Preventing direct access to images... or something...?

#11
[eluser]Jim OHalloran[/eluser]
[quote author="crikey" date="1189011132"]I guess it raises the issue though of serving the public/private images as part of an HTML page (in this case the image content itself wouldn't be output, rather a link to it, as in
Code:
<img src=... />
[/quote]Once the images are outside the webroot you'll need to have a script which sends the images to the browser, which gives you the opportunity you need to do your access checks. If you used a URL like this in your image tags:
Code:
<img src="http://my-site.com/images/serve/1234">
You could create a controller called images, and include a function like this....
Code:
function serve($image_id) {
  // Do access checks here...

  // If access is allowed, figure out where the real image is from the image id...

  // Output the image...
  header('Content-Type: image/jpeg');
  echo(file_get_contents($actual_path_to_image));
}
You can use the routes.php file to make the image URL a bit shorter if you like, but that gives you the idea.

Jim.

#12
[eluser]crikey[/eluser]
Awesomely cool! Thanks Jim.

I also found a tutorial on the O'Reilly ONLamp site that covers this technique (although the image data is stored in a DB). The only other question I had was if using the controller/method/id URL for the source will still work OK (ie would CI still handle it). But you've answered that too!

Cheers :)

#13
[eluser]Jim OHalloran[/eluser]
[quote author="crikey" date="1189060510"]I also found a tutorial on the O'Reilly ONLamp site that covers this technique (although the image data is stored in a DB).[/quote]
You can store images in the database, and that has some advantages if the images are related to database updates that might take place in a transaction (i.e. you can roll back image updates with the rest of the transaction easily). In general terms though it's more efficient to store the images on the filesystem; there's less overhead involved.

[quote author="crikey" date="1189060510"]The only other question I had was if using the controller/method/id URL for the source will still work OK (ie would CI still handle it). But you've answered that too![/quote]
The issue isn't actually CI, it just handles the image request the same as any normal page request. The main thing is actually the browser end. You need to make sure you send the appropriate content type header, otherwise the browser won't interpret the data it receives as an image. You also need to ensure that only the image data is ever sent to the browser. Make sure there are no error messages, PHP warnings, etc. coming from the script. Otherwise the browser will (quite rightly) treat it as a broken image.

Jim.
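
Added example (not from any poster in this thread): the serve step described in posts #11 and #13, with the access check, an id-to-file lookup so the request never supplies a path, and buffered output discarded so only image bytes follow the Content-Type header. `IMAGE_DIR`, the catalogue rows and the function names are assumptions; it is plain PHP 7.1+ rather than a CodeIgniter controller.

```php
<?php
// Assumptions: IMAGE_DIR is outside the webroot; the catalogue stands in for a DB table.
const IMAGE_DIR = '/var/app-data/images';
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
// Constructed sample rows: image id => stored file name and owning user (null = public).
function image_catalog(): array {
    return [
        1234 => ['file' => 'a1b2c3.jpg', 'owner' => 42],
        1235 => ['file' => 'd4e5f6.png', 'owner' => null],
    ];
}

// Returns the real path this user may read, or null. Produces no output.
function resolve_image(string $image_id, ?int $user_id, array $catalog, string $base): ?string {
    // Only plain decimal ids are accepted; the request never supplies a file name.
    if (!ctype_digit($image_id)) {
        return null;
    }
    $row = $catalog[(int) $image_id] ?? null;
    // Same answer for "no such image" and "not yours", so the response does not confirm which ids exist.
    if ($row === null || ($row['owner'] !== null && $row['owner'] !== $user_id)) {
        return null;
    }
    // Confirm the stored name still resolves to a file inside the image directory.
    $root = realpath($base);
    $path = realpath($base . '/' . $row['file']);
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function serve_image(string $image_id, ?int $user_id): void {
    $path = resolve_image($image_id, $user_id, image_catalog(), IMAGE_DIR);
    // Detect the type from the file contents (fileinfo extension) instead of assuming JPEG.
    $type = $path === null ? null : (new finfo(FILEINFO_MIME_TYPE))->file($path);
    // Drop anything already buffered (notices, stray whitespace) before sending the response.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    if ($path === null || !in_array($type, ALLOWED_TYPES, true)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

In a controller like the `images` one from post #11, `serve($image_id)` would call `serve_image()` with the logged-in user's id taken from the session.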

#14
[eluser]Crafter[/eluser]
I've looked at this issue for one of my projects and found the solution Jim and Rojerb described as the best option. I second that.

