Forum Moderators: coopster & jatar k

PHP file that renders image - Need domain check

Need a check to see if the image is being served from my domain.

     
6:38 pm on Apr 26, 2011 (gmt 0)

New User

5+ Year Member

joined:Aug 14, 2010
posts: 8
votes: 0


Hello all!

Thanks for taking the time to read my question.

Ok, so here it is:

I have a php file that renders images (based on a number of criteria). I want to put a check inside this file that makes sure that the image is only displayed if it is on my domain. (I don't want people to embed the images created on my server on any other site)

If this image is displayed on another domain (ie: using an <img> tag) then the check in the script will be tripped and the resulting image can simply have 'image not available' or whatever I decide will be best.

I've tried a few things like $_SERVER['SERVER_NAME'], $_SERVER['HTTP_REFERER'] but none seem to return the domain of the serving site, just returns my domain.

Any ideas?

Thanks a bundle!
6:50 pm on Apr 26, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 15, 2003
posts:2606
votes: 0


You can check if your domain appears in the string of the file location.

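$img_src = '/path/to/the/image/';
$req_domain = 'example.com';

// strpos() returns 0 for a match at the start of the string, so compare against false
if (strpos($img_src, $req_domain) !== false) {
    echo 'domain in source';
} else {
    echo 'domain NOT in source';
}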

The problem with this is if they made a dir with your domain as the name and put the images in there this would pass, but it would be incorrect.

For example, if they did this it would fool your script.

$img_src = 'fakedomain.com/example.com/image_name';

However I wouldn't worry about that too much, they would need to see your code to know that this would fool it.

You can also do things like check the position of the domain to see if it is at the start of the string not in the middle.

The code I provided should get you started. I am guessing a well built regex would do the trick as well, but my regex is weak.
8:01 pm on May 4, 2011 (gmt 0)

Full Member

10+ Year Member

joined:Mar 8, 2003
posts:234
votes: 0


What about placing that php script inside of, for instance, the includes directory of the site and then dropping an htaccess in that folder to disallow access to them from anywhere other than your domain?.. that's how I handle it.
5:01 pm on May 5, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


A similar solution . . .

$img_src = '/path/to/the/image/';

if (is_file($img_src)) {
    echo 'it is on our server';
} else {
    echo 'it is not on our server';
}

Eliminate environment variables entirely, just check that the file is on your system. This may have other uses anyway, for example, to output the width and height attributes of an image in the source code, you need to read the image with ImageMagick or GD, and before you do that you have to check that it exists.


if (is_file($path)) {
    $image = new Imagick($path);
    $width = $image->getImageWidth();
    $height = $image->getImageHeight();
    $img_str = "<a href=\"$enlarge\" title=\"" . $row['title'] . "\">
<img src=\"$img_url\" width=\"$width\" height=\"$height\" border=\"0\" alt=\"" . $row['title'] . "\"></a>";
} else {
    $img_str = "<img src=\"$alternate_image\" alt=\"Only images on our server allowed\">";
}
5:24 pm on May 5, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2002
posts:3171
votes: 8


am i missing the point here, the OP has basically asked how to prevent hotlinking.

The_Hat gave a good answer.

however i'm unsure why $_SERVER['HTTP_REFERER'] in your script isn't giving the referring page - i'm sure you're testing the image being called from a different domain than your own in order to check this?
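
Added example, not part of any post in this thread: a Referer check for the image script that compares the whole host name instead of searching for the domain as a substring, so the 'fakedomain.com/example.com/image_name' case mentioned earlier does not pass. The ALLOWED_HOSTS list, the function names and the sample Referer values are assumptions made for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example: exact-host Referer check for an image-rendering script.
// ALLOWED_HOSTS and both function names are hypothetical, chosen for illustration.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * Classify a Referer header value.
 * Returns 'same-site', 'foreign', or 'absent' (missing or unparseable).
 */
function classify_referer(?string $referer, array $allowedHosts): string
{
    if ($referer === null || $referer === '') {
        return 'absent';
    }
    // parse_url() returns null when there is no host and false on a malformed URL.
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return 'absent';
    }
    // Compare the whole host name, case-insensitively, never a substring.
    $host = rtrim(strtolower($host), '.');
    return in_array($host, $allowedHosts, true) ? 'same-site' : 'foreign';
}

/** Decide whether to render the real image or the 'image not available' one. */
function should_serve_image(?string $referer, array $allowedHosts, bool $allowAbsent = true): bool
{
    $verdict = classify_referer($referer, $allowedHosts);
    if ($verdict === 'absent') {
        // Direct requests and privacy tools send no Referer; this is a policy choice.
        return $allowAbsent;
    }
    return $verdict === 'same-site';
}

// Constructed sample Referer values, not taken from real traffic.
$samples = [
    'https://www.example.com/gallery.php',
    'http://fakedomain.com/example.com/image_name',
    'http://example.com.fakedomain.com/page',
    'http://EXAMPLE.com/',
    null,
];
foreach ($samples as $referer) {
    $label = $referer ?? '(no Referer header)';
    $action = should_serve_image($referer, ALLOWED_HOSTS) ? 'serve' : 'placeholder';
    printf("%-48s %s\n", $label, $action);
}

// In the image script: should_serve_image($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_HOSTS)
```

The Referer header is supplied by the client and can be omitted or set to any value, so this check discourages casual embedding on other sites and is not an access control.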
10:03 pm on May 5, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


Sounded a little different than hotlinking . . .

I have a php file that renders images (based on a number of criteria). I want to put a check inside this file that makes sure that the image is only displayed if it is on my domain.


In other words, the reverse of a hot link. :-)