Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6897
  • Last Modified:

How to hide an Image Source?

I need to hide the Image source address, to prevent it to show where it's stored.

There is no need to protect the image at all, but the source of the image is relevant, so I need to find a way how to display the image with out placing the real address on the source.

thanks

Renato Coto

0
RenatoCoto
Asked:
RenatoCoto
  • 8
  • 5
  • 4
  • +3
1 Solution
 
VGRCommented:
almost impossible

It will ALWAYS be deductible by looking properly at the HTML code

You may have a "first level" protection (hiding, rather) by using the status bar (TITLE, label, etc)

I would suggest to put a fake index.html page in the directory of the images, so that indelicate users are redirected to your real index page somewhere. Use Header("Location: ...");
0
 
PHPaulCommented:
You could make a page like this: images.php.
And refer to this page in the image tag (src):

<img src="images.php?imagename=mypicture.gif">

If you make the images.php file output as an image and load the image named $imagename, no one could see where your images are placed. You will need to put all the images in one folder (to make it more simple, it's not nessecary).

So if someone looks at the properties of an image, he/she will only see the src as images.php?imagename=mypicture.gif. They cannot find out where the image is actually located :-)
I would also use the index.html solution as VGR said. But I would use a index.php with a "page not found 404" header. This way people will think the folder doesn't excist.

Hope this helps,

--Paul
0
 
us111Commented:
something like that
<img src="images.php?f=pictures.gif">

<?
  $PATH = "/somewhere";
  if (strstr($f, ".gif"))
  { $d = fopen("PATH/$f","r");
    if (!$d)
    {     // If file cannot be read or not available ...
       header("Location: index.html");
    }
    else
    {    
       header('Content-Type: image/gif');
       header("Content-Length: ".filesize("$PATH/$f"));
       header('Content-Disposition: inline; filename=$f);
       
       $data="";
       while (!feof($d)) $data.=fread($d,12400);
       fclose($d);
       print $data;
    }
}
else
   header("Location: index.html");
?>

be careful :
- $PATH must be specified in this file
- check the file type
otherwise you can do something like :
<img src="images.php?f=/etc/password">

The better is to have an array which contains all of your pictures and then check into the array:

$PICTURE["img1.gif"] = true;
$PICTURE["img2.gif"] = true;
$PICTURE["img3.gif"] = true;

if ($PICTURE["$f"] == true)
   allow the display of the picture.
else
   looks like a hacker
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
PHPaulCommented:
That is indeed what I meant :-D

--paul
0
 
KarveRCommented:
I would suggest validation of REQUEST_URI as well, not a local request, don't serve it.
 
0
 
RenatoCotoAuthor Commented:
Hello to all,

and thanks for your comments.

I'm trying your suggestions, but I don't seem to be able to make <img src="images.php?f=pictures.gif"> instruction to display the image.

Here's the complete example code I'm using to test, all in the same http root directory.

test.htm page:
[it shows the same picture to test, the first normal call does shows it, but not the suggested call]


<html>
<body>

<img src="images/is.gif">
<br><br><br><br>
<img src="images.php?f=is.gif">
               
</body>
</html>

images.php page:
[just modified the $PATH to the images directory]

<?php
 $PATH = "/images";
 if (strstr($f, ".gif"))
 { $d = fopen("PATH/$f","r");
   if (!$d)
   {     // If file cannot be read or not available ...
      header("Location: index.htm");
   }
   else
   {    
      header('Content-Type: image/gif');
      header("Content-Length: ".filesize("$PATH/$f"));
      header('Content-Disposition: inline; filename=$f);
     
      $data="";
      while (!feof($d)) $data.=fread($d,12400);
      fclose($d);
      print $data;
   }
}
else
  header("Location: index.htm");
?>



I really thanks all your further help.

Renato Coto

0
 
PHPaulCommented:
This works for me:

images.php:
<?php
//images.php
$path = "images";

$fd = fopen ("$path/$imagename", "rb", 1);
$data = fread($fd, filesize("$path/$imagename"));
fclose ($fd);
print $data;
?>

index.html:
<html>
<body>
<img src="images/image.gif">
<br><br>
<img src="images.php?imagename=image.gif">
</body>
</html>

Hope this helps

--Paul
0
 
us111Commented:
my code was just an idea.
the same code without errors....

<?php
$PATH = ".";
if (strstr($f, ".gif"))
{ $d = fopen("$PATH/$f","r");
  if (!$d)
  {     // If file cannot be read or not available ...
     header("Location: index.htm");
  }
  else
  {    
     header ("Content-type: application/octet-stream");
     header("Content-Disposition: inline; filename=$PATH/$f");          
   
     readfile("$PATH/$f");
  }
}
else
 header("Location: index.htm");
?>
0
 
RenatoCotoAuthor Commented:
Ok, I tested both ways and I was able to make it to work with the following code.

--- Please, if you can add the KarveR suggest validation using REQUEST_URI to only serve local requests, or requests from an specific page ---

test.htm page:

<html>
<body>
<img src="images.php?imagename=one.gif">
<br><br>
<img src="images.php?imagename=two.gif">
<br><br>
<img src="images.php?imagename=three.gif">
</body>
</html>


images.php page:

<?php
  $path = "images";
 
  $PICTURE["one.gif"] = true;
  $PICTURE["two.gif"] = true;
  $PICTURE["three.gif"] = true;
 
  if ($PICTURE["$imagename"] == true){
 
    $fd = fopen ("$path/$imagename", "rb", 1);
    $data = fread($fd, filesize("$path/$imagename"));
    fclose ($fd);
    print $data;
  }
?>

RenatoCoto
0
 
PHPaulCommented:
I see that you have used my way...

Why do you want the request uri check??, it's allready _pretty_ safe as it is!
If you don't want anybody to be able to look in your images folder just insert a page index.php in that folder, with the following code in it:

<?php
  header("HTTP/1.0 404 Not Found");
?>

This will return a 'Page Not Found 404 error'. This way people will _NOT_ be able to see your images in any way, or ever find out the folder they are in.

The tips we gave will ensure that nobody will find out where your images are located!

Btw. Just curious, why do you want all this protection, anyone can just right-click on your images (in the lay-out of your pages) to save them to their hard-disk ;-)

I hope this is finally satisfying :-)

--Paul
0
 
RenatoCotoAuthor Commented:
The thing is Paul,
I run this online network that share some automatically generated images, each time there is a browser request.
And since they are the same for several sites, I don't want to reveal the real and only source of generation.

Otherwise, I'd have to implement the image creator engine on each site.

Now the, I need also the local only URI check to also protect the images being requested through the images.php from another location. You see, you can still link to this page and generate the images.

Thanks a lot for the code you provided, it's very useful and I'd like to finish this question by adding the URI check if you know how.

Cheers.

RenatoCoto
0
 
RenatoCotoAuthor Commented:
The thing is Paul,
I run this online network that share some automatically generated images, each time there is a browser request.
And since they are the same for several sites, I don't want to reveal the real and only source of generation.

Otherwise, I'd have to implement the image creator engine on each site.

Now the, I need also the local only URI check to also protect the images being requested through the images.php from another location. You see, you can still link to this page and generate the images.

Thanks a lot for the code you provided, it's very useful and I'd like to finish this question by adding the URI check if you know how.

Cheers.

RenatoCoto
0
 
RenatoCotoAuthor Commented:
Something I just found.

This code is working only with locally stored images.
In my case, if I need to read an image that is on a different server, accross the network, where the path is an internet path such as:  http://mydomain/images   then this script will fail.

Is there a way to do it?

thanks

RenatoCoto

PS. Sorry for the previous doble comment, I don't know what happend.
0
 
PHPaulCommented:
Nope, at least not like we showed you.
You can't read a file from another server, if this were possible, you could read the contents of a .php file :-) (the actual code)

And we don't want that, do we ;-)

--Paul
0
 
us111Commented:
use my last code posted and change the path by a URL
0
 
hagermanCommented:
The best way to do this is probably using an Apache .htaccess file. There is an article available at:

http://apache-server.com/tutorials/ATimage-theft.html
0
 
RenatoCotoAuthor Commented:
Yes us111,
you got the remote image path solved with your answer.

Thanks a lot for the code you provided, and I'd like to finish this question by adding the requesting URI check to verify it's an specific or local page calling the script and I'm sure you know how.

RenatoCoto
0
 
RenatoCotoAuthor Commented:
Yes us111,
you got the remote image path solved with your answer.

Thanks a lot for the code you provided, and I'd like to finish this question by adding the requesting URI check to verify it's an specific or local page calling the script and I'm sure you know how.

RenatoCoto
0
 
us111Commented:
$thisfile = $_SERVER["PHP_SELF"];

if (basename($_SERVER["REQUEST_URI"] == $thisfile)
{
ok
}

you can also test :
- $_SERVER["SERVER_NAME"]
- $_SERVER["HTTP_REFERER"]

<?phpinfo()?> if you want to see all server's variables.
0
 
RenatoCotoAuthor Commented:
here's the final code we all in this question were able to solve.
This example will help other to better undestand the issue.

Cheers
RenatoCoto

page.htm code:

<html>
<body>
<img src="images.php?imagename=one">
<br><br>
<img src="images.php?imagename=two">
</body>
</html>

images.php code:

<?php
  if ($_SERVER["HTTP_REFERER"] == "http://www.domain.com/page.htm"){
 
  $PATH = "http://www.domain.com/images";
 
  switch(@$imagename){
     case "one":
       $imagename = "imagetest1.png";
       break;
     case "two":
       $imagename = "imagetest2.png";
       break;
  }
 
  if (strstr($imagename, ".png")){
    $d = fopen("$PATH/$imagename","r");
      if (!$d){     // If file cannot be read or not available ...
        header("Location: index.htm");
      }
      else{    
        header ("Content-type: application/octet-stream");
        header("Content-Disposition: inline; filename=$PATH/$imagename");          
       
        readfile("$PATH/$imagename");
      }
  }
  else
    header("Location: index.htm");

  }
?>
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 8
  • 5
  • 4
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now