Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Restricting access to files

Posted on 2003-02-23
Medium Priority
Last Modified: 2008-03-17
How can I get the name of the page that requested a image or script file? I want to provide files only to certain pages. For example, in my page 'http://server/path/page1001.php' I have the code:

<script language="JavaScript" src="http://server/path/scripts.php?id=2"></script>

<img src="http://server/path/images.php?id=4">

I want that only the page with the url 'http://server/path/page1001.php' to display my files ('scripts.php?id=2' and 'images.php?id=4').
How can I do that? Is there a way? It has to be one!
Question by:ingerul

Accepted Solution

UnifiedMedia earned 136 total points
ID: 8006050
I'm assuming you're worried about people stealing your images and scripts.  One way to ensure that the people were coming from the spage you specify is to use Session variables set in the page.

For example, in page http://server/path/page1001.php, place the following code:


$_SESSION["script"] = 2;
$_SESSION["image"] = 4;


Then, in http://server/path/scripts.php put:


$id = $_SESSION["script"];


And in http://server/path/images.php to stop someone from being able to link/go directly to http://server/path/images.php?id=2 and seeing the picture, use the following code:  


$id = $_SESSION["image"];


To further protect the picture in images.php, you can use the "readfile" command to send the image itself - rather than returning a path which could be seen - back to browser.


if ($id == 1) {
} elseif ($id == 2) {
} else {



Expert Comment

ID: 8007196
not posible...
atleast in ths manner....

Assisted Solution

spere earned 132 total points
ID: 8007583
There are two methods that I can think of, one if which is the session method mentioned by UnifiedMedia,
The other is ..

if ($_SERVER["HTTP_REFERER"] != "http://server/path/page1001.php") {
   header("http-status: 404"); // or however that goes
  // print ERROR_404 here

.. of course its not hard to fake those headers .. but they have to know what they're looking for first. thus the 404 to confuse them. But you can use whatever header you want..


Assisted Solution

techtonik earned 132 total points
ID: 11925272
Some browsers do not set HTTP_REFERER due to security reasons, so this method is not reliable. In the case with session - it should prevent external linking, but for somebody, who'd like to steal images - that would not be a big problem.

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question