
Hotlinking images but people are using PHP to do it.

     
4:38 am on Jul 29, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 2, 2005
posts:505
votes: 0


I use a php script to generate thumbnails for my images.

So my thumbnail URLs look like:
http://www.somesite.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100

Currently, I use htaccess to disable hotlinking like this:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?somesite.com(/)?.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?somesite.com(/)?.*$ [NC]
RewriteRule .*\.(gif¦jpg¦jpeg¦bmp¦mp3)$ http://someotherwebsite/dontsteal.gif [R,NC]

Could I simply add php to:
RewriteRule .*\.(gif¦jpg¦jpeg¦bmp¦mp3¦php)$

and have it work?
Presently, I use php, but all of my urls are rewritten via mod_rewrite to have a .html extension.

...OR is there something in the script (product_thumb.php) I can add to prevent hotlinking of the thumbnails?

5:20 pm on July 29, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


If I fully understood the question, then yes, what you propose will likely fix the problem.

The best thing to do is to add the code, then remotely test every URL permutation that you can think of (both valid and non-valid ones) and record what happens.

8:56 pm on July 29, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 2, 2005
posts:505
votes: 0


My images are generated by php.

Because the filename extension is in the output string (as shown in my original post) and not at the end of the string (like a normal image file), htaccess doesn't consider it an image file, and thus allows people to hotlink it.

The best thing to do is to add the code, then remotely test every URL permutation that you can think of

I figured adding code would stop the problem, but I cannot figure out what type of code to use. :)

9:48 am on July 30, 2007 (gmt 0)

Full Member

10+ Year Member

joined:Jan 4, 2006
posts:307
votes: 0


If people are hotlinking your images like this

http://www.example.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100

then you should have some hotlink protection in your product_thumb.php, like checking the referer for image access.

Else if they are directly linking like this

http://www.example.com/images/image_name.jpg

then your rewrite rule should work fine.

Milan
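
The referer check suggested above for product_thumb.php, written out as an added example; it is not code from the thread or from any poster. The host names and the helper name hotlink_allowed() are assumptions, and the block goes at the top of the script, before any image output.

```php
<?php
// Added example: referer gate for the top of product_thumb.php.
// Assumptions: the site's hosts are example.com / www.example.com, and
// hotlink_allowed() is a hypothetical helper name, not from the thread.
// The Referer header is client-supplied, so this deters casual
// hotlinking only; it is not an access control.

const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * Return true when the request may receive a thumbnail.
 * Policy from the thread: blank referers and the site's own pages pass.
 */
function hotlink_allowed(?string $referer): bool
{
    // Blank referer: direct requests, privacy proxies, stripped headers.
    if ($referer === null || $referer === '') {
        return true;
    }

    // Compare the parsed host exactly. A prefix match on the whole URL
    // would also accept hosts such as example.com.other.test.
    $scheme = parse_url($referer, PHP_URL_SCHEME);
    $host   = parse_url($referer, PHP_URL_HOST);
    if (!is_string($scheme) || !is_string($host)) {
        return false; // malformed referer: treat as foreign
    }

    return in_array(strtolower($scheme), ['http', 'https'], true)
        && in_array(strtolower($host), ALLOWED_HOSTS, true);
}

if (!hotlink_allowed($_SERVER['HTTP_REFERER'] ?? null)) {
    http_response_code(403);   // same outcome as the [F] flag in mod_rewrite
    header('Content-Type: text/plain');
    exit('Forbidden');
}

// ... existing thumbnail generation continues here, unchanged ...
```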

8:38 pm on Aug 1, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 2, 2005
posts:505
votes: 0


If people are hotlinking your images like this

http://www.example.com/product_thumb.php?img=images/image_name.jpg&w=99&h=100

then you should have some hotlink protection in your product_thumb.php, like checking the referer for image access.


Yes, that's exactly my problem. Though I am not sure what type of coding to use that would not break the functionality of the thumbnail generation and use on my website.

Basically I would only like to allow my website (of course) and blank referrers to access the files as hotlinked. Is there an example script or tutorial I could read that would give me an idea of how to approach this?

I am not the best coder, as you can probably tell from the type of questions I ask at WebmasterWorld. :)

10:49 pm on Aug 1, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Just add another rule to prevent the script from being hotlinked with any img= parameter:

RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteRule \.(gif¦jpe?g¦bmp¦mp3)$ - [NC,F]
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{QUERY_STRING} &?img=[^&]+ [NC]
RewriteRule ^product_thumb\.php$ - [F]

I took the liberty of cleaning up the code and changing the redirect to a simple 403-Forbidden response. It's not a really great idea to "pass on" your hotlinkers to someone else...

Replace all broken pipe "¦" characters with solid pipe characters before use. Posting on this forum modifies the pipe characters. Flush your browser cache completely before testing any changes to your configuration code.

Jim

4:30 pm on Aug 2, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 2, 2005
posts:505
votes: 0


Thank you again. :)

I cleared my browser cache and tested the hotlinking. It seems to only work against https calls. Is this bloating the code? (I've bolded my addition.)


RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteRule \.(gif¦jpeg¦jpg¦bmp¦mp3)$ - [NC,F]
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{QUERY_STRING} &?img=[^&]+ [NC]
RewriteRule ^product_thumb\.php$ - [F]

When I add those lines, my capability of stealing any images via http request is denied with a broken image. Would just like to know if I approached it correctly.