PHP Security Issue

If they're outside of the webroot, ie:

where safe is the location of user_photos and user_articles, it shouldn't matter whether the user can see the location of the files because they're stored somewhere where they are inaccessible to the browser.

If I am misunderstanding, please correct me.

Markus.

Hi
The problem is that if you don't allow the user to have access to an image then you can not use the image in a HTML because the user will still need access to view it.

But there is one thing I could come up with to protect images.

Put your images in a folder which users don't have access to. Then you can use PHP GD to serve the image only to a specified user.

Here is the code to serve the image by PHP GD:
imageviewer.php
Then as the SRC of your image tags of your HTML code use the above PHP file like this:

There are currently many websites using this method to protect their photos.
In some websites when you right click on an image and go to properties the only address you can see is a PHP file.

And don't forget that GD must be enabled on the server you are excuting your script on. Most of the servers have GD enabled by default.

Hope this helps you

Hi.

And alternate way of serving images through a PHP file would be to simply set the appropriate headers and read the contents of the file into the output buffer:
This would not require the GD extension and would work regardless of the image type.
Also, this should use less memory than it's GD counterpart, as the image would not need to be loaded into memory before it is sent. (Although that would depend on the internals of the readfile function)

Thanks Guys!

that was very helpful!

U ROCK!

Hi.

And alternate way of serving images through a PHP file would be to simply set the appropriate headers and read the contents of the file into the output buffer:

Expand|Select|Wrap|Line Numbers

1. <?php
2. $file = "/path/to/file.jpg";
3. $info = getimagesize($file);
4. header("Content-Type: ". $info['mime']);
5. header("Content-Length: ". filesize($file));
6. readfile($file);
7. ?>
8.  

This would not require the GD extension and would work regardless of the image type.
Also, this should use less memory than it's GD counterpart, as the image would not need to be loaded into memory before it is sent. (Although that would depend on the internals of the readfile function)

Dear,
Help out here plz. I actually like ur tip cos it takes less memory, but how wld i ve to it from a function? I need to call it from various files, send paramters, then store the image that i can use in img src?

It's like bnashenas says. You will have to put this code into a seperate file which is called by an <img> tag's src attribute.

The code acts as an image, so it can not be called directly from your other scrips. You have to let the browser call it as an image.

Like, for example, if I did this:
And put this into a file name "imageviewer.php".

I could use this to show the images.
The first 3 would show images 0 to 2 from the array, but the last one would show the error image.