Protect valuable images

Posted on 2007-04-09
Last Modified: 2008-06-08

I am working on a website where I need the images to be stored in a secured/password protected folder so as visitors cannot view/save the image by right click or directly entering the path of image in URL. The images should be only accessible through the applications search page. This website is built in php. I hope I am able to explain my problem. Eagerly waiting for the reply.

Question by:navtarainc
LVL 15

Accepted Solution

Tomeeboy earned 125 total points
ID: 18876148
This shouldn't be too much of a problem.  You could use .htaccess, but I think a better solution would be to store these image files in a folder OUTSIDE of the home directory for your website.  This way, they cannot be accessed by Apache (so somebody cannot simply type the URL in and bring them up in a web browser), and can only be accessed by a PHP script that loads the images.

If you only want the images viewed through the applications search page, then that's the only place where you need to insert code that will display the images.  However, once an image is displayed to a user in a web browser, there's really no stopping them from copying it.  The best method there (if these are images that need protecting even after they are viewed with the search page) would be to put a watermark on them that cannot be easily removed.
LVL 15

Expert Comment

ID: 18876319
A quick example of displaying the image in PHP via your script.  For this example, let's say that you've stored your images in  /usr/home/navtarainc/ (a directory not accessible via the web).  Now, let's pull up test_image.jpg from that folder, using PHP:


$image_path = "/usr/home/navtarainc/";
$image_name = "test_image.jpg";

header("Content-type: image/jpeg");


If you're working with multiple types of images, you'll need to set the headers accordingly.  You can do something like this to determine the file type:


$ext = substr($image_name, -3);

switch ($ext) {
case "jpg":
     header("Content-type: image/jpeg");
case "gif":
     header("Content-type: image/jpeg");


You can add more extension to the switch statement if you need to (make sure to order the statement by whichever image types are going to be most common, so that it's as efficient as possible).  Hope that helps!
LVL 50

Assisted Solution

by:Steve Bink
Steve Bink earned 125 total points
ID: 18878218
SSL will most certainly do the trick for protecting the files.  Tomeeboy's strategy provides an additional layer of protection normally used for sensitive information, like db connection info.  If you go with an external dir, you may need to pay attention to your PHP's open_basedir and safe_mode settings.  Check here for more information:

Even so, once you display the picture, the user will still be able to right-click and save.  You can override that with some javascript, but that still depends on the user enabling it.  Microsoft did something similar with the Office Online clipart library.  Maybe you can get some ideas there:
LVL 15

Assisted Solution

samri earned 125 total points
ID: 18880902
hi navtarainc / all,

I would agree with above comments.  However, once the the image is displayed on user browser session, the image is practically exist somewhere on user machine (memory, or cache), and it would be possible for the user/client to copy that image.  

The javascript would disble the right-click button, but it would still be possible to do "File | Save as".

There is a classic "image-theft" protection - 

that would display the image, it it was linked by your own website.  Howeve, it would still be possible to "hack" the REFERER header (in HTTP request).

good luck.

LVL 27

Assisted Solution

Nopius earned 125 total points
ID: 18886373
navtarainc, hi.

1) What about "so as visitors cannot view/save the image by right click", this feature is usually done with a javascript:
You are not completely protected, since image is already in browser's cache (as and smart user still can 'save' such image. Here I agree with Tomboy, you may place a watermark with your website address on your images to provide some kind of protection.

2) What about 'or directly entering the path of image in URL. The images should be only accessible through the applications search page.', that's completely another case, that can be done  on a server side.
What I suggest is an 'image wrapper' - a PHP script that shows images. Scenario is the following: when submitting a 'search' your 'search.php' provides a session cookie to browser and stores this cookie in some database, call it 'session db'. Your image wrapper that should show an image, in html code looks like  '<img src=wrapper.php?id=lala>'. It should also check browser's cookie in your 'session db' if they match - it shows an image (it may map id=lala to some filename outside of www docroot, and it write it directly to stdout), after it (wrapper.php) resets this cookie and deletes it from 'session db' (so that user cannot see more files with the same search).
I guess you grasp an idea.

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
This article discusses how to create an extensible mechanism for linked drop downs.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question