Password protect jpgs?

Re: Password protect jpgs?

Michael Vilain wrote:[color=blue]
> In article <e562u7$1sf$1@y ggdrasil.glocal net.net>,
> "Garry Jones" <garry.jones@mo rack.se> wrote:
>[color=green]
>> I need to create a page with a password where I show photos. How do I stop
>> people from accessing the jpgs directly without going through the password
>> function.
>>
>> I am using Windows XP and have a website which supports Mysql and php.
>>
>> The end result should be a page where the user can type in a password and
>> access a few pages of thumbnails which can be clicked for enlargements.
>>
>> Garry Jones
>> Sweden[/color]
>
> You might be able to put the images in a directory not directly in the
> web server's document directory, then write a php page that, given the
> name of the file in either a GET or POST argument will open the image
> file, send the correct header, and display the image. Be sure to
> properly check for path injection and non-image filenames, so they can't
> display stuff they shouldn't be able to. Don't allow wildcards on
> filenames.
>
> Or stuff the image in a MySQL database BLOB and pull it out using a php
> page.
>[/color]
As a further idea, and one that I have used..

Don't use the full file name in the variables you pass, use an type
variable.

ex. get_image.php?i mg=monkeys&ext= 1 (would pull monkeys.jpg)
get_image.php?i mg=monkeys&ext= 2 (would pull monkeys.tif)
get_image.php?i mg=monkeys&ext= 3 (would pull monkeys_thumb.j pg) -
you can use the ext to add whatever extension you want (and change them
later if you move files around.. ext=4 could prepend the monkeys part
with "/imagedir/", or whatever you want.

I did this on a page that pulled in multiple file types for templates.
It allowed me to force an extension on any user submitted data. This
was combined with filtering of the content for ANY '.' which is how most
injections worked. (Just don't use image names w/ periods in them).

After filtering the input, I check against a valid file type, default to
'1', and then do a @file_exists as the last sanity check.

-- Steve

Re: Password protect jpgs?

I use this way:
<?php
session_start() ;
if ($_SESSION['logged_in']) { // Change this to your password code...
header ('Content-Type: image/jpeg');
readfile ('image_secret_ folder_123/' . $_GET['picname'] . '.jpg');
exit;
}
echo 'you don\'t have permission to watch this picture.';
?>

Re: Password protect jpgs?

the DtTvB wrote:
[color=blue]
> 'image_secret_f older_123/'[/color]

Your secret folder doesn't need to be secret. The name can be as public as
you want it -- just make sure that you use an Apache "Deny" directive to
deny direct access to the images.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Re: Password protect jpgs?

Am Sun, 28 May 2006 22:43:32 +0100 schrieb Toby Inkster:
[color=blue]
> From: Toby Inkster <usenet200605@t obyinkster.co.u k>
> Newsgroups: comp.lang.php
> Subject: Re: Password protect jpgs?
> Date: Sun, 28 May 2006 22:43:32 +0100
> Lines: 12
> Message-ID: <45ipk3-38o.ln1@ophelia .g5n.co.uk>
> References: <e562u7$1sf$1@y ggdrasil.glocal net.net> <1148785932.832 004.148520@j55g 2000cwa.googleg roups.com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> X-Trace: individual.net t1zev2TfVPM8KKx 8lseyFwW8+88BH1 +c7eHWf2kRSG6xr KH/o=
> X-Orig-Path: ophelia.g5n.co. uk!news
> User-Agent: Pan/0.14.2.91 (As She Crawled Across the Table)
> X-URI: http://tobyinkster.co.uk/
> Path: news.tiscalinet .ch!newsfeed.ti scali.ch!fu-berlin.de!uni-berlin.de!indiv idual.net!not-for-mail
> Xref: news.tiscalinet .ch comp.lang.php:1 12969
>
> the DtTvB wrote:
>[color=green]
>> 'image_secret_f older_123/'[/color]
>
> Your secret folder doesn't need to be secret. The name can be as public as
> you want it -- just make sure that you use an Apache "Deny" directive to
> deny direct access to the images.[/color]


You may also try protecting the directory via .htaccess

Re: Password protect jpgs?

- wrote:[color=blue]
> Am Sun, 28 May 2006 22:43:32 +0100 schrieb Toby Inkster:
>[color=green]
>> Mime-Version: 1.0
>> Content-Type: text/plain; charset=UTF-8
>> Content-Transfer-Encoding: 8bit[/color][/color]

There is such a thing as excessive quoting!

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact