[eluser]slowgary[/eluser]
I would put the images directory above the webroot, then never allow direct access, even from your own site. To access images, use an images controller that fetches them from their folder, checking referrer or some sort of auth permissions on each retrieval.
So if your site's directory structure looked like this:
/root
'-/images
'-/www
Then somewhere in your www you've got your CI installation. You'd write a controller with a function similar to this:
Code:
class Images extends Controller
{
function _remap($filename)
{
//you'd want to do some sort of regex on the filename for security
if( filename matches regex )
{
if(file_exists('/images/'.$filename))
{
echo file_get_contents($filename);
}
}
}
}
This would make it so that your controller is now the only "entrance way" to your images, like a castle with a moat and drawbridge. The next step would be to add some soldiers to your controller, either by checking the $_SERVER['HTTP_REFERER'] (but this can be spoofed), or by checking to see if the user is logged in, or by concocting some sort of time-sensitive unique ID or something to guarantee that people are only accessing images when you want them to. That really depends on your application.
I hope this helps.
EDIT: If your host doesn't allow you to place directories above the webroot, you could indeed use an .htaccess, but .htaccess in itself will not solve your problem, because if you deny all users from access the directory and it's files, I think it will also deny them from seeing those images on one of your pages. And ultimately, if someone can view one of your images on your page, they can just copy whatever URL the image resides at and use it on their own pages as well. You'd really need to do something like above and check the referrer... also, this lets you do some nice things like return another image if the referrer doesn't match, e.g. "This image was stolen from mysite.com".
