[PHP] Block direct image loads but allow them in PHP
Hi

I have a bit of a problem which might just be due to my lack of knowledge with Apache.

Basically, what I want to do is to *not* allow users to enter particular URLs in their browser (namely to *.jpg and *.xml files under a particular directory, let's call it "imagesDir"). However, I can't simply Deny all or stick a .htaccess in the folder because I *do* want these images to load from within a particular PHP file I have coded.

I originally thought that I could stick a .htaccess file in the images folder and just set the AUTH_USER sort of variables from within the PHP but that didn't work--it still prompted me for a login (understandably so, but worth a try). I have also tried to see about modifying my httpd.conf file, but I'm afraid I'm not terribly knowledgeable in this area. :-/

Any suggestions? Also, in case it matters, I'm running Apache on Mac OS X.

Thanks in advance!

-m^2

__
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
__

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Block direct image loads but allow them in PHP
If the user knew the actual URL of the image though, wouldn't they be able to get around a script like this by simply typing it into their web browser?

Thanks! :-)

> On 02/15/03 10:55 AM, "Marco Tabini" <[EMAIL PROTECTED]> wrote:
> I guess the easiest would be to filter those images through a php
> script. Your PHP script would perform whatever checks are needed (for
> example, you could check the HTTP_REFERER variable, or a shared token
> with the originating PHP script) and then output the image only if it's
> appropriate to do so. This way, your images would not be accessible to
> your users at all--unless you wanted them to be.

-m^2
Re: [PHP] Block direct image loads but allow them in PHP
Perhaps you could further describe such a method? I'm sorry, I just don't quite see how this will block the files. Perhaps I should further explain my situation.

The script that I will distribute will always make use of a very particular directory structure. In "imageDir", there will always be a specifically named XML file that points to a bunch of images in the directory. However, given security checks that I put in my script, not all of those images should be publicly viewable. However, if a savvy user were to just load this XML doc up in their web browser, they will have a complete listing of URLs to all of my images. I cannot modify this XML file. (which is why I want to block a user from loading, say myserver.com/imageDir/picture.jpg)

Will your proposed idea still work in this situation?

Thanks for your help and patience in this matter. :-)

On 02/15/03 11:09 AM, "Marco Tabini" <[EMAIL PROTECTED]> wrote:
> Only if you let them. The PHP script allows you to put the appropriate
> checks in place. For example, if you use sessions, you can verify that
> the session is still valid and that the user has, indeed, the right to
> access that image. At a later time, even if another user types in the
> same URL but does not have a valid session (or a variable inside the
> session that contains the right data), you would be able to block him
> from reading the image.
>
> Cheers,
>
>
> Marco

-m^2
Re: [PHP] Block direct image loads but allow them in PHP
I hadn't considered that before. Thank you. :-)

The reason why though is that Mac OS X comes with permissions set by default so that Apache can't wander outside of the publicly accessible folder (~/Sites/). The script that I have written is something that I intend to distribute to other Mac users and I would rather not reduce the security that they already have preset on their machines as part of installing my script as I think that would deter people from adopting it.

Do you have any other suggestions? :-/

On 02/15/03 11:50 AM, "Marco Tabini" <[EMAIL PROTECTED]> wrote:
>
> Yes--but you need to make the image inaccessible to the outside (simply
> put them in a folder that can't be seen from the web).
>
> Here's an example. Suppose you have a script called page.php that needs
> an image called img.jpg. Instead of calling img.jpg, you call another
> script, serveimage.php as follows:
>
>
>
> Now, in serveimage.php you do this:
>
> <?php
>
> $img = $_GET['img'];
>
> // First, check that the user is not trying to trick us
> // into revealing a file that we shouldn't reveal.
> // Note: this is a *very* simplistic approach--you will probably
> // want to add your own
>
> if (strpos ($img, '/') !== false)
>     die('Invalid file name');
>
> // Now, check if the user has permission to this file. You don't
> // explain how you do this, so I'll leave this to an external
> // function called check_permission ($file) that returns true if the
> // user is able to see that file and false otherwise
>
> if (check_permission ($img))
> {
>     // Tell the browser this is an image
>     // Note, you will probably have to change this depending
>     // on the file type
>
>     header ('Content-type: image/jpeg');
>     readfile ($img);
> }
> else
>     die ("Unauthorized access");
>
> ?>
>
> Essentially, what I'm doing is I'm replacing a file with a script that
> first checks the permissions and then, if the user is authorized,
> outputs the file to the browser. This way, if the user is not authorized
> to download a file, it will be blocked. Obviously, the files themselves
> should be inaccessible to the web *except* through your scripts.
>
> Hope it's a bit clearer now!
>
> Cheers,
>
>
> Marco

-m^2
Re: [PHP] Block direct image loads but allow them in PHP
Thank you, this looks like the kind of thing I'm looking for. I'll have to give this a shot and see how it goes. :-)

On 02/15/03 8:44 PM, "Justin French" <[EMAIL PROTECTED]> wrote:
> Using Apache's main config file (or at a per-directory level using a
> .htaccess file), you need to block all .jpg, .jpeg, .gif, .png, .bmp, etc
> etc files from being *directly* served via http.
>
> I'm not too good with Apache yet, but an example would be:
>
>
> Order Allow,Deny
> Deny from all
>
>
> Order Allow,Deny
> Deny from all
>
>
> Order Allow,Deny
> Deny from all
>
>
> Order Allow,Deny
> Deny from all
>
>
> (you might also choose to block everything in imageDir/, which would also
> include the xml file)
>
>
>
> Then you need to create a script called image.php which:
>
> a) accepts file=.xxx in the URL ($_GET)
> b) sets the appropriate image header
> c) passes the image file through
>
> Instead of you calling
>
>
> You would call
>
>
>
> You also need to ensure that users can't directly call image.php?file=
> picture.jpg in the browser, which can also be done with apache / .htaccess
> files.
>
>
>
> Order Allow,Deny
> Deny from all
>
>
>
>
> There's plenty of examples of passing images through in the manual... in
> particular one of the user-contributed notes by "lists at darkcore dot net
> 08-Aug-2002 03:24" at http://php.net/header looks about right.
>
>
> Justin
>
>
> on 16/02/03 3:24 AM, Michael Mulligan ([EMAIL PROTECTED]) wrote:
>
>> Perhaps you could further describe such a method? I'm sorry, I just don't
>> quite see how this will block the files. Perhaps I should further explain my
>> situation.
>>
>> The script that I will distribute will always make use of a very particular
>> directory structure. In "imageDir", there will always be a specifically
>> named XML file that points to a bunch of images in the directory. However,
>> given security checks that I put in my script, not all of those images
>> should be publicly viewable. However, if a savvy user were to just load this
>> XML doc up in their web browser, they will have a complete listing of URLs
>> to all of my images. I cannot modify this XML file. (which is why I want to
>> block a user from loading, say myserver.com/imageDir/picture.jpg)
>>
>> Will your proposed idea still work in this situation?
>>
>> Thanks for your help and patience in this matter. :-)
>>
>> On 02/15/03 11:09 AM, "Marco Tabini" <[EMAIL PROTECTED]> wrote:
>>> Only if you let them. The PHP script allows you to put the appropriate
>>> checks in place. For example, if you use sessions, you can verify that
>>> the session is still valid and that the user has, indeed, the right to
>>> access that image. At a later time, even if another user types in the
>>> same URL but does not have a valid session (or a variable inside the
>>> session that contains the right data), you would be able to block him
>>> from reading the image.
>>>
>>> Cheers,
>>>
>>>
>>> Marco
>>
>>
>> -m^2
>>
>> __
>> Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
>> spread!
>> __
>>
>>
>

-m^2
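Added example, not part of the thread and not Marco's or Justin's code: one way to write the gatekeeper script that Marco's serveimage.php and Justin's image.php steps (a)-(c) describe, with a stricter file-name check, a containment check on the resolved path, and a session-based permission check. The image directory location, the `allowed_images` session key and the helper names `deny()` and `resolve_image()` are assumptions made for illustration.

```php
<?php
// serveimage.php -- added illustration, not code from the thread.
// Assumptions: images live in IMAGE_DIR (a directory Apache refuses to serve
// directly), and the calling page stored the file names this visitor may see
// in $_SESSION['allowed_images'] (hypothetical key).
session_start();

const IMAGE_DIR = __DIR__ . '/imageDir';   // hypothetical location
const MIME_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($message);
}

// Resolve a requested name to a real file inside IMAGE_DIR, or null.
function resolve_image(string $name): ?string
{
    // Accept only a bare file name: no directory separators, no NUL byte.
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $name);   // resolves ".." and symlinks
    if ($base === false || $path === false) return null;
    // The resolved path must still sit inside the image directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) return null;
    return is_file($path) ? $path : null;
}

$name = isset($_GET['img']) && is_string($_GET['img']) ? $_GET['img'] : '';
$path = resolve_image($name);
if ($path === null) deny(404, 'Not found');

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset(MIME_TYPES[$ext])) deny(404, 'Not found');   // serve known image types only

// Authorization: the file must be on this session's allow-list.
$allowed = $_SESSION['allowed_images'] ?? [];
if (!in_array($name, $allowed, true)) deny(403, 'Unauthorized access');

header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The calling page fills `$_SESSION['allowed_images']` after running its own permission checks, so the same URL pasted into a browser without that session gets a 403 rather than the image.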
Re: [PHP] Block direct image loads but allow them in PHP
So I implemented this the other day and got excited as it worked...sort of. My code is very similar to the link that you suggested. This is the script that I would call from within an :

if(isset($i)) {
    //codeImageURL decodes $i into an image path that we can work with
    $link=codeImageURL($i);
    if($link!="" && (isAdmin() || !isThisFileBlocked($link))) {
        header("Cache-control: private");
        header("Content-type: image/jpg");
        header("Content-Disposition: attachment; filename=".$link);
        $fp = fopen($link, 'r');
        fpassthru($fp);
        fclose($fp);
    }
    else
        echo "Error: Couldn't decode image URL\n";
}

This code seems to work in *some* browsers, but not all. That is, in some browsers, images will display just fine. In other browsers (i.e. some flavors of IE on the PC) I just get red x's. I cannot identify any particular commonality among them and I was wondering if you have any suggestions to make this work?

Thanks in advance!

On 02/15/03 8:44 PM, "Justin French" <[EMAIL PROTECTED]> wrote:
> Using Apache's main config file (or at a per-directory level using a
> .htaccess file), you need to block all .jpg, .jpeg, .gif, .png, .bmp, etc
> etc files from being *directly* served via http.
>
> I'm not too good with Apache yet, but an example would be:
>
>
> Order Allow,Deny
> ...
>
> Then you need to create a script called image.php which:
>
> a) accepts file=.xxx in the URL ($_GET)
> b) sets the appropriate image header
> c) passes the image file through
>
> Instead of you calling
>
>
> You would call
>

-m^2
Re: [PHP] Reading remote image into a file and displaying..
More specifically (since I just dealt with this issue myself), use fpassthru (and be sure not to fclose the file pointer as it's automatically done by fpassthru)

On 02/20/03 12:47 PM, "Mincu Alexandru" <[EMAIL PROTECTED]> wrote:
> use header("Content-type: image/jpeg"); and then you can echo its
> content.
> On Thu, 2003-02-20 at 17:30, Chad Day wrote:
>> I'm trying to get weather channel information without using their form to
>> submit the zip code .. the url format is :
>>
>> http://oap.weather.com/fcgi-bin/oap/generate_magnet?loc_id=$ZIP&code=689861&destination=$ZIP
>>
>> so I tried:
>>
>> $weatherfile =
>> readfile("http://oap.weather.com/fcgi-bin/oap/generate_magnet?loc_id=$_SESSION[ZIP]&code=689861&destination=$_SESSION[ZIP]");
>> echo $weatherfile;
>>
>> but of course it just outputs the raw image data .. I tried echoing it out
>> in a img src tag, same result. Is there some function I'm unaware of that
>> will help me out here?
>>
>> Thanks,
>> Chad

-m^2
Re: [PHP] mail() with OSX
It has sendmail installed but you need to look into activating it as it is not enabled by default (I don't know how off the bat, but google should help)

Hope this helps

On 07/02/03 11:07 PM, "Justin French" <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I've googled, but to no avail... I have apache 1.3.x, php 4.3.2 and
> mysql on my new g4 under OSX 10.2.6, and most stuff seems to be working
> fine, but i just did a test using mail() and it didn't work out... no
> error in the apache log, no error on the screen.
>
> Obviously PHP can't find sendmail... Where should I be looking
> (httpd.conf? php.ini?), what should it be set to?
>
> Does OSX even HAVE sendmail straight out of the box?
>
> TIA
> Justin
>

-Mike
Re: [PHP] Get Rid of this Crook
I think this revenge is a bit (longer) more of a fun read ;-)

http://www.scamorama.com/threebucks.html

On 07/04/03 12:40 AM, "erythros" <[EMAIL PROTECTED]> wrote:
> that was the coolest thing i've read in a while... (considering i just read
> the latest harry potter book)
> what a way to get those guys back.

-Mike
[PHP] UTF-8 encoding/decoding
Hi

So say I have some UTF-8 (not certain, but probably in UTF-8 format, I need to check some more) encoded text. The text comes in encoded already, so it's not an htmlspecialchars kind of quick fix.

For instance, I get 'Ãª' and I want to output 'ê'--how do I convert from the two high ASCII characters to the one special character? Are there built-in functions for this?

Thanks in advance

-m^2
Re: [PHP] Googlebot
Googlebot visits my site occasionally and follows a lot of my PHP links with long query strings...

-Mike

On Jan 28, 2004, at 8:34 AM, Jon Bennett wrote:

Does that go for internal links in your site then ??? news.php?start=10 etc ???

Could be tricky writing dynamic pages then.

Thanks,

Jon