+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Good solution for protecting image files in folder (/showthread.php?tid=27583)
Good solution for protecting image files in folder - El Forum - 02-15-2010
[eluser]esset[/eluser]
I just tried this one two, didn't work: http://www.xaviermedia.com/webbing/2008/01/27/protect-your-pictures-and-prevent-bandwidth-theft/
Can my server somehow be missconfiged? Shouldn't since for example mod_rewrite works.
Good solution for protecting image files in folder - El Forum - 02-15-2010
[eluser]cahva[/eluser]
You said the magic phrase "deny from all" already
Use that. When you have deny from all, you can access those files only from the filesystem(like for example PHP).EDIT - and to be more clear, put .htaccess to the image folder with this content:
Quote:Deny from all
Thats it.
Good solution for protecting image files in folder - El Forum - 02-15-2010
[eluser]esset[/eluser]
Hi cahva, what would I add to my .htaccess (see above) for that to work?
I'm a little green when it comes to extending .htaccess
Thanks
Good solution for protecting image files in folder - El Forum - 02-15-2010
[eluser]cahva[/eluser]
You were fast
Ok. You dont have to edit your existing .htaccess, you can have different .htaccess in different folders.
Good solution for protecting image files in folder - El Forum - 02-15-2010
[eluser]esset[/eluser]
Oops that made it a little to good
It worked, but now the site itself also gets refused the images.
Can I add some sort of "allow from this domain" type of thing?
I just tried...
Code:
order deny,allow
deny from all
allow from 0.0.0.0...but didn't work. same result as above.
Good solution for protecting image files in folder - El Forum - 02-15-2010
[eluser]esset[/eluser]
Okay I think the problem lies within my mod_rewrite rule. After RewriteRule the [L] stands for "Last" which would "kill" everything else.
Is there a way for me to run the "prevent-hotlinking-of-images" before my rewriterule to send everything to index.php?
Btw laytone: I added in "options -indexes" into my .htaccess before the mod_rewrite and it now prevents direct access to directories
but still doesn't for files.Thanks all
Good solution for protecting image files in folder - El Forum - 02-15-2010
[eluser]esset[/eluser]
This did not work:
Code:
Options -Indexes
Options +FollowSymlinks
RewriteEngine On
# no hot-linking
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.se/ [NC]
RewriteCond %{REQUEST_URI} !hotlink\.(gif|png) [NC]
RewriteRule .*\.(gif|jpg|png)$ http://domain.se/hotlink.png [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]Good solution for protecting image files in folder - El Forum - 02-21-2010
[eluser]esset[/eluser]
Anyone that has any other ideas regarding this matter?
No one used the mod_rewrite command together with trying to secure images from being accessed directly?
Thanks
Good solution for protecting image files in folder - El Forum - 02-21-2010
[eluser]slowgary[/eluser]
I would put the images directory above the webroot, then never allow direct access, even from your own site. To access images, use an images controller that fetches them from their folder, checking referrer or some sort of auth permissions on each retrieval.
So if your site's directory structure looked like this:
/root
'-/images
'-/www
Then somewhere in your www you've got your CI installation. You'd write a controller with a function similar to this:
Code:
class Images extends Controller
{
function _remap($filename)
{
//you'd want to do some sort of regex on the filename for security
if( filename matches regex )
{
if(file_exists('/images/'.$filename))
{
echo file_get_contents($filename);
}
}
}
}This would make it so that your controller is now the only "entrance way" to your images, like a castle with a moat and drawbridge. The next step would be to add some soldiers to your controller, either by checking the $_SERVER['HTTP_REFERER'] (but this can be spoofed), or by checking to see if the user is logged in, or by concocting some sort of time-sensitive unique ID or something to guarantee that people are only accessing images when you want them to. That really depends on your application.
I hope this helps.
EDIT: If your host doesn't allow you to place directories above the webroot, you could indeed use an .htaccess, but .htaccess in itself will not solve your problem, because if you deny all users from access the directory and it's files, I think it will also deny them from seeing those images on one of your pages. And ultimately, if someone can view one of your images on your page, they can just copy whatever URL the image resides at and use it on their own pages as well. You'd really need to do something like above and check the referrer... also, this lets you do some nice things like return another image if the referrer doesn't match, e.g. "This image was stolen from mysite.com".
Good solution for protecting image files in folder - El Forum - 02-21-2010
[eluser]esset[/eluser]
So how would I link to my images for my own site?
Thanks for the help
EDIT: Will this way effect performance of displaying images(?)