
Passing Variables Through url without seeing them in the url string

I have a page which creates thumbnails with or without watermarks from a source image using GD.

Basically all I have to do is, on the page I want the thumbnail picture to appear I use:

[code=php]<img src="imagethumb.php?s=$url&w=100" border="0">[/code]

where $url is the url of the source Image e.g.

$url = "/Images/mypics/image1.jpg"

In imagethumb.php I just use $_GET['s'] to get the path of the source image and manipulate it. The page then just returns the manipulated image which is why you can call the page in the IMAGE tags.

Doing this, however, it is possible for someone to get the path to the image, $url, just by viewing the source of the page. I was wondering, is there any way of passing $url to the imagethumb.php page either through the url string or some other way so that no one can see the $url string/value?

I cannot use a hidden form element as a form is not being submitted.

Any help is greatly appreciated,

Kosh


17 Comments(s)

@SpectreReturns May 28.2005 — Set up a database which contains id and photolink. When looking at the php image file, send the id, connect to the database, check where id={id you passed}, then return that.
@koshthetrekkie (author) May 28.2005 — Thanks Spectre, I had considered this option but I have a page that has quite a few thumbnails on it and basically for each time I generate the thumbnail, I would have to create a row in the db, call the imagethumb.php, extract the row, create the thumbnail, and delete the row.

I now have 5 operations where I previously had 2. And this is for every picture on the page. With a lot of images on the page this is extra processing overhead that I'd like to avoid IF POSSIBLE. I could use cookies as well but I would prefer not to in case they are disabled on the client browser. Plus they can be easily read. I realise using a DB may be the only way to go but if anyone has any ideas I'd be grateful.

Thanks,

Kosh
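A stateless way to keep `$url` out of the page source without a database row per thumbnail, shown as an added example that is not part of the original thread: the page encrypts the relative path into an opaque token and imagethumb.php decrypts and validates it. The parameter name `t`, the function names and the key handling are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed names: parameter "t",
// make_token(), resolve_token(), and a 32-byte key kept outside the web root.

function make_token(string $relPath, string $key): string {
    $iv = random_bytes(12);                       // fresh nonce for every token
    $ct = openssl_encrypt($relPath, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return bin2hex($iv . $tag . $ct);             // hex is URL-safe as-is
}

function resolve_token(string $token, string $key, string $root): ?string {
    // 12-byte nonce + 16-byte tag + at least 1 byte of ciphertext = 58 hex chars.
    if (strlen($token) < 58 || strlen($token) % 2 !== 0 || !ctype_xdigit($token)) {
        return null;
    }
    $raw = hex2bin($token);
    $rel = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                           substr($raw, 0, 12), substr($raw, 12, 16));
    if ($rel === false) {
        return null;                              // altered or forged token
    }
    // Defence in depth: the resolved file must still sit under the gallery root.
    $rootReal = realpath($root);
    $full = realpath($root . '/' . $rel);
    if ($rootReal === false || $full === false || !is_file($full)
        || strncmp($full, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo: a throwaway gallery with one placeholder file.
$root = sys_get_temp_dir() . '/gallery_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/category1', 0700, true);
file_put_contents($root . '/category1/image1.jpg', 'placeholder bytes');
file_put_contents($root . '_outside.jpg', 'placeholder outside the gallery');
$key = random_bytes(32);

$token = make_token('category1/image1.jpg', $key);
echo '<img src="imagethumb.php?t=' . $token . '&w=100" border="0">', "\n";
var_dump(resolve_token($token, $key, $root));     // valid token for image1.jpg

$tampered = $token;
$tampered[57] = $tampered[57] === '0' ? '1' : '0'; // flip one ciphertext nibble
var_dump(resolve_token($tampered, $key, $root));   // fails the authentication tag

$outside = make_token('../' . basename($root) . '_outside.jpg', $key);
var_dump(resolve_token($outside, $key, $root));    // decrypts, but resolves outside the root
```

Because every token uses a fresh nonce, the image URL changes on each page view. The token keeps the path out of the page source but does nothing for originals that remain directly reachable under the web root.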
@SpectreReturns May 28.2005 — Why would you render them each time? Just make it include an image file from a hidden directory.
@koshthetrekkie (author) May 28.2005 — Basically I have a page with a lot of thumbnails of a lot of images from different directories. They are all in a main directory /Images/gallery. However there are numerous subfolders in this directory and each image will have a different $url depending on the subdirectory it is in.

e.g. /Images/gallery/category1/image1.jpg

/Images/gallery/category1/image2.jpg

/Images/gallery/category2/image2.jpg

/Images/gallery/category1/category3/image3.jpg

etc. Therefore $url can be different for images on the same page. Hence each time I call imagethumb.php the passed image may have a different $url than other images so I would need to store the $url for each pic, and invoke imagethumb.php on it before moving on to the next thumbnail.
@chrys May 28.2005 — Why don't you create a thumbs directory in every directory you have and automatically create a thumb for all your images... it will speed up your site a lot. Rendering a thumbnail w/ PHP on every load is going to take a toll on performance.
@koshthetrekkie (author) May 28.2005 — Yeah, I know the performance suffers a bit but I have a large amount of pictures and having to create thumbnails of each of them and upload both thumbnail and picture to appropriate directories is just annoying.

Besides the guys that will be maintaining the site have very little experience in image manipulation. They just want to be able to ftp a directory of photos onto the server and have everything else done for them, gallery updating, thumbnail creation and watermarking.

This does result in the page taking 7-8 seconds to load instead of 3-4 normally if thumbnail supplied. Every page has only 6 thumbnails at the moment but these are dynamically created from whichever category you browse and are sorted into pages.

I have warned them of this issue, and although at the moment this load on the server is not causing any noticeable problems, if it does the only thing I have to do is change the IMG tag to point to the corresponding thumbnail for each image instead of the imagethumb.php page. However again, they just seem to want everything automated so that in the future you just upload an image and the thumbnail creation and watermarking are done for you.

Again in either case they don't want the images to be downloaded without the watermarks and the only way they can do that at the moment is to view the source of the page and find the path to the real image and just type it into the browser. I realise thumbnailing and watermarking the original images is the safest way to go but they don't want this either, so I'm doing a lot of scripting and workarounds for them.
@SpectreReturns May 28.2005 — Why not create the thumbnail as you upload the picture, then just link to it whenever you need it?
@ShrineDesigns May 28.2005 — [QUOTE]Why not create the thumbnail as you upload the picture, then just link to it whenever you need it?[/QUOTE]
that would work best because gd uses a lot of system resources
@koshthetrekkie (author) May 28.2005 — How would you create a thumbnail uploading via ftp?

Would you mean to do something like setup a php page to upload the images and then create the thumbnail image and save it to the folder it's uploading the images to? Again slight problem with this in that I have to watermark the main image as well as do a thumbnail of it and they do not want the main image changed at all in case they lose the original (as they have been prone to do with other images in the past). And if I wanted to resize the thumbnails later on or change the watermark I would have to redo all the thumbnails/images previously created/uploaded.

To be honest I have not had a big issue with GD yet. Its processing seems to only be 7-8 secs per page of 6 thumbnails, whereas 3-4 secs without using GD. I have kept the number of images per page small to allow for some server strain. I have a good webhost and good reliable servers so it's not really an issue yet. But again if it does become a problem all I have to do is change the image tag to point to the thumbnail image instead of calling the imagethumb.php page, and do it the other way.

I know this is all being picky but I have my orders. They basically want a seriously dynamic site. So basically all they do is upload a directory of images and whichever watermark they want to use and each time someone views the page they get a watermarked thumbnail, and then click for a watermarked full image. Because we're using GD in this way with dynamic images directory paths that keep changing, hiding the different image paths is the only security hole left to iron out.
@bokeh May 29.2005 — I don't understand why you are trying to hide the image path. They are either in a public directory for public use or they should be stored in a non-public directory and served to the correct people using php. You don't need to render each thumbnail image every time it is viewed. You could put all your thumbnails in a directory and then check in that directory to see if the thumbnail exists before making a new one. If you do make a new one store it in the thumbnail directory as well as sending it to the browser so it can be used in the future.
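The check-then-generate cache described above, as an added example that is not code from the thread. The cache key includes the width and the watermark's modification time, so a new size or a new watermark regenerates thumbnails on the next request; the function name and directory layout are assumptions.

```php
<?php
// Added example, not code from the thread. cached_thumb() and all paths
// are assumptions; requires the GD extension.

function cached_thumb(string $src, int $width, string $watermark, string $cacheDir): string {
    // The key covers source, watermark and width, so changing any of them
    // produces a new cache entry instead of serving a stale thumbnail.
    $key = sha1(implode('|', [$src, filemtime($src), $watermark, filemtime($watermark), $width]));
    $out = $cacheDir . '/' . $key . '.jpg';
    if (is_file($out)) {
        return $out;                               // cache hit: no GD work at all
    }
    $img = imagecreatefromjpeg($src);
    $w = imagesx($img);
    $h = imagesy($img);
    $th = max(1, (int) round($h * $width / $w));   // keep the aspect ratio
    $thumb = imagecreatetruecolor($width, $th);
    imagecopyresampled($thumb, $img, 0, 0, 0, 0, $width, $th, $w, $h);

    $wm = imagecreatefrompng($watermark);
    imagealphablending($thumb, true);              // blend using the PNG's alpha channel
    imagecopy($thumb, $wm, max(0, $width - imagesx($wm)), max(0, $th - imagesy($wm)),
              0, 0, imagesx($wm), imagesy($wm));

    $tmp = $out . '.' . bin2hex(random_bytes(4)) . '.tmp';
    imagejpeg($thumb, $tmp, 85);
    rename($tmp, $out);                            // publish atomically
    return $out;
}

// Constructed demo: build a source JPEG and a transparent PNG watermark.
$dir = sys_get_temp_dir() . '/thumb_demo_' . bin2hex(random_bytes(4));
mkdir($dir . '/cache', 0700, true);
$srcImg = imagecreatetruecolor(400, 300);
imagefill($srcImg, 0, 0, imagecolorallocate($srcImg, 200, 220, 240));
imagejpeg($srcImg, $dir . '/image1.jpg');
$wmImg = imagecreatetruecolor(40, 20);
imagesavealpha($wmImg, true);
imagealphablending($wmImg, false);
imagefill($wmImg, 0, 0, imagecolorallocatealpha($wmImg, 0, 0, 0, 127));
imagefilledrectangle($wmImg, 5, 5, 35, 15, imagecolorallocatealpha($wmImg, 255, 255, 255, 40));
imagepng($wmImg, $dir . '/watermark.png');

$first  = cached_thumb($dir . '/image1.jpg', 100, $dir . '/watermark.png', $dir . '/cache');
$second = cached_thumb($dir . '/image1.jpg', 100, $dir . '/watermark.png', $dir . '/cache');
$wider  = cached_thumb($dir . '/image1.jpg', 150, $dir . '/watermark.png', $dir . '/cache');
var_dump($first === $second, $first !== $wider, getimagesize($first)[0]);
```

The originals are never modified, and old cache entries can be deleted at any time because they are rebuilt on demand.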
@koshthetrekkie (author) May 29.2005 — Yes having created thumbnails is all very well but if you'd read my replies above you'd see that I have a lot of images, which will have watermarks placed on them. And if the site administrators want to change thumbnail size or what watermark is to be used this time for the thumbnails (which they say they plan to do frequently) then they basically need to create new thumbnails every time for each image.

They do not want to have to do this and have asked me if there is a way to do it "on-the-fly" so all they have to do is upload new pics via ftp, change the width and height variable if required and upload a new watermark image when they want to change the watermark on their images.

I have tried to tell them repeatedly that this will increase server load and that the original image path is visible and so the original unmarked images are currently accessible as putting them in a non-public directory is something I do not have access to do at the moment. Also they do not wish to have to do image creation and manipulation at all, creating and recreating thumbnails all the time is beneath them so I'm stuck with it.

I didn't want to have to create php pages that will take a watermark image and thumbnail height and width and then scan all the gallery's sub-directories and create thumbnails and watermark all their images as basically they're not paying me for this.

Although this seemed like a quick and easy compromise to use GD to do this "on-the-fly", quite frankly this way is turning out to be more trouble than it's worth as I have had trouble managing to get GD to respect transparency in GIF and PNG images of all types, using both alpha and index transparency, so when images are merged together to make one image using GD everything that is supposed to be transparent is black, so you basically end up with the watermark image over a black background.

This "on-the-fly" approach seemed like a very good thing when I first started to explore it but it's becoming a php thorn in my side and just seems to have too many drawbacks. I may just tell them they'll have to create thumbnails themselves and just accept it. :p
@bokeh May 30.2005 — [QUOTE]I have tried to tell them repeatedly that this will increase server load and that the original image path is visible and so the original unmarked images are currently accessible as putting them in a non-public directory is something I do not have access to do at the moment.[/QUOTE]

Why not? The http root directory has always been in a non-public, user accessible, parent directory on every server I have ever seen and serving up these files is easy. Here's the php:
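[code=php]
<?php
// Stream one image stored outside the web root to the browser.
$file = '/path/to/non-public/directory/' . 'filename.ext';

header("Content-Type: image/jpeg");
header("Content-Disposition: inline");
@readfile($file); // @ suppresses warnings so they cannot end up in the image output

?>
[/code]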


I don't know what sort of operation you are running but if you are a professional you should be telling the client what to do, not the other way round.
@koshthetrekkie (author) May 30.2005 — Not a client, favour for people I know. I don't have access to their server at all. I know nothing about the server paths or how they have their site set up. I suppose I could just do something like:

[code=php]
$path = '/Images/path/to/whatever';
[/code]

as long as they put the files in the main http root directory. Again I do not know if their host allows this as they may be using subdomains for their site's hosting :eek: (from what they tell me the hosting is dodgy) but they won't give me access to their server. I'm developing this on my own server so that all they have to do is upload the directory I give them and everything will work if images are placed in the folders in my created directory. If I could hide the image paths everything would be alright security wise for most users as they won't know where the images come from and would have to scan the site which most users won't bother to do. I don't even have .htaccess capability to do anything securitywise either.

Like I said this is proving to be a very annoying and troubling favour I'm doing. :mad:
@bokeh May 30.2005 — Security by obscurity is no security at all!

Regarding the path, it does not matter in what directory the php file calling the image is located. You would just use something like this:

[code=php]
$file = 'filename.ext';
$path = $_SERVER['DOCUMENT_ROOT'] . '/path/to/images/from/root/';
$combined = $path . $file;
[/code]


Also if you design so the images are public when they shouldn't be you will be the one who is sued when the images are stolen.
@koshthetrekkie (author) May 30.2005 — Yep but I'm just doing what I've been told to do. Don't shoot the messenger. Basically from what I've been told the images are just ftp'd to their http directory where the index html files are stored, from http://www.mysite.com/

All folders below this are public and I have nothing to do with it. I'm not even sure if they can ftp above this. I have a feeling the site is hosted in the subdirectory of another account, e.g. mysite.hostingcompany.com points to www.mysite.com. They have little control and not many features. Again they won't let me have access to the servers so I have no idea really what's going on. I just got my orders. They want the images stamped on the fly keeping the originals intact so they can point people to them if need be.

To be honest I'm really getting fed up with it all but I'm just trying to explore everything before I give up. They're being very uncooperative which is why I'm trying to build a self contained gallery section with as much security as I can with my non-existent access.
@bokeh May 30.2005 — The other way is to use .htaccess to control access to the directory containing the image. From what you are saying I am guessing you are doing this for a friend or family member, not as a professional.
@koshthetrekkie (author) May 30.2005 — Yep you got it. If I was doing this as a professional they'd have been switched to a decent hosting company and the site developed properly (for a modest fee of course). But from the amount of time I've spent on this I should be charging this, especially for the hassle it's causing me but then that's always the case when you're doing something "for a friend" instead of a client.

Oh and there is no .htaccess editing capability :eek: host doesn't allow it, apparently they ignore all .htaccess files, just use their main one so I'm screwed again. I think I must have SUCKER stamped on my head when it comes to my mates.