A LIST Apart: For People Who Make Websites

No. 185

Discuss: Smarter Image Hotlinking Prevention


11 RE: A Few Suggestions

Waylman,

Thanks, but I’m familiar with the intricacies of mod_rewrite. The author writes:

……
So far, this is just a simple script. Go to [img]http://www.yoursite.com/showpic.php?yourimage.gif[/img] and it will output a simple page showing yourname.gif and a credit.
……

At that point in the article the mod_rewrite code has not been introduced and the author is merely suggesting that going to the URL will show the picture and a credit. However, the script will die immediately since $pic is not defined in the query string. Like I said, the link should be [img]http://www.yoursite.com/showpic.php?pic=yourimage.gif[/img].

posted at 01:47 pm on July 13, 2004 by Ed

12 If you are serious

It’s an excellent article. But I have to point this out to the not-so-strong PHP people out there. It is bad practice to use the $_GET[] global variable directly to call a file on your server. Check out the php.net site and read the article about “best practice”.

Basically, if you do this, you are telling me to hijack your files. Consider this. [img]http://www.yoursite.php?pic=image.gif[/img] if you change to this. www.yoursite.php?pic=secret_file.php
A better way to approach this could be to write the above-mentioned file as a module, without the HTML header. Instead, generate a header as image/jpeg (or whatever you want), then call this script from another script, hiding all the actual images from the whole world (I have been doing this for one year now, and the best part is I can turn it on and off any time I want). Hope this helps.

posted at 02:22 pm on July 13, 2004 by Joel

13 eeek!

Good point Joel, and run your solution by me again a little slower please?

Taking it further…
You could also allow hot-linking but use PHP with an image editing module to add a watermark, your home page URL, copyright info and/or your name onto the image itself.

posted at 03:18 pm on July 13, 2004 by LazyJim

14 Awesome!

I have always been trying to find a great way to be able to protect my images but still enable being able to pull up an image without it having to be on a page on my site.

Thank you so much. Though, I must mention – It didn’t work until I removed the “/” in front of the image and in front of the file in my .htaccess. shrugs

posted at 03:21 pm on July 13, 2004 by Jina

15 I used a different solution to this

I spent a while pondering this, as I’ve seen a few sites fail when using referrer based blocking, and came up with an alternative, but it’s a lot more work.

When an image is displayed, the SRC for the IMG tag is a PHP file – img.php?id=xxxxxxxxx – which gets xxxxxxxx.jpg, and reformats it for display. I was already doing this bit, so the images could be resized on the fly – call it with ‘&width=640’ for a 640px wide image, for example. The bit I added was that each page that displays images calculates a hash from the current time, to the nearest hour, and passes this on to the php script as ‘&auth=xxxxxxxxxx’. When img.php runs, it checks this against the hash for the current time.

If they match, it outputs the image as requested. If they fail, it limits the size and quality, and adds extra text with the site address across the top and bottom of the image.

Because the image is still displayed, it doesn’t break pages for people who do nick images (they’re not usually meaning to be evil ;). Because it adds the site address, it can still advertise my site, but because it limits the jpeg quality, and refuses to output in the largest sizes, it cuts down the bandwidth. Hopefully it prevents excessive leeching, whilst still allowing people to post the odd image on their blog.

Oh, and once the image has been generated once at a specified size / quality, it caches it for use next time, so it doesn’t have to resize every time.

posted at 03:21 pm on July 13, 2004 by Michael Randall
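The hourly token check Michael describes, as an added example (not his code): the page embeds a token for the current hour as &auth=, img.php recomputes it, and unauthorised requests get the capped, branded image. Two assumptions go beyond his description: a server-side secret keys the hash, since a hash of the hour alone can be recomputed by anyone who reads the page source, and the previous hour’s token is still accepted so pages rendered just before the hour rolls over keep working.

```python
import hashlib
import hmac
import time

# Assumed server-side secret (constructed value); the real one must not appear in page source.
SECRET = b"constructed-example-secret-rotate-me"
HOUR = 3600


def current_hour(now=None):
    """Hour bucket for a Unix timestamp (defaults to the current time)."""
    return int((time.time() if now is None else now) // HOUR)


def hour_token(hour, secret=SECRET):
    """The value the page embeds as &auth= for a given hour bucket."""
    return hmac.new(secret, str(hour).encode(), hashlib.sha256).hexdigest()[:20]


def is_authorised(auth, now=None, grace_hours=1, secret=SECRET):
    """True if auth matches the current hour's token or one of `grace_hours` earlier ones.

    Without the grace period a page rendered at 10:59 would serve its images
    crippled at 11:01, which is the hour-boundary failure mode of a plain check.
    """
    h = current_hour(now)
    return any(hmac.compare_digest(auth, hour_token(h - k, secret))
               for k in range(grace_hours + 1))


def image_params(auth, width, quality, now=None):
    """Michael's policy: honour the request if authorised, otherwise cap size and
    quality and stamp the site address on the image (watermark flag)."""
    if is_authorised(auth, now):
        return {"width": width, "quality": quality, "watermark": False}
    return {"width": min(width, 320), "quality": min(quality, 50), "watermark": True}
```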

16 BTW

I forgot to mention – I’m using Firefox, and it works fine – though it does appear to have some sort of glitch where it will sometimes suddenly show the image and then upon refresh, it won’t. Odd.

posted at 03:23 pm on July 13, 2004 by Jina

17 Looks Secure To Me

Joel, I don’t see a security problem here. He’s not returning the contents of the file. He’s just using the file name to construct an <img> element.

posted at 03:56 pm on July 13, 2004 by Ryan Mack

18 well

Joel – the article’s focus was people linking directly to the files. If they’re linking then they know the file name already and this is meant to be a graceful way to add a layer in between the transaction.

I agree with your post, however in the scope of this article embedding something else as a $pic var isn’t going to do much since it is only constructing an img element and Apache is checking the mime type before sending it to the script.

posted at 04:29 pm on July 13, 2004 by DK

19 Caching

The generated page contains the <img> element with a src of the current URI. This is a problem. It has already been retrieved, namely as the current page, with a type of text/html. You need to explicitly make sure the generated page sends headers to disable any cache of it.

posted at 04:57 pm on July 13, 2004 by Roger

20 Ethical implications

Directly after reading this article two things came to mind:

Firstly, this would force people who want to display our images on their sites to copy our image directly to their servers, which by all accounts could be breaking copyright law even if it was purely for reference purposes and they gave full credit and linkage to our site; these same actions would also result in duplicates of the image cropping up all over the web.

This goes against the idea of such technologies as BitTorrent, whereby when the demand for a file drops one kind individual keeps a torrent open so as to ensure every user can gain quick and easy access; instead it is being suggested that we expect other people to host our content.

Secondly, there is the problem of people who want to make reference to an image that we host but are unable to ever host it or embed it, such as in a bulletin board that does not allow HTML or images.

posted at 05:10 pm on July 13, 2004 by Arran
