I am trying to protect images so only the server and php scripts can display images and not let the user type in the absolute path to the browser to get the image.
For example, the user will be denied if they type in
[url]http://www.domain.com/images/image.png[/url]
But the script can access the image and display it on the page by using
<img src="images/image.png">
I found this online which reads,
The best way of handling file uploads securely is, rather than giving writable permissions to users, to allow the writable permission to apache itself. In this way the apache server has writable permission rather than the user. Just chown the writable folder to apache or nobody and assign 770 permission.
In this way the public has no access to read or write or execute permissions in the uploads folder. You will notice that apache has rwx and so as the owner. You can safely place the upload folder inside www folder without any concern.
[code]
chown -R apache uploads
chmod -R 770 uploads
[/code]
If anybody tries to access the uploads folder, through URL you will see forbidden. Because apache is the group owner you will have no problem in displaying the images or photos to the browser.
<img src="uploads/file02929.gif">
Now this does work by blocking the user from typing in the path to the image. However, my scripts cannot view the image either. Is there a way to make this work to allow access to the image through my php script?
[code=html]<img src="/path/to/image_display.php?imgid=123/imagename.jpg" />[/code]
[code=php]
<?php
//image_display.php
/*
Query the database based on the GET id (protect from SQL injection) and retrieve the info you need to build the image.
Here's a simple jpg example but using a switch() you can retrieve the mime type from the database and select the appropriate header().
is_numeric() is used here as a very simple validation on the id.
*/
$imgid = isset($_GET['imgid']) ? $_GET['imgid'] : '';
$myFile='/subscription/'.(is_numeric($imgid)?$imgid:'error').'.jpg';//or get path info from database.
$fh = fopen($myFile, 'r');
if ($fh === false) {
// do not send an image header when the file cannot be opened
header('HTTP/1.1 404 Not Found');
exit;
}
header('Content-Type: image/jpeg');
$size=filesize($myFile);
$theData = fread($fh, $size);
fclose($fh);
echo $theData;[/code]
[code=php]
if( [user is not authorized to view protected files] ) {
header('HTTP/1.1 403 Forbidden');
exit;
}
$filepath = [ protected files base directory ].rawurldecode($_GET['name']);
if( !file_exists($filepath) ) {
header('HTTP/1.1 404 Not Found');
exit;
}
// set an appropriate content-type for the requested file
header('Content-Type: image/jpeg');
fpassthru($filepath);
[/code]
[code=php]
echo '<img src="file_guard.php?name=', rawurlencode([ protected file name ]), '" />';
[/code]
[code=php]
// if the path of the requested protected file does not start with the base path
if( strpos(realpath($filepath), $basepath) !== 0 ) {
header('HTTP/1.1 403 Forbidden');
exit;
}
[/code]
I should also mention that this script poses some security risk as it allows access to files outside the webroot. Make sure you do not allow the script to provide access to files outside your protected files base directory if someone requests for example file_guard.php?name=... .. .. .. .. .somefile
[/QUOTE]
[code=php]$file'.jpg' [/code]
I need to access both pdf and png files in the 'above the root' directory. All are stored in separate directories such as 2009-03-05 may have Page-01.png Page-01.pdf Page-02.png Page-02.pdf etc. Another folder in the same directory may be named 2009-03-06 with the same file names.
[/QUOTE]
[code=php]
<a href='file_guard.php?name=2009-03-05/Page-01.pdf'><img src='file_guard.php?name=2009-03-05/Page-01.png'></a>
<a href='file_guard.php?name=2009-03-06/Page-02.pdf'><img src='file_guard.php?name=2009-03-06/Page-02.png'></a>
[/code]
I do not understand how to do this because you can't have multiple headers in a file, can you?
[/QUOTE]
[CODE]
$filepath = "home/username/subscribe/test/2009-03-05".rawurldecode($_GET['name']);
if( !file_exists($filepath) ) {
header('HTTP/1.1 404 Not Found');
exit;
}
// set an appropriate content-type for the requested file
header('Content-Type: image/png');
fpassthru($filepath);
[/CODE]
[CODE]
<?php
echo '<img src="file_guard.php?name=', rawurlencode('Page-004.png'), '" />';
echo "<br>";
echo '<img src="home/username/subscribe/test/file_guard.php?name=', rawurlencode('Page-004.png'), '" />';
?>
[/CODE]
[code=php]echo '<img src="file_guard.php?name=', rawurlencode('Page-004.png'), '" />'; [/code]
[code=php]http://www.mysite.com/file_guard.php?name=123.jpg[/code]
I feel like I am from another planet or something.
[/QUOTE]
[code=php]<?php
echo $_SERVER['DOCUMENT_ROOT'];
echo '<br />';
echo $_SERVER['SCRIPT_FILENAME'];
echo '<br />';
echo $_SERVER['SCRIPT_NAME'];[/code]
Is this the right path to use? [/QUOTE]
<b>Warning</b>: fpassthru(): supplied argument is not a valid stream resource[/QUOTE]
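A hardened take on the file_guard.php approach discussed in this thread, as an added example that is not any poster's code: it combines the authorization check, the realpath() containment check and a per-extension Content-Type, so a request such as file_guard.php?name=2009-03-05/Page-01.pdf and one for the matching .png are served by the same script. The base directory, the `subscriber` session key and the type whitelist are assumptions.

```php
<?php
// file_guard.php: added example, not code posted in the thread.
// Assumed (hypothetical): the base directory, the 'subscriber' session key
// used as the authorization check, and the extension whitelist.
session_start();

$basepath = realpath('/home/username/subscribe/test'); // assumed, above the web root
$types = array('png' => 'image/png', 'pdf' => 'application/pdf', 'jpg' => 'image/jpeg');

function deny($status) {
    header('HTTP/1.1 ' . $status);
    exit;
}

if (empty($_SESSION['subscriber'])) {
    deny('403 Forbidden');
}

// PHP has already URL-decoded $_GET, so rawurldecode() is not applied again.
$name = isset($_GET['name']) ? $_GET['name'] : '';
if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
    deny('404 Not Found');
}

// realpath() resolves ../ segments and symlinks; it returns false if the file is missing.
$filepath = ($basepath === false) ? false : realpath($basepath . DIRECTORY_SEPARATOR . $name);
if ($filepath === false || !is_file($filepath)) {
    deny('404 Not Found');
}

// Containment check. The trailing separator stops a sibling directory whose
// name merely starts with the base directory's name from passing as a prefix match.
if (strpos($filepath, $basepath . DIRECTORY_SEPARATOR) !== 0) {
    deny('403 Forbidden');
}

// Each request returns one file, so each response sends exactly one Content-Type,
// picked from the whitelist; other file types in the directory are not served.
$ext = strtolower(pathinfo($filepath, PATHINFO_EXTENSION));
if (!isset($types[$ext])) {
    deny('403 Forbidden');
}

header('Content-Type: ' . $types[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($filepath));
readfile($filepath); // takes a path; fpassthru() needs a handle from fopen()
```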