Welcome to WebmasterWorld, Joe_frog!

If you were able to get the images via browsing, then it wouldn't be secure.
The only way you'll be able to get them is if you use a script to read the image files and serve them to the browser.
Have a look at the Image Functions [php.net]

One part that isn't terribly clear is that in the html for the page on which you want to display the image, you do something like this:

<img src="imagescript.php?image=flower.jpg">

Then you write imagescript.php to get the file name from $_GET['image'] and use the appropriate image functions to read the file and send it to the browser. It's also important that imagescript send the right header for an image, and of course it wouldn't send any html whatsoever. For security purposes, you should examine the image name that's sent to the script to make sure it doesn't have any surprises, for example, I would suggest you keep the images in one directory and then disallow slashes. If you make them all the same type you can also disallow periods & extensions, adding those in via the script.

Hi Cameraman

Thanks for the welcome :) very kind.

Followed your advice - managed to get the images displayed, pulling them from the root folder. To save hassle on all the get/?add-ons I just put all the info in sessions before the php call and used them when inside. I'm just very wary about using any $_GETs.

Again big thanks - you saved me major pain and many hours of practising my swear words.

Later

:)

Awesome!
Yeah, more and more I've been favoring session for that sort of stuff, too. For images I've also put the image names I'm "allowing" in an array and then pass the array index on the query string - on the script side I do intval() and range check it.