
PHP file that renders image - Need domain check

Need a check to see if the image is being served from my domain.

   
6:38 pm on Apr 26, 2011 (gmt 0)



Hello all!

Thanks for taking the time to read my question.

Ok, so here it is:

I have a php file that renders images (based on a number of criteria). I want to put a check inside this file that makes sure that the image is only displayed if it is on my domain. (I don't want people to embed the images created on my server on any other site)

If this image is displayed on another domain (ie: using an <img> tag) then the check in the script will be tripped and the resulting image can simply have 'image not available' or whatever I decide will be best.

I've tried a few things like $_SERVER['SERVER_NAME'], $_SERVER['HTTP_REFERER'] but none seem to return the domain of the serving site, just returns my domain.

Any ideas?

Thanks a bundle!
6:50 pm on Apr 26, 2011 (gmt 0)

demaestro



You can check if your domain appears in the string of the file location.

$img_src = '/path/to/the/image/';
$req_domain = 'example.com';

// strpos() returns the match offset, which can be 0 (falsy), so compare with false
if (strpos($img_src, $req_domain) !== false) {
    echo 'domain in source';
} else {
    echo 'domain NOT in source';
}

The problem with this is if they made a dir with your domain as the name and put the images in there this would pass, but it would be incorrect.

For example, if they did this it would fool your script.

$img_src = 'fakedomain.com/example.com/image_name';

However I wouldn't worry about that too much, they would need to see your code to know that this would fool it.

You can also do things like check the position of the domain to see if it is at the start of the string not in the middle.

The code I provided should get you started. I am guessing a well built regex would do the trick as well, but my regex is weak.
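The position/regex idea above is easiest to get right by comparing the host of the referring URL rather than searching the whole string. The following is an added example (not demaestro's code and not from the original thread); it assumes the site's domain is example.com, uses hypothetical function names, and needs PHP 7.1 or later. It runs the substring check from the post and a host-based check side by side over a few constructed referer strings so the difference is visible:

```php
<?php
// Added example (not from the thread): decide whether an image request is
// allowed by comparing the *host* of the HTTP Referer against a list of
// permitted domains, instead of searching for the domain anywhere in the
// string.  Function names are hypothetical; example.com is the assumed site.

declare(strict_types=1);

/** Lower-cased host of a referer URL, or null when the URL has no host. */
function referer_host(string $referer): ?string
{
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    return strtolower($host);
}

/** True when $host equals $domain or is a subdomain of it. */
function host_matches(string $host, string $domain): bool
{
    $domain = strtolower($domain);
    if ($host === $domain) {
        return true;
    }
    $suffix = '.' . $domain;             // img.example.com passes, example.com.evil.net does not
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Host-based check.  $allow_empty decides what to do when no Referer is sent
 * (direct loads, privacy settings and some proxies strip it).
 */
function referer_allowed(string $referer, array $allowed, bool $allow_empty = false): bool
{
    if ($referer === '') {
        return $allow_empty;
    }
    $host = referer_host($referer);
    if ($host === null) {
        return false;
    }
    foreach ($allowed as $domain) {
        if (host_matches($host, $domain)) {
            return true;
        }
    }
    return false;
}

/** The substring check from the post above, kept for comparison. */
function referer_allowed_substring(string $referer, string $domain): bool
{
    return strpos($referer, $domain) !== false;
}

// Constructed sample referers (not real traffic).
$samples = [
    'http://example.com/gallery.php',               // own site
    'https://img.example.com/page',                 // own subdomain
    'http://fakedomain.com/example.com/page.html',  // domain appears only in the path
    'http://example.com.evil.net/',                 // domain is a prefix of another host
    'http://other.org/?u=http://example.com/',      // domain appears in the query string
    '',                                             // no Referer sent at all
];

foreach ($samples as $ref) {
    printf("%-48s substring=%-4s host=%s\n",
        $ref === '' ? '(empty referer)' : $ref,
        referer_allowed_substring($ref, 'example.com') ? 'pass' : 'FAIL',
        referer_allowed($ref, ['example.com']) ? 'pass' : 'FAIL');
}
```

In the rendering script the input would be `$_SERVER['HTTP_REFERER'] ?? ''`. The substring check passes all five non-empty samples, including the three that come from other sites; the host check passes only the first two. Either way the Referer header is supplied by the client, so this stops casual hotlinking from other pages but not a scraper that sets the header itself.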
8:01 pm on May 4, 2011 (gmt 0)




What about placing that php script inside of, for instance, the includes directory of the site and then dropping an htaccess in that folder to disallow access to them from anywhere other than your domain? That's how I handle it.
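An added example of such an htaccess file (not The_Hat's actual rules); it assumes Apache with mod_rewrite enabled and AllowOverride FileInfo for the directory, and that the site's domain is example.com:

```apache
# Added example (not from the thread): drop into the directory that holds the
# image-rendering script.  Requests whose Referer is another site get a 403.
# Requests with no Referer are allowed, because many browsers and proxies
# strip the header; remove the first RewriteCond to block those too.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*example\.com(:[0-9]+)?(/|$) [NC]
RewriteRule \.(php|png|jpe?g|gif)$ - [F,L]
```

The host pattern is anchored at the start of the URL and requires the domain to be followed by a port, a slash or the end of the string, so a referer such as http://fakedomain.com/example.com/page or http://example.com.evil.net/ does not match. To return a placeholder picture instead of a 403, replace `- [F,L]` with the path to that picture and add a RewriteCond excluding the placeholder itself from the rule, otherwise it loops.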
5:01 pm on May 5, 2011 (gmt 0)

rocknbil



A similar solution . . .

$img_src = '/path/to/the/image/';

if(is_file($img_src)){
echo 'it is on our server';
}else{
echo 'it is not on our server';
}

Eliminate environment variables entirely, just check that the file is on your system. This may have other uses anyway, for example, to output the width and height attributes of an image in the source code, you need to read the image with ImageMagick or GD, and before you do that you have to check that it exists.


// $path, $enlarge, $img_url, $alternate_image and $row are set earlier in the
// script (not shown here)
if (is_file($path)) {
    $image = new Imagick($path);
    $width = $image->getImageWidth();
    $height = $image->getImageHeight();
    $title = htmlspecialchars($row['title']);   // escape before echoing into HTML attributes
    $img_str = "<a href=\"$enlarge\" title=\"$title\">"
             . "<img src=\"$img_url\" width=\"$width\" height=\"$height\" border=\"0\" alt=\"$title\"></a>";
} else {
    $img_str = "<img src=\"$alternate_image\" alt=\"Only images on our server allowed\">";
}
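is_file() is true for any readable file on the server, so if the path is built from request parameters (the "number of criteria" in the original question) the check should also confirm that the file sits inside the image directory. The following is an added example, not rocknbil's code; the directory and file names are hypothetical and it needs PHP 7.1 or later. It creates a throw-away image directory, then shows which candidate paths are accepted:

```php
<?php
// Added example (not from the thread): tighten the is_file() check so that a
// path built from request parameters must resolve to a regular file *inside*
// the site's image directory.  Names are hypothetical.

declare(strict_types=1);

/**
 * Canonical path of $candidate if it is a regular file under $base_dir,
 * otherwise null.  realpath() resolves "..", "." and symlinks, so the
 * prefix comparison afterwards is on the real location, not the request string.
 */
function local_image_path(string $candidate, string $base_dir): ?string
{
    $base = realpath($base_dir);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return null;                              // missing, unreadable, or not a plain file
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;                              // exists, but outside the image directory
    }
    return $real;
}

// Constructed fixture: a temporary image directory holding one file.
$images = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'img_' . bin2hex(random_bytes(4));
mkdir($images);
file_put_contents($images . '/photo.png', 'not really a png');

$candidates = [
    $images . '/photo.png',                                // the image itself
    $images . '/../' . basename($images) . '/photo.png',   // same file reached via ".."
    $images . '/missing.png',                              // does not exist
    $images . '/../../etc/passwd',                         // may exist on the server, but outside the directory
    $images,                                               // a directory, not a file
];

foreach ($candidates as $c) {
    $ok = local_image_path($c, $images);
    printf("%-70s %s\n", $c, $ok === null ? 'rejected' : 'ok -> ' . $ok);
}

unlink($images . '/photo.png');
rmdir($images);
```

Only the first two candidates are accepted, and both resolve to the same canonical path. The trailing separator appended to the base directory matters: without it, a sibling directory such as images_old would pass the prefix test.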
5:24 pm on May 5, 2011 (gmt 0)

topr8



Am I missing the point here? The OP has basically asked how to prevent hotlinking.

The_Hat gave a good answer.

However, I'm unsure why $_SERVER['HTTP_REFERER'] in your script isn't giving the referring page - I'm sure you're testing the image being called from a different domain than your own in order to check this?
10:03 pm on May 5, 2011 (gmt 0)

rocknbil



Sounded a little different than hotlinking . . .

I have a php file that renders images (based on a number of criteria). I want to put a check inside this file that makes sure that the image is only displayed if it is on my domain.


In other words, the reverse of a hot link. :-)