Protect valuable images

Posted on 2007-04-09
Last Modified: 2008-06-08

I am working on a website where I need the images to be stored in a secured/password protected folder so as visitors cannot view/save the image by right click or directly entering the path of image in URL. The images should be only accessible through the applications search page. This website is built in php. I hope I am able to explain my problem. Eagerly waiting for the reply.

Question by:navtarainc
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 15

Accepted Solution

Tomeeboy earned 125 total points
ID: 18876148
This shouldn't be too much of a problem.  You could use .htaccess, but I think a better solution would be to store these image files in a folder OUTSIDE of the home directory for your website.  This way, they cannot be accessed by Apache (so somebody cannot simply type the URL in and bring them up in a web browser), and can only be accessed by a PHP script that loads the images.

If you only want the images viewed through the applications search page, then that's the only place where you need to insert code that will display the images.  However, once an image is displayed to a user in a web browser, there's really no stopping them from copying it.  The best method there (if these are images that need protecting even after they are viewed with the search page) would be to put a watermark on them that cannot be easily removed.
LVL 15

Expert Comment

ID: 18876319
A quick example of displaying the image in PHP via your script.  For this example, let's say that you've stored your images in  /usr/home/navtarainc/ (a directory not accessible via the web).  Now, let's pull up test_image.jpg from that folder, using PHP:


$image_path = "/usr/home/navtarainc/";
$image_name = "test_image.jpg";

header("Content-type: image/jpeg");


If you're working with multiple types of images, you'll need to set the headers accordingly.  You can do something like this to determine the file type:


$ext = substr($image_name, -3);

switch ($ext) {
case "jpg":
     header("Content-type: image/jpeg");
case "gif":
     header("Content-type: image/jpeg");


You can add more extension to the switch statement if you need to (make sure to order the statement by whichever image types are going to be most common, so that it's as efficient as possible).  Hope that helps!
LVL 51

Assisted Solution

by:Steve Bink
Steve Bink earned 125 total points
ID: 18878218
SSL will most certainly do the trick for protecting the files.  Tomeeboy's strategy provides an additional layer of protection normally used for sensitive information, like db connection info.  If you go with an external dir, you may need to pay attention to your PHP's open_basedir and safe_mode settings.  Check here for more information:

Even so, once you display the picture, the user will still be able to right-click and save.  You can override that with some javascript, but that still depends on the user enabling it.  Microsoft did something similar with the Office Online clipart library.  Maybe you can get some ideas there:
LVL 15

Assisted Solution

samri earned 125 total points
ID: 18880902
hi navtarainc / all,

I would agree with above comments.  However, once the the image is displayed on user browser session, the image is practically exist somewhere on user machine (memory, or cache), and it would be possible for the user/client to copy that image.  

The javascript would disble the right-click button, but it would still be possible to do "File | Save as".

There is a classic "image-theft" protection - 

that would display the image, it it was linked by your own website.  Howeve, it would still be possible to "hack" the REFERER header (in HTTP request).

good luck.

LVL 27

Assisted Solution

Nopius earned 125 total points
ID: 18886373
navtarainc, hi.

1) What about "so as visitors cannot view/save the image by right click", this feature is usually done with a javascript:
You are not completely protected, since image is already in browser's cache (as and smart user still can 'save' such image. Here I agree with Tomboy, you may place a watermark with your website address on your images to provide some kind of protection.

2) What about 'or directly entering the path of image in URL. The images should be only accessible through the applications search page.', that's completely another case, that can be done  on a server side.
What I suggest is an 'image wrapper' - a PHP script that shows images. Scenario is the following: when submitting a 'search' your 'search.php' provides a session cookie to browser and stores this cookie in some database, call it 'session db'. Your image wrapper that should show an image, in html code looks like  '<img src=wrapper.php?id=lala>'. It should also check browser's cookie in your 'session db' if they match - it shows an image (it may map id=lala to some filename outside of www docroot, and it write it directly to stdout), after it (wrapper.php) resets this cookie and deletes it from 'session db' (so that user cannot see more files with the same search).
I guess you grasp an idea.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These days socially coordinated efforts have turned into a critical requirement for enterprises.
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question