If I fully understood the question, then yes, what you propose will likely fix the problem.

The best thing to do is to add the code, then remotely test every URL permutation that you can think of (both valid and non-valid ones) and record what happens.

My images are generated by php.

Because the filename extension is in the output string (as shown in my original post) and not at the end of the string (like a normal image file), htaccess doesn't consider it an image file, and thus allows people to hotlink it.

The best thing to do is to add the code, then remotely test every URL permutation that you can think of

I figured adding code would stop the problem, but I cannot figure out what type of code to use. :)

If people are hotlinking your images like this

http://www.example.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100

then you should have some hotlink protection in your product_thumb.php, like checking referer for image access.

Else if they are directly linking like this

http://www.example.com/images/image_name.jpg

then your rewrite rule should work fine.

Milan

If people are hotlinking your images like this

http://www.example.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100

then you should have some hotlink protection in your product_thumb.php, like checking referer for image access.

Yes, that's exactly my problem. Though I am not sure what type of coding to use that would not break the functionality of the thumbnail generation and use on my website.

Basically I would only like to allow my website (of course) and blank referrers to access the files as hotlinked. Is there an example script or tutorial I could read that would give me an idea of how to approach this?

I am not the best coder, as you can probably tell from the type of questions I ask at WebmasterWorld. :)

Just add another rule to prevent the script from being hotlinked with any img= parameter:

RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteRule \.(gif¦jpe?g¦bmp¦mp3)$ - [NC,F]
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{QUERY_STRING} &?img=[^&]+ [NC]
RewriteRule ^product_thumb\.php$ - [F]

I took the liberty of cleaning up the code and changing the redirect to a simple 403-Forbidden response; It's not a really great idea to "pass on" your hotlinkers to someone else...

Replace all broken pipe "¦" characters with solid pipe characters before use; Posting on this forum modifies the pipe characters. Flush your browser cache completely before testing any changes to your configuration code.

Jim

Thank you again. :)

I cleared my browser cache and tested the hotlinking. It seems to only work against https calls, is this bloating the code? (I've bolded my addition.)

RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER}!^http?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER}!^https?://(www\.)?example\.com [NC]
RewriteRule \.(gif¦jpeg¦jpg¦bmp¦mp3)$ - [NC,F]
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER}!^http?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER}!^https?://(www\.)?example\.com [NC]
RewriteCond %{QUERY_STRING} &?img=[^&]+ [NC]
RewriteRule ^product_thumb\.php$ - [F]

When I add those lines, my capability of stealing any images via http request is denied with a broken image. Would just like to know if I approached it correctly.