is an image embedded in a webpage?

Re: is an image embedded in a webpage?

yawnmoth wrote:[color=blue]
> i've written a php script that generates images dynamically, via the
> GD library. i now want to detect whether or not the image is embedded
> within a homepage, or is being viewed by itself. at first, i thought
> that whether or not HTTP_SERVER_VAR S['REFERER'] was set, that it would
> mean that the image was embedded, but that's not necessarily the case,
> as it will also be set if it's just linked to from the webpage. so,
> any ideas?[/color]

$_SESSION['embed_time'] = time();
echo '<img src="img.php">' ;


and in img.php

define('MAX_SEC ONDS_FOR_EMBEDD ED_IMAGES', 10);
if (isset($_SESSIO N['embed_time']) &&
$_SESSION['embedded']+MAX_SECONDS_FO R_EMBEDDED_IMAG ES < time()) {
// image is embedded
} else {
// image is not embedded
}

HTH
--
USENET would be a better place if everybody read: : mail address :
http://www.catb.org/~esr/faqs/smart-questions.html : is valid for :
http://www.netmeister.org/news/learn2quote2.html : "text/plain" :
http://www.expita.com/nomime.html : to 10K bytes :

Re: is an image embedded in a webpage?

"Pedro Graca" <hexkid@hotpop. com> wrote in message
news:2heqh5Fc23 7lU1@uni-berlin.de...[color=blue]
> yawnmoth wrote:[color=green]
> > i've written a php script that generates images dynamically, via the
> > GD library. i now want to detect whether or not the image is embedded
> > within a homepage, or is being viewed by itself. at first, i thought
> > that whether or not HTTP_SERVER_VAR S['REFERER'] was set, that it would
> > mean that the image was embedded, but that's not necessarily the case,
> > as it will also be set if it's just linked to from the webpage. so,
> > any ideas?[/color]
>
> $_SESSION['embed_time'] = time();
> echo '<img src="img.php">' ;
>
>
> and in img.php
>
> define('MAX_SEC ONDS_FOR_EMBEDD ED_IMAGES', 10);
> if (isset($_SESSIO N['embed_time']) &&
> $_SESSION['embedded']+MAX_SECONDS_FO R_EMBEDDED_IMAG ES < time()) {
> // image is embedded
> } else {
> // image is not embedded
> }
>[/color]

Won't it be easier if you just set a flag in the PHP script that generates
the <img> tag and unset it in the script that generates the image?

Re: is an image embedded in a webpage?

Chung Leong wrote:[color=blue]
> "Pedro Graca" <hexkid@hotpop. com> wrote in message
> news:2heqh5Fc23 7lU1@uni-berlin.de...[color=green]
>> yawnmoth wrote:[color=darkred]
>> > i've written a php script that generates images dynamically, via the
>> > GD library. i now want to detect whether or not the image is embedded
>> > within a homepage, or is being viewed by itself. at first, i thought
>> > that whether or not HTTP_SERVER_VAR S['REFERER'] was set, that it would
>> > mean that the image was embedded, but that's not necessarily the case,
>> > as it will also be set if it's just linked to from the webpage. so,
>> > any ideas?[/color]
>>
>> $_SESSION['embed_time'] = time();
>> echo '<img src="img.php">' ;
>>
>>
>> and in img.php
>>
>> define('MAX_SEC ONDS_FOR_EMBEDD ED_IMAGES', 10);
>> if (isset($_SESSIO N['embed_time']) &&
>> $_SESSION['embedded']+MAX_SECONDS_FO R_EMBEDDED_IMAG ES < time()) {[/color][/color]
# ____________ ^^^^^^^^ _____
# ___________ embed_time ____[color=blue][color=green]
>> // image is embedded
>> } else {
>> // image is not embedded
>> }
>>[/color]
>
> Won't it be easier if you just set a flag in the PHP script that generates
> the <img> tag and unset it in the script that generates the image?[/color]

Yes, it will :)
Thank you for pointing that out.

--
USENET would be a better place if everybody read: : mail address :
http://www.catb.org/~esr/faqs/smart-questions.html : is valid for :
http://www.netmeister.org/news/learn2quote2.html : "text/plain" :
http://www.expita.com/nomime.html : to 10K bytes :

Re: is an image embedded in a webpage?

yawnmoth wrote:
[color=blue]
> at first, i thought
> that whether or not HTTP_SERVER_VAR S['REFERER'] was set, that it would
> mean that the image was embedded, but that's not necessarily the case,
> as it will also be set if it's just linked to from the webpage. so,
> any ideas?[/color]

Check the value of REFERER. If I remember rightly, it will point to the
URL of the page that called it. If the domain in the URL is yours, then
your page is calling it. If the domain in the URL is someone else's,
then you're not the one calling it. You can probably ban other sites
from generating the image this way. (Unless it's a dynamic image,
they'll just copy and save it to their site by right-clicking in their
browser, then put it on their site without referring to your script at all.)
--
Bob
London, UK
echo Mail fefsensmrrjyahe eoceoq\! | tr "jefroq\!" "@obe.uk"

Re: is an image embedded in a webpage?

"Pedro Graca" <hexkid@hotpop. com> wrote in message
news:2hfhfgFcde 90U1@uni-berlin.de...[color=blue][color=green]
> > Won't it be easier if you just set a flag in the PHP script that[/color][/color]
generates[color=blue][color=green]
> > the <img> tag and unset it in the script that generates the image?[/color]
>
> Yes, it will :)
> Thank you for pointing that out.[/color]

It breaks the capabilities to serve files to multiple users at once:

00:00:00.00 -- User 1 requests home page - Flag gets set
00:00:00.25 -- User 2 requests home page - Flag gets set
00:00:00.50 -- User 1 requests image - Flag gets unset
00:00:00.75 -- User 2 requests image - Flag is unset, so request is denied

It doesn't work to switch to an instance counter. Your counter will get
messed up.

Example 1: User is browsing without images turned on, so the counter gets
incremented by the home page script but never decremented. You now have a
counter that is too high. If this happens regularly, people can still
request the image without hitting the home page, since the counter will have
stored displays that weren't used.

Example 2: Image transfer fails for some reason, so the browser requests it
twice. Now your counter is too low and someone's request is going to fail.

Possible solutions:

* Use a time-based value in the image file name and allow access for a
certain period of time based on that value.
* Use sessions and store the flag that was set by the main page as a session
variable. This makes it independent for each user and eliminates the
scenarios above, when coded correctly.

Steve
--
Steven C. Gallafent - The Computer Guy, Inc.
steve@compguy.c om - http://www.compguy.com/

Re: is an image embedded in a webpage?

>> at first, i thought[color=blue][color=green]
>> that whether or not HTTP_SERVER_VAR S['REFERER'] was set, that it would
>> mean that the image was embedded, but that's not necessarily the case,
>> as it will also be set if it's just linked to from the webpage. so,
>> any ideas?[/color]
>
>Check the value of REFERER.[/color]

That value comes from the browser, so it's easily fakable and
about as useful for security as a vault door made out of one
layer of toilet paper.
[color=blue]
>If I remember rightly, it will point to the
>URL of the page that called it.[/color]

Unless the legitimate user's browser strips it out.
Then you may lose a paying customer.
[color=blue]
>If the domain in the URL is yours, then
>your page is calling it. If the domain in the URL is someone else's,
>then you're not the one calling it. You can probably ban other sites
>from generating the image this way. (Unless it's a dynamic image,
>they'll just copy and save it to their site by right-clicking in their
>browser, then put it on their site without referring to your script at all.)[/color]

If it *IS* a dynamic image, they'll save it anyway. They don't
have to use a conventional (mouseful) browser at all.

For example, on FreeBSD (probably Linux also, and there's no reason
there couldn't be a Windows version):

% setenv HTTP_REFERER http://www.porn.com/hotstuff/index.html
(or anything else I feel like)
% fetch -o hotporn37.jpg http://www.porn.com/hotstuff/hotporn37.jpg


oh, yes, I can also setenv HTTP_REFERER to "auto" and fetch will
set HTTP_REFERER to the URL of the image I'm trying to fetch, so
I don't have to bother re-setting it for each image I steal.

Gordon L. Burditt

Re: is an image embedded in a webpage?

Pedro Graca <hexkid@hotpop. com> wrote in message news:<2heqh5Fc2 37lU1@uni-berlin.de>...[color=blue]
> <snip>
>
> $_SESSION['embed_time'] = time();
> echo '<img src="img.php">' ;
>
>
> and in img.php
>
> define('MAX_SEC ONDS_FOR_EMBEDD ED_IMAGES', 10);
> if (isset($_SESSIO N['embed_time']) &&
> $_SESSION['embedded']+MAX_SECONDS_FO R_EMBEDDED_IMAG ES < time()) {
> // image is embedded
> } else {
> // image is not embedded
> }
>
> HTH[/color]

that seems like it'd only work, though, if i had control over the page
that was loading the image. what if i don't?

so i guess what i'm asking is...

how can i tell if an image is being loaded as part of a direct link
that someone clicked on, ie:



or if it's in an html img tag, ie:

<img src='http://www.website.com/image.jpg'>

Re: is an image embedded in a webpage?

yawnmoth wrote:[color=blue]
> so i guess what i'm asking is...
>
> how can i tell if an image is being loaded as part of a direct link
> that someone clicked on, ie:
>
> http://www.website.com/image.jpg
>
> or if it's in an html img tag, ie:
>
> <img src='http://www.website.com/image.jpg'>[/color]

AFAICS you can't tell the difference between them.

For the server (www.website.com) both requests look exactly alike.
Myabe, just maybe, you can use the Referer, but as you said before, that
is not trustworthy.

--
USENET would be a better place if everybody read: : mail address :
http://www.catb.org/~esr/faqs/smart-questions.html : is valid for :
http://www.netmeister.org/news/learn2quote2.html : "text/plain" :
http://www.expita.com/nomime.html : to 10K bytes :

Re: is an image embedded in a webpage?

"Steven C. Gallafent" <steve@compguy. com> wrote in message news:<10b6n8aqt p1t270@corp.sup ernews.com>...[color=blue]
> "Pedro Graca" <hexkid@hotpop. com> wrote in message
> news:2hfhfgFcde 90U1@uni-berlin.de...[color=green][color=darkred]
> > > Won't it be easier if you just set a flag in the PHP script that[/color][/color]
> generates[color=green][color=darkred]
> > > the <img> tag and unset it in the script that generates the image?[/color]
> >
> > Yes, it will :)
> > Thank you for pointing that out.[/color]
>
> It breaks the capabilities to serve files to multiple users at once:
>
> 00:00:00.00 -- User 1 requests home page - Flag gets set
> 00:00:00.25 -- User 2 requests home page - Flag gets set
> 00:00:00.50 -- User 1 requests image - Flag gets unset
> 00:00:00.75 -- User 2 requests image - Flag is unset, so request is denied[/color]

I think, Chung is telling about setting the flag in session. In
that case, I don't see any user conflicts as you suggest 'coz session
for each users will be different. But, I agree that the solution is
not _much_ viable.

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com