This is a discussion on How to prevent direct access.. within the PHP General forums, part of the PHP Programming Forums category.
I have a php file that produces an image and is only referred to from
an img tag like so:

    <img src="getRandImage.php">

I want to prevent anyone from directly accessing the getRandImage.php file. The file has to be world readable or the image will not display. I played around with testing $_SERVER['HTTP_REFERER'] using regular expressions but the above image tag appears in the default splash page and there is no http referer set when they first visit the site. (also ran into some IE quirkiness as well) I played around with putting getRandImage.php into a subdirectory that is only viewable by the user the web server is running as and the image also would not appear. I couldn't figure out a way to embed this into a function that could be hidden in a non-world readable subdirectory -- which would be my preferred approach. (Is there a way to call a php function that returns an image from within an img tag, instead of calling a php file?)

I can easily check http request type but the img tag is doing a GET request which is also what request type is used if they try and directly access the URL.

I'm sure it's something simple I am overlooking. Maybe another $_SERVER variable or something I can work with.

fyi: running php 5.2.5 and apache 2.2.

Thanks for any help..
/CC
Chuck wrote:
> I have a php file that produces an image and is only referred to from
> an img tag like so:
>
> <img src="getRandImage.php">
>
> I want to prevent anyone from directly accessing the getRandImage.php
> file. The file has to be world readable or the image will not display.
> I played around with testing $_SERVER['HTTP_REFERER'] using regular
> expressions but the above image tag appears in the default splash page
> and there is no http referer set when they first visit the site. (also
> ran into some IE quirkiness as well) I played around with putting
> getRandImage.php into a subdirectory that is only viewable by the user
> the web server is running as and the image also would not appear. I
> couldn't figure out a way to embed this into a function that could be
> hidden in a non-world readable subdirectory -- which would be my
> preferred approach. (Is there a way to call a php function that
> returns an image from within an img tag, instead of calling a php
> file?)
>
> I can easily check http request type but the img tag is doing a GET
> request which is also what request type is used if they try and
> directly access the URL.
>
> I'm sure it's something simple I am overlooking. Maybe another $_SERVER
> variable or something I can work with.
>
> fyi: running php 5.2.5 and apache 2.2.
>
> Thanks for any help..
> /CC

Pass the session_id in the url..

    <img src="getRandImage.php?img=SESSION_ID_HERE" />

then in the php

    <?php
    session_start(); // required, otherwise session_id() returns "" and nothing ever matches
    if (isset($_GET['img']) && $_GET['img'] == session_id()) {
        # code to show image
    }
    ?>

you can ultra harden it by putting a destroy session code in that block as well, meaning they can only single access the file.

alternatively (and a bit harder on the machine) have the index.php script create a php on the fly based on session_id or something ie: 3h238bc98da9e0a880237d7c8ef09.php and have that script echo out the image and delete itself once the image has been sent to the buffer (ob_* and flush()) :)
Chuck wrote:
> I have a php file that produces an image and is only referred to from
> an img tag like so:
>
> <img src="getRandImage.php">
>
> I want to prevent anyone from directly accessing the getRandImage.php
> file. The file has to be world readable or the image will not display.
> I played around with testing $_SERVER['HTTP_REFERER'] using regular
> expressions but the above image tag appears in the default splash page
> and there is no http referer set when they first visit the site. (also
> ran into some IE quirkiness as well) I played around with putting
> getRandImage.php into a subdirectory that is only viewable by the user
> the web server is running as and the image also would not appear. I
> couldn't figure out a way to embed this into a function that could be
> hidden in a non-world readable subdirectory -- which would be my
> preferred approach. (Is there a way to call a php function that
> returns an image from within an img tag, instead of calling a php
> file?)
>
> I can easily check http request type but the img tag is doing a GET
> request which is also what request type is used if they try and
> directly access the URL.
>
> I'm sure it's something simple I am overlooking. Maybe another $_SERVER
> variable or something I can work with.
>
> fyi: running php 5.2.5 and apache 2.2.
>
> Thanks for any help..
> /CC
>

I would do something like what Nathan said, but with a twist.

From the page with the anchor tag, I would use a unique value in the image URL, but I would store that value in my session, along with a timestamp of when it was generated.

Then, in the getRandImage.php script, I would check to see if the unique value in the session exists. If no, then boot them; else check to see if it is expired. If yes, boot them; else display the random image and delete the unique value and timestamp.

Then it doesn't matter if they access the URL directly; if they do, they won't have a value in their session, because the only place that the value gets set is in the original calling HTML page.

--
Jim Lucas

"Some men are born to greatness, some achieve greatness, and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V by William Shakespeare
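The scheme Nathan and Jim describe above, as an added example that is not from the thread: the embedding page mints a random token and stores it in the session with a timestamp; the image script consumes it once, rejects it if expired or mismatched, and clears it on every attempt so a guessed or replayed value cannot be retried. It assumes PHP 7 or later for random_bytes() and hash_equals() (the thread ran 5.2.5), the GD extension, and made-up names such as img_token and IMG_TOKEN_TTL.

```php
<?php
// Added example, not code from the thread. Both roles (splash page and
// getRandImage.php) live in one file here so it can be run on its own.
session_start();

const IMG_TOKEN_TTL = 60; // seconds a token stays valid after it is issued

// Called by the page that embeds the <img>: mint a token and remember it.
function issue_image_token(): string {
    $token = bin2hex(random_bytes(16));               // 128 bits, unguessable
    $_SESSION['img_token'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Called by the image script: true only for a fresh, unused, matching token.
// The stored token is removed on every attempt, success or failure, so the
// URL works exactly once and cannot be brute-forced within the session.
function consume_image_token(string $presented): bool {
    if (empty($_SESSION['img_token'])) {
        return false;                                 // direct hit, no issuing page
    }
    $stored = $_SESSION['img_token'];
    unset($_SESSION['img_token']);                    // single use
    if (time() - $stored['issued'] > IMG_TOKEN_TTL) {
        return false;                                 // expired
    }
    return hash_equals($stored['value'], $presented); // constant-time compare
}

if (isset($_GET['img'])) {
    // Acting as getRandImage.php
    if (!consume_image_token((string) $_GET['img'])) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    header('Content-Type: image/png');
    $im = imagecreatetruecolor(64, 64);               // stand-in for the random image
    $fill = imagecolorallocate($im, mt_rand(0, 255), mt_rand(0, 255), mt_rand(0, 255));
    imagefilledrectangle($im, 0, 0, 63, 63, $fill);
    imagepng($im);
    imagedestroy($im);
    exit;
}

// Acting as the splash page: embed the freshly issued token in the image URL.
$self = htmlspecialchars(basename($_SERVER['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8');
echo '<img src="' . $self . '?img=' . issue_image_token() . '" alt="">';
```

Because the token lives in the session, the browser must accept the session cookie for the image to render; the check stops direct or hotlinked fetches, not a user saving the image their own page legitimately displayed.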
On Sun, January 27, 2008 6:38 pm, Chuck wrote:
> I have a php file that produces an image and is only referred to from
> an img tag like so:
>
> <img src="getRandImage.php">
>
> I want to prevent anyone from directly accessing the getRandImage.php
> file. The file has to be world readable or the image will not display.
> I played around with testing $_SERVER['HTTP_REFERER'] using regular
> expressions but the above image tag appears in the default splash page
> and there is no http referer set when they first visit the site. (also
> ran into some IE quirkiness as well) I played around with putting
> getRandImage.php into a subdirectory that is only viewable by the user
> the web server is running as and the image also would not appear. I
> couldn't figure out a way to embed this into a function that could be
> hidden in a non-world readable subdirectory -- which would be my
> preferred approach. (Is there a way to call a php function that
> returns an image from within an img tag, instead of calling a php
> file?)

You can set some kind of cookie in the previous page, and then check that they have the cookie...

Or you can require some kind of login to get to the image -- same technique.

Referer is useless. Not all browsers send it; and it's far too easy to fake.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?