.
>
> So, is there a better solution?


Use a session variable to store a list of image names. Your PHP script will
add the file names that the user can see at the given stage. The script that
outputs the image will check this list to keep the user from getting ahead
of himself.

In your response script:

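// session_start() must already have been called in this script

// images viewable at each particular step
$image_lists = array(
    1 => array('cow1.gif', 'cow2.gif'),
    2 => array('cow3.gif', 'cow4.gif'),
    3 => array('cow5.gif', 'beef.gif')
);

// add this step's images to the ones already unlocked for this session
if (!isset($_SESSION['cow_pix'])) {
    $_SESSION['cow_pix'] = array();
}
$_SESSION['cow_pix'] = array_merge($_SESSION['cow_pix'], $image_lists[$step]);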

In the image script:

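session_start();

// the requested name; empty if the parameter is missing
$filename = isset($_GET['img']) ? $_GET['img'] : '';

// serve the file only if this session has been granted exactly this name
if (isset($_SESSION['cow_pix']) && in_array($filename, $_SESSION['cow_pix'], true)) {
    header("Content-type: image/gif");
    // $IMAGE_PATH: directory holding the images, defined elsewhere
    readfile("$IMAGE_PATH/$filename");
}
else {
    header("HTTP/1.0 404 Not found");
}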
Jul 17 '05 #3
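
Added example, not part of any post in this thread: one way to write the image script so that the browser only ever sends an opaque id while the session holds the id-to-file map, with the resolved path confined to one directory. IMAGE_DIR, TYPES, resolve_image() and the allowed_images session key are assumed names, and the fileinfo extension is assumed to be loaded.

```php
<?php
// Added example: hypothetical image.php gate. IMAGE_DIR, TYPES, resolve_image()
// and the 'allowed_images' session key are illustrative, not from the thread.
declare(strict_types=1);

const IMAGE_DIR = '/var/www/hidden_files/images';   // assumed: outside the web root
const TYPES = ['image/jpeg', 'image/gif', 'image/png'];

/** Returns [status, content type or null, absolute path or null] for an id. */
function resolve_image(array $session, $id, string $dir = IMAGE_DIR): array
{
    $allowed = $session['allowed_images'] ?? [];     // id => file name, set by the page script
    // Accept only a plain string id that this session was explicitly granted.
    if (!is_string($id) || !array_key_exists($id, $allowed)) {
        return [404, null, null];
    }
    // Resolve symlinks and ../, then require the result to stay inside $dir.
    $base = realpath($dir);
    $path = realpath($dir . '/' . basename((string) $allowed[$id]));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return [404, null, null];
    }
    // Take the type from the file contents, never from the request.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($type, TYPES, true)) {
        return [404, null, null];
    }
    return [200, $type, $path];
}

if (PHP_SAPI !== 'cli') {
    session_start();
    [$status, $type, $path] = resolve_image($_SESSION, $_GET['id'] ?? null);
    if ($status !== 200) {
        http_response_code(404);          // same answer for "denied" and "missing"
        exit;
    }
    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

The page script would grant an image with something like `$_SESSION['allowed_images']['19'] = '1tree.jpg';` and emit `<img src="image.php?id=19">`, so no file name or path ever appears in the HTML.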

Chung Leong wrote:
> Use a session variable to store a list of image names. Your PHP script will
> add the file names that the user can see at the given stage. The script that
> outputs the image will check this list to keep the user from getting ahead
> of himself.


That's great. Thanks to both you and Pedro for the suggestion, it's perfect.

--
Steve Loft
Jul 17 '05 #4

I wrote:
> That's great. Thanks to both you and Pedro for the suggestion, it's
> perfect.


Except I'm having trouble getting it working. I decided to use the
following method: The name of the current image to be displayed is
stored in a session variable, then the script which displays the image
just uses the session variable to fetch the file.

My first script has this at the start:

<?php
session_start();
$_SESSION['imagename']= "../../hidden_files/default.jpg";

Then, later, in the path where I decide which image the user is going to
see, I do this:

$_SESSION['imagename']= "../../hidden_files/images/1tree.jpg";

and inside the HTML which follows I have:

<img src="images.php" />

The images.php file looks like this:

<?php
session_start()
$im =imagecreatefromjpeg($_SESSION["imagename"]);
imagejpeg($im);
?>

But the image doesn't get displayed. The session_start() seems to screw
things up. If I put the actual filename in the images.php script instead
of using the session variable, it still doesn't work until I remove the
session_start().

What am I doing wrong, please?
--
Steve Loft
Jul 17 '05 #5


"Steve Loft" <st***@nybbles.co.uk> wrote in message
news:1m************@nybbles.co.uk...
> I wrote:
> > That's great. Thanks to both you and Pedro for the suggestion, it's
> > perfect.
>
> Except I'm having trouble getting it working. I decided to use the
> following method: The name of the current image to be displayed is
> stored in a session variable, then the script which displays the image
> just uses the session variable to fetch the file.
>
> My first script has this at the start:
>
> <?php
> session_start();
> $_SESSION['imagename']= "../../hidden_files/default.jpg";
>
> Then, later, in the path where I decide which image the user is going to
> see, I do this:
>
> $_SESSION['imagename']= "../../hidden_files/images/1tree.jpg";
>
> and inside the HTML which follows I have:
>
> <img src="images.php" />
>
> The images.php file looks like this:
>
> <?php
> session_start()
> $im =imagecreatefromjpeg($_SESSION["imagename"]);
> imagejpeg($im);
> ?>
>
> But the image doesn't get displayed. The session_start() seems to screw
> things up. If I put the actual filename in the images.php script instead
> of using the session variable, it still doesn't work until I remove the
> session_start().
>
> What am I doing wrong, please?
> --
> Steve Loft


Try next code
<?php
session_start()
header("Content-type: image/jpeg");
readfile($_SESSION["imagename"]);
?>
Jul 17 '05 #6

I wrote:
> <?php
> session_start()
> $im =imagecreatefromjpeg($_SESSION["imagename"]);
> imagejpeg($im);
> ?>


Whoops. Missing semicolon! Works fine now :)
--
Steve Loft
Jul 17 '05 #7

Dennis Biletsky wrote:

> Try next code
> <?php
> session_start()
> header("Content-type: image/jpeg");
> readfile($_SESSION["imagename"]);
> ?>


Yes, that works too - with the missing semicolon added!

And now it all works wonderfully, except that when I disable cookies and
use the URL to pass the session ID, the images stop being displayed
again. Any ideas, anyone?

--
Steve Loft
Jul 17 '05 #8

I wrote:
> And now it all works wonderfully, except that when I disable cookies and
> use the URL to pass the session ID, the images stop being displayed
> again. Any ideas, anyone?


After staring at it for hours, I finally realised that PHP doesn't
automatically add the session ID parameter to img tags. Having put it in
manually using SID, it all works fine with and without cookies.
--
Steve Loft
Jul 17 '05 #9

Steve Loft <st***@nybbles.co.uk> wrote in message news:<lo************@nybbles.co.uk>...
> I wrote:
> > And now it all works wonderfully, except that when I disable cookies and
> > use the URL to pass the session ID, the images stop being displayed
> > again. Any ideas, anyone?
>
> After staring at it for hours, I finally realised that PHP doesn't
> automatically add the session ID parameter to img tags. Having put it in
> manually using SID, it all works fine with and without cookies.


No need to hard code. Just use "url_rewriter.tags" with ini_set()
<http://in.php.net/ini_set>

--
http://www.sendmetoindia.com - Send Me to India!
Email: rrjanbiah-at-Y!com
Jul 17 '05 #10
