Restricting access to files

Posted on 2003-02-23
Medium Priority
Last Modified: 2008-03-17
How can I get the name of the page that requested a image or script file? I want to provide files only to certain pages. For example, in my page 'http://server/path/page1001.php' I have the code:

<script language="JavaScript" src="http://server/path/scripts.php?id=2"></script>

<img src="http://server/path/images.php?id=4">

I want that only the page with the url 'http://server/path/page1001.php' to display my files ('scripts.php?id=2' and 'images.php?id=4').
How can I do that? Is there a way? It has to be one!
Question by:ingerul
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

UnifiedMedia earned 136 total points
ID: 8006050
I'm assuming you're worried about people stealing your images and scripts.  One way to ensure that the people were coming from the spage you specify is to use Session variables set in the page.

For example, in page http://server/path/page1001.php, place the following code:


$_SESSION["script"] = 2;
$_SESSION["image"] = 4;


Then, in http://server/path/scripts.php put:


$id = $_SESSION["script"];


And in http://server/path/images.php to stop someone from being able to link/go directly to http://server/path/images.php?id=2 and seeing the picture, use the following code:  


$id = $_SESSION["image"];


To further protect the picture in images.php, you can use the "readfile" command to send the image itself - rather than returning a path which could be seen - back to browser.


if ($id == 1) {
} elseif ($id == 2) {
} else {



Expert Comment

ID: 8007196
not posible...
atleast in ths manner....

Assisted Solution

spere earned 132 total points
ID: 8007583
There are two methods that I can think of, one if which is the session method mentioned by UnifiedMedia,
The other is ..

if ($_SERVER["HTTP_REFERER"] != "http://server/path/page1001.php") {
   header("http-status: 404"); // or however that goes
  // print ERROR_404 here

.. of course its not hard to fake those headers .. but they have to know what they're looking for first. thus the 404 to confuse them. But you can use whatever header you want..


Assisted Solution

techtonik earned 132 total points
ID: 11925272
Some browsers do not set HTTP_REFERER due to security reasons, so this method is not reliable. In the case with session - it should prevent external linking, but for somebody, who'd like to steal images - that would not be a big problem.

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These days socially coordinated efforts have turned into a critical requirement for enterprises.
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question