
PHP Server Side Scripting Forum

    
PHP file that renders image - Need domain check
Need a check to see if the image is being served from my domain.
HappyJupiter



 
Msg#: 4304322 posted 6:38 pm on Apr 26, 2011 (gmt 0)

Hello all!

Thanks for taking the time to read my question.

Ok, so here it is:

I have a php file that renders images (based on a number of criteria). I want to put a check inside this file that makes sure that the image is only displayed if it is on my domain. (I don't want people to embed the images created on my server on any other site)

If this image is displayed on another domain (ie: using an <img> tag) then the check in the script will be tripped and the resulting image can simply have 'image not available' or whatever I decide will be best.

I've tried a few things like $_SERVER['SERVER_NAME'], $_SERVER['HTTP_REFERER'] but none seem to return the domain of the serving site, just returns my domain.

Any ideas?

Thanks a bundle!

 

Demaestro




 
Msg#: 4304322 posted 6:50 pm on Apr 26, 2011 (gmt 0)

You can check if your domain appears in the string of the file location.

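$img_src = '/path/to/the/image/';
$req_domain = 'example.com';

// strpos() returns 0 for a match at the start of the string, so compare against false
if (strpos($img_src, $req_domain) !== false) {
    echo 'domain in source';
} else {
    echo 'domain NOT in source';
}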

The problem with this is if they made a dir with your domain as the name and put the images in there this would pass, but it would be incorrect.

For example, if they did this it would fool your script.

$img_src = 'fakedomain.com/example.com/image_name';

However I wouldn't worry about that too much, they would need to see your code to know that this would fool it.

You can also do things like check the position of the domain to see if it is at the start of the string not in the middle.

The code I provided should get you started. I am guessing a well built regex would do the trick as well, but my regex is weak.
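
An added example, not part of the original posts: comparing the parsed host of the Referer URL exactly, rather than searching for the domain as a substring. The function name `referer_is_allowed`, the `$allow_empty` switch and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example: exact host comparison instead of a substring search.
// referer_is_allowed() and its parameters are hypothetical names.

function referer_is_allowed(?string $referer, array $allowed_hosts, bool $allow_empty = true): bool
{
    // Browsers, proxies and privacy settings often strip the Referer header.
    if ($referer === null || $referer === '') {
        return $allow_empty;
    }

    // parse_url() returns false or null when no host can be extracted.
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    $host = rtrim(strtolower($host), '.');

    foreach ($allowed_hosts as $allowed) {
        $suffix = '.' . strtolower($allowed);
        // Exact match, or a real subdomain (the leading dot matters).
        if ($host === strtolower($allowed) || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample values, including the directory trick from the post above.
$samples = [
    'https://example.com/gallery.php',              // allow
    'https://www.example.com/page',                 // allow (subdomain)
    'http://fakedomain.com/example.com/image_name', // deny: domain only in the path
    'https://example.com.fakedomain.com/',          // deny: domain used as a prefix
    'https://notexample.com/',                      // deny: no dot boundary
    '',                                             // no Referer sent
];

foreach ($samples as $referer) {
    $ok = referer_is_allowed($referer, ['example.com']);
    printf("%-48s %s\n", $referer === '' ? '(no Referer sent)' : $referer, $ok ? 'allow' : 'deny');
}

// In the image script:
// referer_is_allowed($_SERVER['HTTP_REFERER'] ?? null, ['example.com'])
```

The Referer header is supplied by the client, so this only stops casual embedding; pass `false` for `$allow_empty` to also refuse requests that send no Referer, at the cost of blocking visitors whose browsers omit it.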

The_Hat




 
Msg#: 4304322 posted 8:01 pm on May 4, 2011 (gmt 0)

What about placing that php script inside of, for instance, the includes directory of the site and then drop an htaccess in that folder to disallow access to them from anywhere other than your domain?.. that's how I handle it.

rocknbil




 
Msg#: 4304322 posted 5:01 pm on May 5, 2011 (gmt 0)

A similar solution . . .

$img_src = '/path/to/the/image/';

if(is_file($img_src)){
echo 'it is on our server';
}else{
echo 'it is not on our server';
}

Eliminate environment variables entirely, just check that the file is on your system. This may have other uses anyway, for example, to output the width and height attributes of an image in the source code, you need to read the image with ImageMagick or GD, and before you do that you have to check that it exists.


if (is_file($path)) {
    // Read the dimensions only after confirming the file exists locally
    $image  = new Imagick($path);
    $width  = $image->getImageWidth();
    $height = $image->getImageHeight();
    // Escape the title before placing it in HTML attributes
    $title  = htmlspecialchars($row['title'], ENT_QUOTES);
    $img_str = "<a href=\"$enlarge\" title=\"$title\">
<img src=\"$img_url\" width=\"$width\" height=\"$height\" border=\"0\" alt=\"$title\"></a>";
} else {
    $img_str = "<img src=\"$alternate_image\" alt=\"Only images on our server allowed\">";
}

topr8




 
Msg#: 4304322 posted 5:24 pm on May 5, 2011 (gmt 0)

am i missing the point here, the OP has basically asked how to prevent hotlinking.

The_Hat gave a good answer.

however i'm unsure why $_SERVER['HTTP_REFERER'] in your script isn't giving the referring page - i'm sure you're testing the image being called from a different domain than your own in order to check this?

rocknbil




 
Msg#: 4304322 posted 10:03 pm on May 5, 2011 (gmt 0)

Sounded a little different than hotlinking . . .

I have a php file that renders images (based on a number of criteria). I want to put a check inside this file that makes sure that the image is only displayed if it is on my domain.


In other words, the reverse of a hot link. :-)
