Hotlinking images but people are using PHP to do it.

   
4:38 am on Jul 29, 2007 (gmt 0)

5+ Year Member



I use a php script to generate thumbnails for my images.

So my thumbnail URLs look like:
http://www.somesite.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100

Currently, I use htaccess to disable hotlinking like this:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?somesite.com(/)?.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?somesite.com(/)?.*$ [NC]
RewriteRule .*\.(gif¦jpg¦jpeg¦bmp¦mp3)$ http://someotherwebsite/dontsteal.gif [R,NC]

could I simply add php to:
RewriteRule .*\.(gif¦jpg¦jpeg¦bmp¦mp3¦php)$

and have it work?
Presently, I use php, but all of my urls are rewritten via mod_rewrite to have a .html extension.

...OR is there something in the script (product_thumb.php) I can add to prevent hotlinking of the thumbnails?

5:20 pm on Jul 29, 2007 (gmt 0)

g1smd (WebmasterWorld Senior Member)



If I fully understood the question, then yes, what you propose will likely fix the problem.

The best thing to do is to add the code, then remotely test every URL permutation that you can think of (both valid and non-valid ones) and record what happens.

8:56 pm on Jul 29, 2007 (gmt 0)

5+ Year Member



My images are generated by php.

Because the filename extension is in the output string (as shown in my original post) and not at the end of the string (like a normal image file), htaccess doesn't consider it an image file, and thus allows people to hotlink it.

The best thing to do is to add the code, then remotely test every URL permutation that you can think of

I figured adding code would stop the problem, but I cannot figure out what type of code to use. :)

9:48 am on Jul 30, 2007 (gmt 0)

5+ Year Member



If people are hotlinking your images like this

http://www.example.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100

then you should have some hotlink protection in your product_thumb.php, like checking referer for image access.

Else if they are directly linking like this

http://www.example.com/images/image_name.jpg

then your rewrite rule should work fine.

Milan

8:38 pm on Aug 1, 2007 (gmt 0)

5+ Year Member



If people are hotlinking your images like this

http://www.example.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100

then you should have some hotlink protection in your product_thumb.php, like checking referer for image access.


Yes, that's exactly my problem. Though I am not sure what type of coding to use that would not break the functionality of the thumbnail generation and use on my website.

Basically I would only like to allow my website (of course) and blank referrers to access the files as hotlinked. Is there an example script or tutorial I could read that would give me an idea of how to approach this?

I am not the best coder, as you can probably tell from the type of questions I ask at WebmasterWorld. :)

10:49 pm on Aug 1, 2007 (gmt 0)

jdmorgan (WebmasterWorld Senior Member)



Just add another rule to prevent the script from being hotlinked with any img= parameter:

RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteRule \.(gif¦jpe?g¦bmp¦mp3)$ - [NC,F]
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{QUERY_STRING} &?img=[^&]+ [NC]
RewriteRule ^product_thumb\.php$ - [F]

I took the liberty of cleaning up the code and changing the redirect to a simple 403-Forbidden response; it's not a really great idea to "pass on" your hotlinkers to someone else...

Replace all broken pipe "¦" characters with solid pipe characters before use; posting on this forum modifies the pipe characters. Flush your browser cache completely before testing any changes to your configuration code.

Jim

4:30 pm on Aug 2, 2007 (gmt 0)

5+ Year Member



Thank you again. :)

I cleared my browser cache and tested the hotlinking. It seems to only work against https calls, is this bloating the code? (I've bolded my addition.)


RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteRule \.(gif¦jpeg¦jpg¦bmp¦mp3)$ - [NC,F]
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{QUERY_STRING} &?img=[^&]+ [NC]
RewriteRule ^product_thumb\.php$ - [F]

When I add those lines, my capability of stealing any images via http request is denied with a broken image. Would just like to know if I approached it correctly.
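
The rules from this thread, modelled in Python and run over constructed requests, as an added example (not code from any poster, and not Apache itself). It shows that the extra `^http?://` condition changes no verdict, and that the unterminated `example\.com` pattern also accepts a referrer host that merely begins with that name. `OWN_SITE_STRICT`, `is_forbidden` and `run` are assumptions of this example, not rules or names from the thread.

```python
import re

# Patterns copied from the rules in the thread, with the forum's broken
# pipe characters restored to "|". [NC] is modelled with re.IGNORECASE.
OWN_SITE = re.compile(r"^https?://(www\.)?example\.com", re.I)
MEDIA = re.compile(r"\.(gif|jpe?g|bmp|mp3)$", re.I)
THUMB = re.compile(r"^product_thumb\.php$")
IMG_ARG = re.compile(r"&?img=[^&]+", re.I)
# The extra condition from the last post: "p?" makes the p optional,
# so it matches htt:// or http:// but never https://.
HTTP_ONLY = re.compile(r"^http?://(www\.)?example\.com", re.I)
# Assumption (not in the thread): a stricter pattern that ends the host name.
OWN_SITE_STRICT = re.compile(r"^https?://(www\.)?example\.com(/|$)", re.I)


def is_forbidden(path, query, referer, own=OWN_SITE, extra=None):
    """Return True when the modelled rules would answer 403."""
    if not referer:                      # RewriteCond %{HTTP_REFERER} .
        return False
    if own.search(referer):              # RewriteCond ... !^https?://...
        return False
    if extra is not None and extra.search(referer):
        return False
    if MEDIA.search(path):               # first RewriteRule
        return True
    return bool(THUMB.search(path) and IMG_ARG.search(query))


# Constructed requests: (path, query string, Referer)
THUMB_QS = "img=images/image_name.jpg&w=99&h=100"
CASES = [
    ("product_thumb.php", THUMB_QS, ""),
    ("product_thumb.php", THUMB_QS, "http://www.example.com/page.html"),
    ("product_thumb.php", THUMB_QS, "https://example.com/"),
    ("product_thumb.php", THUMB_QS, "http://other.test/forum.html"),
    ("images/image_name.jpg", "", "http://other.test/forum.html"),
    ("product_thumb.php", THUMB_QS, "http://example.com.other.test/"),
]


def run(own=OWN_SITE, extra=None):
    """Verdict for every constructed case, in order."""
    return [is_forbidden(p, q, r, own, extra) for p, q, r in CASES]


if __name__ == "__main__":
    for (p, q, r), verdict in zip(CASES, run()):
        print("403" if verdict else "200", p, "Referer:", r or "(blank)")
```

The Referer header is supplied by the client, so these rules deter casual hotlinking rather than enforce access control.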

 
