Solved

Protect valuable images

Posted on 2007-04-09
Last Modified: 2008-06-08
Hi,

I am working on a website where I need the images to be stored in a secured/password-protected folder so that visitors cannot view/save an image by right-clicking or by directly entering the path of the image in the URL. The images should only be accessible through the application's search page. This website is built in PHP. I hope I am able to explain my problem. Eagerly waiting for the reply.

Harsh
Question by:navtarainc
7 Comments
 
LVL 15

Accepted Solution

by:
Tomeeboy earned 125 total points
ID: 18876148
This shouldn't be too much of a problem.  You could use .htaccess, but I think a better solution would be to store these image files in a folder OUTSIDE of the home directory for your website.  This way, they cannot be accessed by Apache (so somebody cannot simply type the URL in and bring them up in a web browser), and can only be accessed by a PHP script that loads the images.

If you only want the images viewed through the application's search page, then that's the only place where you need to insert code that will display the images.  However, once an image is displayed to a user in a web browser, there's really no stopping them from copying it.  The best method there (if these are images that need protecting even after they are viewed with the search page) would be to put a watermark on them that cannot be easily removed.
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 18876319
A quick example of displaying the image in PHP via your script.  For this example, let's say that you've stored your images in  /usr/home/navtarainc/ (a directory not accessible via the web).  Now, let's pull up test_image.jpg from that folder, using PHP:

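<?php

// Directory outside the web root, so Apache cannot serve it directly
$image_path = "/usr/home/navtarainc/";
$image_name = "test_image.jpg";

// Tell the browser what it is receiving, then stream the file
header("Content-type: image/jpeg");
readfile($image_path . $image_name);

?>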

If you're working with multiple types of images, you'll need to set the headers accordingly.  You can do something like this to determine the file type:

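<?php

// $image_name is the file name set in the previous example;
// its last three characters are taken as the extension
$ext = substr($image_name, -3);

switch ($ext) {
case "jpg":
     header("Content-type: image/jpeg");
     break;
case "gif":
     header("Content-type: image/gif");
     break;
}

?>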

You can add more extensions to the switch statement if you need to (make sure to order the statement by whichever image types are going to be most common, so that it's as efficient as possible).  Hope that helps!
0
 
LVL 50

Assisted Solution

by:Steve Bink
Steve Bink earned 125 total points
ID: 18878218
SSL will most certainly do the trick for protecting the files.  Tomeeboy's strategy provides an additional layer of protection normally used for sensitive information, like db connection info.  If you go with an external dir, you may need to pay attention to your PHP's open_basedir and safe_mode settings.  Check here for more information:

http://www.php.net/manual/en/features.safe-mode.php

Even so, once you display the picture, the user will still be able to right-click and save.  You can override that with some JavaScript, but that still depends on the user enabling it.  Microsoft did something similar with the Office Online clipart library.  Maybe you can get some ideas there:

http://office.microsoft.com/en-us/clipart/default.aspx
0
 
LVL 15

Assisted Solution

by:samri
samri earned 125 total points
ID: 18880902
Hi navtarainc / all,

I would agree with the above comments.  However, once the image is displayed in the user's browser session, the image practically exists somewhere on the user's machine (memory or cache), and it would be possible for the user/client to copy that image.

The JavaScript would disable the right-click button, but it would still be possible to do "File | Save as".

There is a classic "image-theft" protection - http://httpd.apache.org/docs/1.3/misc/FAQ.html#image-theft

that would display the image if it was linked by your own website.  However, it would still be possible to "hack" the REFERER header (in the HTTP request).

good luck.

cheers.
0
 
LVL 27

Assisted Solution

by:Nopius
Nopius earned 125 total points
ID: 18886373
navtarainc, hi.

1) Regarding "so as visitors cannot view/save the image by right click": this feature is usually done with JavaScript: http://javascript.internet.com/page-details/disable-images-click.html
You are not completely protected, since the image is already in the browser's cache and a smart user can still 'save' such an image. Here I agree with Tomeeboy: you may place a watermark with your website address on your images to provide some kind of protection.

2) Regarding 'or directly entering the path of image in URL. The images should be only accessible through the applications search page.': that's a completely different case, which can be handled on the server side.
What I suggest is an 'image wrapper' - a PHP script that shows images. The scenario is the following: when a 'search' is submitted, your 'search.php' provides a session cookie to the browser and stores this cookie in some database, call it the 'session db'. Your image wrapper, which should show an image, looks like '<img src=wrapper.php?id=lala>' in the HTML code. It should also check the browser's cookie against your 'session db'; if they match, it shows the image (it may map id=lala to some filename outside of the www docroot and write it directly to stdout). After that, it (wrapper.php) resets this cookie and deletes it from the 'session db' (so that the user cannot see more files with the same search).
I guess you grasp the idea.
0
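The image-wrapper scenario described above, combined with the readfile() approach from the accepted solution, as an added example that is not part of any poster's reply. It assumes PHP's built-in session store stands in for the separate 'session db'; the catalog, the ids and the session key are constructed for illustration, and the directory is the sample path used earlier in the thread.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread). IMAGE_DIR reuses the thread's sample path;
// the catalog, ids and session key are constructed for illustration.
const IMAGE_DIR = '/usr/home/navtarainc';

// search.php calls this for the ids it is about to render as <img src="wrapper.php?id=...">.
function grant_images(array $ids): void
{
    $_SESSION['allowed_images'] = array_fill_keys($ids, true);
}

// wrapper.php: map a granted id to a real file, or null if the request must be refused.
function resolve_image(string $id, array $catalog): ?string
{
    $granted = isset($_SESSION['allowed_images'][$id]);
    unset($_SESSION['allowed_images'][$id]);          // one view per grant
    if (!$granted || !isset($catalog[$id])) {
        return null;
    }
    // The file name comes from the server-side catalog, never from the request.
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $catalog[$id]);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

function send_image(string $path): bool
{
    $info = @getimagesize($path);                     // type from content, not extension
    $mime = is_array($info) ? $info['mime'] : '';
    if (!in_array($mime, ['image/jpeg', 'image/gif', 'image/png'], true)) {
        return false;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    return readfile($path) !== false;
}

session_start();
$catalog = ['lala' => 'test_image.jpg'];              // constructed id => file map
$id = $_GET['id'] ?? '';
$path = is_string($id) ? resolve_image($id, $catalog) : null;
if ($path === null || !send_image($path)) {
    http_response_code(403);
}
```

Because the request only ever supplies an id that is looked up in a server-side map, a value such as `../../etc/passwd` never reaches the file system call, and a direct hit on wrapper.php without a prior search gets a 403.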
