#10, 10-12-2004
Fox
Re: Securing PHP Code that Creates Images

Chris Hope wrote:
> Fox wrote:
>
>
>>Steve wrote:
>>
>>>I have a pretty nice php web site, that's also reasonably secure.
>>>However, I wrote some php code to create some dynamic images based on
>>>database data, but I can't figure out how to secure this script?
>>>
>>>
>>>when I reference the php code via img src="myimage.php", none of my
>>>session variables are available for use in the script. So, without my
>>>session variables, how am I supposed to ensure that the script is only
>>>run by a valid user, rather than just anyone who can blindly type in
>>>random parameters to my image creation script?
>>>
>>>
>>>I'm really stumped on this one.

>>
>>Make sure the $HTTP_REFERER is from an "allowed" domain... any page on
>>your site that accesses the php script will have your domain as the
>>referer... anyone trying to use the script "off domain" will have a
>>different referer.
>>
>>I have clients' sites that do not have php on their host, so I whitelist
>>their domains to access my scripts. It seems to work well...

>
>
> However, you also need to allow the images to be seen if the
> $_SERVER['HTTP_REFERER'] is not set;


Think about this for a second... no referer, no see... it's *my*
bandwidth. I don't need anyone hijacking the scripts for their own purposes.

> some people install software (or their
> browser allows them to) that prevents this information being passed to the
> server, and they'll get broken images even though you don't intend this to
> happen for those people.
>
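The referer whitelist Fox describes, written out as an added example (not code from anyone in this thread). It assumes PHP 7.1 or later and a constructed allowlist; the function and variable names are hypothetical. It follows Fox's rule of refusing when no referer is sent, and the comments note the trade-off Chris raises.

```php
<?php
// Added example, not from the thread. Hypothetical names: $allowedHosts, refererAllowed().
// The Referer header is supplied by the browser, so this check limits casual
// off-domain embedding and bandwidth use; it is not a substitute for
// authenticating the user.

$allowedHosts = ['www.example.com', 'example.com']; // constructed sample allowlist

function refererAllowed(?string $referer, array $allowedHosts): bool
{
    // No referer at all: Fox's position is to refuse. As Chris points out,
    // browsers or privacy tools that strip Referer will then show broken images.
    if ($referer === null || $referer === '') {
        return false;
    }

    // Compare only the host part, not the whole string, so a referer such as
    // "http://example.com.other.test/" is not accepted by a substring match.
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // malformed or host-less URL
    }

    $normalized = array_map('strtolower', $allowedHosts);
    return in_array(strtolower($host), $normalized, true);
}

if (!refererAllowed($_SERVER['HTTP_REFERER'] ?? null, $allowedHosts)) {
    http_response_code(403);
    exit;
}

// Referer passed: build the image from database data as before.
header('Content-Type: image/png');
$im = imagecreatetruecolor(200, 50);
$bg = imagecolorallocate($im, 255, 255, 255);
$fg = imagecolorallocate($im, 0, 0, 0);
imagefilledrectangle($im, 0, 0, 199, 49, $bg);
imagestring($im, 5, 10, 15, 'dynamic image', $fg); // placeholder content
imagepng($im);
imagedestroy($im);
```

Whether a missing referer should be refused (Fox) or allowed (Chris) is the choice the thread is debating; the `return false` in the empty-referer branch is where that decision lives.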