469,963 Members | 1,248 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,963 developers. It's quick & easy.

is an image embedded in a webpage?

i've written a php script that generates images dynamically, via the
GD library. i now want to detect whether or not the image is embedded
within a homepage, or is being viewed by itself. at first, i thought
that whether or not HTTP_SERVER_VARS['REFERER'] was set, that it would
mean that the image was embedded, but that's not necessarily the case,
as it will also be set if it's just linked to from the webpage. so,
any ideas?
Jul 17 '05 #1
9 1964
yawnmoth wrote:
i've written a php script that generates images dynamically, via the
GD library. i now want to detect whether or not the image is embedded
within a homepage, or is being viewed by itself. at first, i thought
that whether or not HTTP_SERVER_VARS['REFERER'] was set, that it would
mean that the image was embedded, but that's not necessarily the case,
as it will also be set if it's just linked to from the webpage. so,
any ideas?


$_SESSION['embed_time'] = time();
echo '<img src="img.php">';
and in img.php

define('MAX_SECONDS_FOR_EMBEDDED_IMAGES', 10);
if (isset($_SESSION['embed_time']) &&
$_SESSION['embedded']+MAX_SECONDS_FOR_EMBEDDED_IMAGES < time()) {
// image is embedded
} else {
// image is not embedded
}

HTH
--
USENET would be a better place if everybody read: : mail address :
http://www.catb.org/~esr/faqs/smart-questions.html : is valid for :
http://www.netmeister.org/news/learn2quote2.html : "text/plain" :
http://www.expita.com/nomime.html : to 10K bytes :
Jul 17 '05 #2
"Pedro Graca" <he****@hotpop.com> wrote in message
news:2h************@uni-berlin.de...
yawnmoth wrote:
i've written a php script that generates images dynamically, via the
GD library. i now want to detect whether or not the image is embedded
within a homepage, or is being viewed by itself. at first, i thought
that whether or not HTTP_SERVER_VARS['REFERER'] was set, that it would
mean that the image was embedded, but that's not necessarily the case,
as it will also be set if it's just linked to from the webpage. so,
any ideas?


$_SESSION['embed_time'] = time();
echo '<img src="img.php">';
and in img.php

define('MAX_SECONDS_FOR_EMBEDDED_IMAGES', 10);
if (isset($_SESSION['embed_time']) &&
$_SESSION['embedded']+MAX_SECONDS_FOR_EMBEDDED_IMAGES < time()) {
// image is embedded
} else {
// image is not embedded
}


Won't it be easier if you just set a flag in the PHP script that generates
the <img> tag and unset it in the script that generates the image?
Jul 17 '05 #3
Chung Leong wrote:
"Pedro Graca" <he****@hotpop.com> wrote in message
news:2h************@uni-berlin.de...
yawnmoth wrote:
> i've written a php script that generates images dynamically, via the
> GD library. i now want to detect whether or not the image is embedded
> within a homepage, or is being viewed by itself. at first, i thought
> that whether or not HTTP_SERVER_VARS['REFERER'] was set, that it would
> mean that the image was embedded, but that's not necessarily the case,
> as it will also be set if it's just linked to from the webpage. so,
> any ideas?


$_SESSION['embed_time'] = time();
echo '<img src="img.php">';
and in img.php

define('MAX_SECONDS_FOR_EMBEDDED_IMAGES', 10);
if (isset($_SESSION['embed_time']) &&
$_SESSION['embedded']+MAX_SECONDS_FOR_EMBEDDED_IMAGES < time()) { # ____________ ^^^^^^^^ _____
# ___________ embed_time ____ // image is embedded
} else {
// image is not embedded
}


Won't it be easier if you just set a flag in the PHP script that generates
the <img> tag and unset it in the script that generates the image?


Yes, it will :)
Thank you for pointing that out.

--
USENET would be a better place if everybody read: : mail address :
http://www.catb.org/~esr/faqs/smart-questions.html : is valid for :
http://www.netmeister.org/news/learn2quote2.html : "text/plain" :
http://www.expita.com/nomime.html : to 10K bytes :
Jul 17 '05 #4
yawnmoth wrote:
at first, i thought
that whether or not HTTP_SERVER_VARS['REFERER'] was set, that it would
mean that the image was embedded, but that's not necessarily the case,
as it will also be set if it's just linked to from the webpage. so,
any ideas?


Check the value of REFERER. If I remember rightly, it will point to the
URL of the page that called it. If the domain in the URL is yours, then
your page is calling it. If the domain in the URL is someone else's,
then you're not the one calling it. You can probably ban other sites
from generating the image this way. (Unless it's a dynamic image,
they'll just copy and save it to their site by right-clicking in their
browser, then put it on their site without referring to your script at all.)
--
Bob
London, UK
echo Mail fefsensmrrjyaheeoceoq\! | tr "jefroq\!" "@obe.uk"
Jul 17 '05 #5
"Pedro Graca" <he****@hotpop.com> wrote in message
news:2h************@uni-berlin.de...
Won't it be easier if you just set a flag in the PHP script that generates the <img> tag and unset it in the script that generates the image?


Yes, it will :)
Thank you for pointing that out.


It breaks the capabilities to serve files to multiple users at once:

00:00:00.00 -- User 1 requests home page - Flag gets set
00:00:00.25 -- User 2 requests home page - Flag gets set
00:00:00.50 -- User 1 requests image - Flag gets unset
00:00:00.75 -- User 2 requests image - Flag is unset, so request is denied

It doesn't work to switch to an instance counter. Your counter will get
messed up.

Example 1: User is browsing without images turned on, so the counter gets
incremented by the home page script but never decremented. You now have a
counter that is too high. If this happens regularly, people can still
request the image without hitting the home page, since the counter will have
stored displays that weren't used.

Example 2: Image transfer fails for some reason, so the browser requests it
twice. Now your counter is too low and someone's request is going to fail.

Possible solutions:

* Use a time-based value in the image file name and allow access for a
certain period of time based on that value.
* Use sessions and store the flag that was set by the main page as a session
variable. This makes it independent for each user and eliminates the
scenarios above, when coded correctly.

Steve
--
Steven C. Gallafent - The Computer Guy, Inc.
st***@compguy.com - http://www.compguy.com/
Jul 17 '05 #6
>> at first, i thought
that whether or not HTTP_SERVER_VARS['REFERER'] was set, that it would
mean that the image was embedded, but that's not necessarily the case,
as it will also be set if it's just linked to from the webpage. so,
any ideas?
Check the value of REFERER.


That value comes from the browser, so it's easily fakable and
about as useful for security as a vault door made out of one
layer of toilet paper.
If I remember rightly, it will point to the
URL of the page that called it.
Unless the legitimate user's browser strips it out.
Then you may lose a paying customer.
If the domain in the URL is yours, then
your page is calling it. If the domain in the URL is someone else's,
then you're not the one calling it. You can probably ban other sites
from generating the image this way. (Unless it's a dynamic image,
they'll just copy and save it to their site by right-clicking in their
browser, then put it on their site without referring to your script at all.)


If it *IS* a dynamic image, they'll save it anyway. They don't
have to use a conventional (mouseful) browser at all.

For example, on FreeBSD (probably Linux also, and there's no reason
there couldn't be a Windows version):

% setenv HTTP_REFERER http://www.porn.com/hotstuff/index.html
(or anything else I feel like)
% fetch -o hotporn37.jpg http://www.porn.com/hotstuff/hotporn37.jpg
oh, yes, I can also setenv HTTP_REFERER to "auto" and fetch will
set HTTP_REFERER to the URL of the image I'm trying to fetch, so
I don't have to bother re-setting it for each image I steal.

Gordon L. Burditt
Jul 17 '05 #7
Pedro Graca <he****@hotpop.com> wrote in message news:<2h************@uni-berlin.de>...
<snip>

$_SESSION['embed_time'] = time();
echo '<img src="img.php">';
and in img.php

define('MAX_SECONDS_FOR_EMBEDDED_IMAGES', 10);
if (isset($_SESSION['embed_time']) &&
$_SESSION['embedded']+MAX_SECONDS_FOR_EMBEDDED_IMAGES < time()) {
// image is embedded
} else {
// image is not embedded
}

HTH


that seems like it'd only work, though, if i had control over the page
that was loading the image. what if i don't?

so i guess what i'm asking is...

how can i tell if an image is being loaded as part of a direct link
that someone clicked on, ie:

http://www.website.com/image.jpg

or if it's in an html img tag, ie:

<img src='http://www.website.com/image.jpg'>
Jul 17 '05 #8
yawnmoth wrote:
so i guess what i'm asking is...

how can i tell if an image is being loaded as part of a direct link
that someone clicked on, ie:

http://www.website.com/image.jpg

or if it's in an html img tag, ie:

<img src='http://www.website.com/image.jpg'>


AFAICS you can't tell the difference between them.

For the server (www.website.com) both requests look exactly alike.
Myabe, just maybe, you can use the Referer, but as you said before, that
is not trustworthy.

--
USENET would be a better place if everybody read: : mail address :
http://www.catb.org/~esr/faqs/smart-questions.html : is valid for :
http://www.netmeister.org/news/learn2quote2.html : "text/plain" :
http://www.expita.com/nomime.html : to 10K bytes :
Jul 17 '05 #9
"Steven C. Gallafent" <st***@compguy.com> wrote in message news:<10*************@corp.supernews.com>...
"Pedro Graca" <he****@hotpop.com> wrote in message
news:2h************@uni-berlin.de...
Won't it be easier if you just set a flag in the PHP script that generates the <img> tag and unset it in the script that generates the image?


Yes, it will :)
Thank you for pointing that out.


It breaks the capabilities to serve files to multiple users at once:

00:00:00.00 -- User 1 requests home page - Flag gets set
00:00:00.25 -- User 2 requests home page - Flag gets set
00:00:00.50 -- User 1 requests image - Flag gets unset
00:00:00.75 -- User 2 requests image - Flag is unset, so request is denied


I think, Chung is telling about setting the flag in session. In
that case, I don't see any user conflicts as you suggest 'coz session
for each users will be different. But, I agree that the solution is
not _much_ viable.

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
Jul 17 '05 #10

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

1 post views Thread by Phil Powell | last post: by
2 posts views Thread by Tiro Orsa | last post: by
14 posts views Thread by D. Alvarado | last post: by
1 post views Thread by D. Yates | last post: by
reply views Thread by =?Utf-8?B?Q2hha3JhdmFydGh5?= | last post: by
reply views Thread by levi2713 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.