• Status: Solved
  • Priority: Medium
  • Security: Public

This is really tricky!!! Give me your lights!

We have developed a web site http://www.kefalonia-photos.com/

People can buy, sell photos.

I have put lots of effort and lots of script to prevent the image toolbar, disable right click etc etc.

My only problem is that if someone right-clicks on a photo (http://www.kefalonia-photos.com/default.asp)
from properties he gets the image page (e.g. http://www.kefalonia-photos.com/images/RIVER_small.jpg)

so if he plays a little bit, at the end he will have this http://www.kefalonia-photos.com/images/RIVER.jpg

If you paste that http://www.kefalonia-photos.com/images/RIVER.jpg into IE it gives you the whole picture!!!!!!

so much effort for nothing!

Does anyone have any ideas how I can prevent that?

maybe with file permissions for folder images ???

pls tell me your opinion! Any different ideas will be more than welcome ...

If possible , i don't want this question to be listed on a public area
thanks in advance

3 Solutions
First of all, this is a public forum.

Secondly, you said you disabled right-clicking so how can users get the path by right-clicking?  

Thirdly, the only website I've seen that kept me from being able to get an image did a combination of things.  First of all, disable right-clicking.  Second, put the site in a frameset (with the top frame being just a pixel in height so it doesn't really take up space and appears invisible) so if they try to save the whole site, it just saves the top frame and not the one with the images.  This also keeps them from viewing the source of the page.
msolomos (Author) commented:
oh thanks !

maybe i said it right ...

if they save the page .... they get the thumbs ...
playing a little bit ... trying some addresses will get to /images
retyping my question

Can I prevent direct access to the folder /images and its contents?


If you want to secure your images don't rely on the browser to do it for you.  Most browsers can disable javascript altogether and some browsers (like Mozilla Firefox) can disable javascript which disables/changes the context menu.  Any html/javascript craftiness will only prevent uninformed people from stealing your images.

The solution to this problem is to use server side scripting to do the following:
- check a user's session variables to make sure they are authenticated
- lookup the image they are trying to view and see if they've purchased it.
- if they have then display the image.
- if they haven't, then watermark the image so that people can see what it looks like but can't actually use it (like with "www.kefalonia-photos.com" written across the image diagonally in big red semi-transparent letters) and display the watermarked image.

You'll need to do the following:
- move your images to a place that is not accessible to the internet so people can't reverse engineer the location and access it with a browser
- create a server side script in your favorite language (asp?) that returns the images after determining if the user has purchased the image and watermarked it if appropriate.
- change your <img> tags to point to the new script like this: <img src="image.asp?imageid=XXXXX">

Doing just a bit of googling I found this activex component which allows you to add text to images using asp:

Using that component, the image.asp I mentioned above would look something like this:
<!-- #include file="authenticat.asp" --> <!-- I'm not gonna try and figure out how you authenticate -->
<script language=vbscript runat=server>
  Function GetImage()
    Dim img, path

    ' the GetImageFile function should return the path and filename
    ' of the image specified by imageid
    path = GetImageFile(Request.Querystring("imageid"))

    Set img = Server.CreateObject("GflAx.GflAx")
    img.LoadBitmap path

    ' anyone who is not logged in, or has not bought this image, gets the watermarked version
    If Not (IsAuthenticated AND UserOwns(Request.Querystring("imageid"))) Then
      ' watermark image

      img.FontName = "arial"
      img.FontSize = 13
      img.TextOut "www.kefalonia-photos.com", 5, 5, RGB(255, 0, 0)
    End If

    img.SaveFormat = 3 ' JPEG

    ' send the image bytes directly; the file itself is never exposed by URL
    Response.ContentType = "image/jpeg"
    Response.BinaryWrite img.SendBinary
    Set img = Nothing
  End Function
</script>
<% GetImage %>

Of course there is a lot of work that you'll have to do, such as authenticating users and verifying that they've purchased the image.  Also, you may want to look into other asp objects... I'm sure there is one out there that lets you have rotated text so it displays over the entire image...

Good luck!

Disabling right-clicking does not stop anyone from accessing the source or anything on a page. You can achieve the same from the tool menu item of your browser.

The problem is that you store the images with the syntax small_<name of the image>.

- You could store the images in a private folder and access them with a script after payment on your secure site.
- You could send the image by email after payment and not store the images at all on your web site.
- You could use a database and provide a url to get the picture after payment.
- You could generate an error 404 if someone accesses the url as http://www.kefalonia-photos.com/images/RIVER.jpg and redirect the url to your payment page.....

 enough for today


To keep your images safe from people trying to access them from the browser, you can store all your images outside the webroot directory. Once your images are outside the root directory people will not be able to access or download them, as http://www.kefalonia-photos.com/ will only point to the root and nothing above it. In order to access them, you will need to run some server-side script, ASP or PHP.

I've got an example code here for PHP, if you are using it.

create a file called "download.php" with the following code in it.

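<?php
      $dir = "../images/"; // the directory is outside the web root folder, not accessible through web browsers
      // basename() drops any directory part, so the "file" parameter cannot point outside $dir
      $file = $dir . basename(isset($_GET['file']) ? $_GET['file'] : '');
      if (is_file($file)) {
         header("Content-type: application/force-download");
         header("Content-Transfer-Encoding: Binary");
         header("Content-length: ".filesize($file));
         header("Content-disposition: attachment; filename=".basename($file));
         readfile($file); // stream the file contents to the client
      } else {
         echo "image does not exist";
      }
?>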

on your download image link, you should have a path like this: http://www.kefalonia-photos.com/download.php?file=image_1.jpg
msolomos (Author) commented:
Guys, I think you got it all wrong.
All the above answers are things that I have already done! (user authentication, server side scripting, database driven, watermark, disable right click)

I am repeating my question again .
If someone from this link http://www.kefalonia-photos.com/type.asp?iType=78
save as web page

it saves all the photos to computer .

looking at photos he will get something    photo_small.jpg

so if he plays a little bit with the URL of the site etc etc he will go to www.kefalonia-photos.com/images/photo.jpg (directly) and get the whole photo intact!

My question is : Is there any way you can prevent the access to http://www.kefalonia-photos.com/images/file.jpg   DIRECTLY ???

if this is done , then i am 100% accurate that no one can take the photos. But i need to prevent this

As I said in my previous post, if you keep your image files outside your webroot (that is outside http://www.kefalonia-photos.com), the user will not be able to access it. Therefore it's protected from downloading the image by entering the direct URL. There is no way to access the image file, if you keep it outside the root directory using a web browser, you can access it with other apps, like FTP, but with browser, i doubt it.

The thing is that you need to use some server-side language. If you are not using a server-side language like PHP, then please ignore this post, thanks :)
This product works with IIS to prevent direct linking to images.  $29.95.  http://www.dashtech.com/products/imgblock/

This ASP code will automatically redirect to another image if the request doesn't come from your website.  http://www.aspfaq.com/show.asp?id=2276

Some other miscellaneous ways of protecting your images.  Notice this site points out that there is no way to 100% protect your images but you can do things to make it more difficult.  http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=41
I'm not sure you understand the suggestion that's been given to you by three different people: myself, perezjos, and minichicken.  That suggestion is that you store the images on the webserver in a place where they aren't accessible to the web.  For example: if you are using ASP on IIS your web root is probably somewhere like c:\Inetpub\wwwroot.  Your default.asp file would be in that directory... it would effectively be the root of your web site.  Now, if you place your photos OUTSIDE that directory... like in c:\Inetpub\ProtectedImages, they wouldn't be available to the internet, but your server side scripts could still access them.  By creating a server side script that knows when a user is logged in and if he has purchased an image you can control when your users see those images if at all.

I realize that your question is simply "Is there any way you can prevent the access to http://www.kefalonia-photos.com/images/file.jpg   DIRECTLY", and while you can disable the read permissions of that folder in IIS I have to wonder what good it would do you.  If you really just wanted to prevent access to those files and you have no need for them to ever be displayed on your site then why have them on there at all.

You cannot prevent people from viewing your images without controlling who sees them using a server side script if you ever want to display them online.  I surmise that you do need to display them on your site at some point, and to that end my first comment describes one way you can do that while controlling who sees the image and even providing a way to give a watermarked preview of the image to those who aren't supposed to see the image.  minichicken's comment provides a similar PHP example and his is better if you want to provide an image download link, although I believe that the rest of your site is in ASP so my example may be easier to understand.
Hello, still looking ?ok

iADODB.Recordset error '800a0bcd'

Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.

/inc_type.asp, line 192

This is from your web site. So you or your provider, freedom 2 design, are using IIS and a database. But YOUR IMAGES ARE STORED IN A DIRECTORY called images and it is part of your web structure. It looks like you are storing only a pointer to the image in the db. Have you designed that web? If yes you should understand what we are trying to explain, or you get paid every time we click on one of your links (;-)). Just kidding, right?
Please please , move the files OUTSIDE your web structure and let your script load and send it in binary mode to the client.
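
Added example (not part of the original thread, and not code from any of the posters): a classic ASP page that loads an original from a folder outside the web root and sends it in binary mode, as the comments above recommend. It assumes originals are stored as <numeric id>.jpg in c:\Inetpub\ProtectedImages (the example folder named earlier); ResolveImagePath and SendOriginal are hypothetical names, and UserOwns is a placeholder for the shop's own purchase lookup.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Assumption: originals live outside wwwroot as <numeric id>.jpg
Const PROTECTED_DIR = "c:\Inetpub\ProtectedImages"

Function UserOwns(imageId)
  ' Hypothetical placeholder: replace with the real purchase check.
  ' Denies by default so a missing check never exposes an original.
  UserOwns = False
End Function

Function ResolveImagePath(rawId)
  ' Returns the full path for a valid id, or "" if the id is malformed or unknown.
  Dim re, fso, candidate
  ResolveImagePath = ""
  Set re = New RegExp
  re.Pattern = "^[0-9]{1,9}$"   ' digits only: no dots, slashes or drive letters
  If Not re.Test(rawId) Then Exit Function
  Set fso = Server.CreateObject("Scripting.FileSystemObject")
  candidate = fso.BuildPath(PROTECTED_DIR, rawId & ".jpg")
  If fso.FileExists(candidate) Then ResolveImagePath = candidate
End Function

Sub SendOriginal()
  Dim id, path, stream
  id = Request.QueryString("imageid") & ""
  path = ResolveImagePath(id)
  ' Same 404 for "no such image" and "not purchased", so the
  ' response does not confirm which ids exist.
  If path = "" Or Not UserOwns(id) Then
    Response.Status = "404 Not Found"
    Response.End
  End If
  Set stream = Server.CreateObject("ADODB.Stream")
  stream.Type = 1               ' adTypeBinary
  stream.Open
  stream.LoadFromFile path
  Response.ContentType = "image/jpeg"
  Response.BinaryWrite stream.Read
  stream.Close
End Sub

SendOriginal
%>
```

Because the query string only ever supplies a number, the guessable RIVER_small.jpg to RIVER.jpg naming pattern described in the question no longer leads anywhere.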

Question has a verified solution.
