Fox wrote:
> Steve wrote:
>> I have a pretty nice php web site, that's also reasonably secure.
>> However, I wrote some php code to create some dynamic images based on
>> database data, but I can't figure out how to secure this script?
>>
>>
>> When I reference the php code via img src="myimage.php", none of my
>> session variables are available for use in the script. So, without my
>> session variables, how am I supposed to ensure that the script is only
>> run by a valid user, rather than just anyone who can blindly type in
>> random parameters to my image creation script?
>>
>>
>> I'm really stumped on this one.
>
> Make sure the $HTTP_REFERER is from an "allowed" domain... any page on
> your site that accesses the php script will have your domain as the
> referer... anyone trying to use the script "off domain" will have a
> different referer.
>
> I have clients' sites that do not have php on their host, so I whitelist
> their domains to access my scripts. It seems to work well...
However, you also need to allow the images to be seen if the
$_SERVER['HTTP_REFERER'] is not set; some people install software (or their
browser allows them to) that prevents this information being passed to the
server, and they'll get broken images even though you don't intend this to
happen for those people.
--
Chris Hope - The Electric Toolbox -
http://www.electrictoolbox.com/
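The following is an added example, not code from anyone in this thread. It puts the two pieces of advice above together in an image script: a referer whitelist that also lets requests through when the browser sends no referer at all, plus a session check. Browsers send the session cookie with an `<img>` request just as they do for a normal page, so calling `session_start()` at the top of the image script makes `$_SESSION` available there. The allowed hosts, the `user_id` session key and the `id` query parameter are assumptions for the sake of the example.

```php
<?php
// Added example (not from the thread): image endpoint guarded by a session
// check plus the referer whitelist discussed above.
// Assumption: the login page set $_SESSION['user_id'] after authenticating.
declare(strict_types=1);

session_start(); // the browser sends the session cookie with <img> requests too

// Hosts allowed to embed the image; constructed sample values.
const ALLOWED_REFERER_HOSTS = ['example.com', 'www.example.com'];

function refererAllowed(?string $referer, array $allowedHosts): bool
{
    // No referer at all: allow it, since privacy tools strip the header
    // and those users would otherwise see broken images.
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // malformed referer value
    }
    return in_array(strtolower($host), $allowedHosts, true);
}

function requestAllowed(array $session, array $server, array $allowedHosts): bool
{
    // The session is the real authorization check; the referer only
    // discourages embedding the image from other sites.
    if (empty($session['user_id'])) {
        return false;
    }
    return refererAllowed($server['HTTP_REFERER'] ?? null, $allowedHosts);
}

if (!requestAllowed($_SESSION, $_SERVER, ALLOWED_REFERER_HOSTS)) {
    http_response_code(403);
    exit;
}

// Validate the parameter before it gets anywhere near the database query.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit;
}

// Hypothetical lookup standing in for the real query (use a prepared
// statement there, and check that this user may see record $id).
$label = "record $id";

header('Content-Type: image/png');
$img = imagecreatetruecolor(200, 50);
$bg  = imagecolorallocate($img, 255, 255, 255);
$fg  = imagecolorallocate($img, 0, 0, 0);
imagefilledrectangle($img, 0, 0, 199, 49, $bg);
imagestring($img, 5, 10, 15, $label, $fg);
imagepng($img);
imagedestroy($img);
```

The referer header is set by the client, so anything that is not a browser can send whatever value it likes; treat the whitelist as a hotlinking deterrent, not as authentication. The session check is what actually stops a random visitor from typing parameters into the script, and the integer validation keeps the `id` parameter out of the query string until it has the expected shape.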