Re: Securing PHP Code that Creates Images
Steve wrote:
> I have a pretty nice php web site, that's also reasonably secure.
> However, I wrote some php code to create some dynamic images based on
> database data, but I can't figure out how to secure this script?
>
>
> when I reference the php code via img src="myimage.php", none of my
> session variables are available for use in the script. So, without my
> session variables, how am I supposed to ensure that the script is only
> run by a valid user, rather than just anyone who can blindly type in
> random parameters to my image creation script?
>
>
> I'm really stumped on this one.
Make sure the $HTTP_REFERER is from an "allowed" domain... any page on
your site that accesses the php script will have your domain as the
referer... anyone trying to use the script "off domain" will have a
different referer.
I have clients' sites that do not have php on their host, so I whitelist
their domains to access my scripts. It seems to work well...
Fox
************
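
The referer allowlist described in the reply above, combined with a session check in the image script itself, as an added example that is not part of the original thread. The Referer header is supplied by the client, so here it only filters off-site embedding and the session decides access. Assumptions: the host names are constructed, `user_id` is a hypothetical session key set at login, the `id` parameter is hypothetical, and the session variables were missing because the image script never called `session_start()`.

```php
<?php
// myimage.php -- added example, not code from the thread.
declare(strict_types=1);

// Constructed allowlist: hosts whose pages embed the image.
const ALLOWED_REFERER_HOSTS = ['www.example.com', 'client.example.net'];

// True when the Referer header names an allowlisted host.
function referer_host_allowed(?string $referer, array $allowed): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    // Compare the whole host so "www.example.com.other.test" does not match.
    return is_string($host) && in_array(strtolower($host), $allowed, true);
}

function deny(int $status): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit('Access denied');
}

// The Referer is sent by the client, so it only filters off-site embedding.
if (!referer_host_allowed($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_REFERER_HOSTS)) {
    deny(403);
}

// The browser sends the session cookie with the <img> request as well, but
// $_SESSION is only populated after session_start() runs in this script.
session_start();
if (empty($_SESSION['user_id'])) {   // hypothetical key set at login
    deny(401);
}
session_write_close();               // release the session lock before rendering

// Accept the parameter only as a positive integer before it reaches the database.
$chartId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($chartId === null || $chartId === false) {
    deny(400);
}

// Placeholder rendering with GD; the real script would draw from database data.
$img = imagecreatetruecolor(200, 50);
imagestring($img, 3, 10, 18, "chart #$chartId", imagecolorallocate($img, 255, 255, 255));
header('Content-Type: image/png');
imagepng($img);
```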