PHP file that renders image - Need domain check - PHP Server Side Scripting forum at WebmasterWorld

Forum Moderators: coopster

Message Too Old, No Replies

PHP file that renders image - Need domain check

Need a check to see if the image is being serverd from my domain.

HappyJupiter

6:38 pm on Apr 26, 2011 (gmt 0)

Hello all!

Thanks for taking the time to read my question.

Ok, so here it is:

I have a php file that renders images (based on a number of criteria). I want to put a check inside this file that makes sure that the image is only displayed if it is on my my domain. (I don't want people to embed the images created on my server on any other site)

If this image is displayed on another domain (ie: using an <img> tag) then the check in the script will be tripped and the resulting image can simply have 'image not available' or whatever I decide will be best.

I've tried a few things like $_SERVER['SERVER_NAME'], $_SERVER['HTTP_REFERER'] but none seem to return the domain of the serving site, just returns my domain.

Any ideas?

Thanks a bundle!

Demaestro

6:50 pm on Apr 26, 2011 (gmt 0)

You can check if your domain appears in the string of the file location.

$img_src = '/path/to/the/image/';
$req_domain = 'example.com';

if(strpos($img_src, $req_domain){
echo 'domain in source';
}else{
echo 'domain NOT in source';
}

The problem with this is if the made a dir with your domain as the name and put the images in there this would pass, but it would be incorrect.

For example, if they did this it would fool your script.

img_src = 'fakedomain.com/example.com/image_name

However I wouldn't worry about that too much, they would need to see your code to know that this would fool it.

You can also do things like check the position of the domain to see if it is at the start of the string not in the middle.

The code I provided should get you started. I am guessing a well built regex would do the trick as well, but my regex is weak.

The_Hat

8:01 pm on May 4, 2011 (gmt 0)

What about placing that php script inside of, for instance, the includes directory of the site and then drop an htaccess in that folder to disallows access to them from any where other than your domain?.. that's how I handle it.

rocknbil

5:01 pm on May 5, 2011 (gmt 0)

A similar solution . . .

$img_src = '/path/to/the/image/';

if(is_file($img_src)){
echo 'it is on our server';
}else{
echo 'it is not on our server';
}

Eliminate environment variables entirely, just check that the file is on your system. This may have other uses anyway, for example, to output the width and height attributes of an image in the source code, you need to read the image with ImageMagick or GD, and before you do that you have to check that it exists.


if (is_file($path)) { 
 $image = new Imagick($path); 
 $width = $image->getImageWidth(); 
 $height = $image->getImageHeight(); 
 $img_str = "<a href=\"$enlarge\" title=\"" . $row['title'] . "\"> 
 <img src=\"$img_url\" width=\"$width\" height=\"$height\" border=\"0\" alt=\"" . $row['title'] . "\"></a>"; 
} 
else { $img_str = "<img src=\"$alternate_image\" alt=\"Only images on our server allowed\">"; }

topr8

5:24 pm on May 5, 2011 (gmt 0)

am i missing the point here, the OP has basically asked how to prevent hotlinking.

The_Hat gave a good answer.

however i'm unsure why $_SERVER['HTTP_REFERER'] in your script isn't giving the refering page - i'm sure you're testing the image being called from a different domain than your own in order to check this?

rocknbil

10:03 pm on May 5, 2011 (gmt 0)

Sounded a little different than hotlinking . . .

I have a php file that renders images (based on a number of criteria). I want to put a check inside this file that makes sure that the image is only displayed if it is on my my domain.

In other words, the reverse of a hot link. :-)