Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Protect valuable images

Posted on 2007-04-09
Medium Priority
Last Modified: 2008-06-08

I am working on a website where I need the images to be stored in a secured/password protected folder so as visitors cannot view/save the image by right click or directly entering the path of image in URL. The images should be only accessible through the applications search page. This website is built in php. I hope I am able to explain my problem. Eagerly waiting for the reply.

Question by:navtarainc
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 15

Accepted Solution

Tomeeboy earned 500 total points
ID: 18876148
This shouldn't be too much of a problem.  You could use .htaccess, but I think a better solution would be to store these image files in a folder OUTSIDE of the home directory for your website.  This way, they cannot be accessed by Apache (so somebody cannot simply type the URL in and bring them up in a web browser), and can only be accessed by a PHP script that loads the images.

If you only want the images viewed through the applications search page, then that's the only place where you need to insert code that will display the images.  However, once an image is displayed to a user in a web browser, there's really no stopping them from copying it.  The best method there (if these are images that need protecting even after they are viewed with the search page) would be to put a watermark on them that cannot be easily removed.
LVL 15

Expert Comment

ID: 18876319
A quick example of displaying the image in PHP via your script.  For this example, let's say that you've stored your images in  /usr/home/navtarainc/ (a directory not accessible via the web).  Now, let's pull up test_image.jpg from that folder, using PHP:


$image_path = "/usr/home/navtarainc/";
$image_name = "test_image.jpg";

header("Content-type: image/jpeg");


If you're working with multiple types of images, you'll need to set the headers accordingly.  You can do something like this to determine the file type:


$ext = substr($image_name, -3);

switch ($ext) {
case "jpg":
     header("Content-type: image/jpeg");
case "gif":
     header("Content-type: image/jpeg");


You can add more extension to the switch statement if you need to (make sure to order the statement by whichever image types are going to be most common, so that it's as efficient as possible).  Hope that helps!
LVL 51

Assisted Solution

by:Steve Bink
Steve Bink earned 500 total points
ID: 18878218
SSL will most certainly do the trick for protecting the files.  Tomeeboy's strategy provides an additional layer of protection normally used for sensitive information, like db connection info.  If you go with an external dir, you may need to pay attention to your PHP's open_basedir and safe_mode settings.  Check here for more information:

Even so, once you display the picture, the user will still be able to right-click and save.  You can override that with some javascript, but that still depends on the user enabling it.  Microsoft did something similar with the Office Online clipart library.  Maybe you can get some ideas there:
LVL 15

Assisted Solution

samri earned 500 total points
ID: 18880902
hi navtarainc / all,

I would agree with above comments.  However, once the the image is displayed on user browser session, the image is practically exist somewhere on user machine (memory, or cache), and it would be possible for the user/client to copy that image.  

The javascript would disble the right-click button, but it would still be possible to do "File | Save as".

There is a classic "image-theft" protection - 

that would display the image, it it was linked by your own website.  Howeve, it would still be possible to "hack" the REFERER header (in HTTP request).

good luck.

LVL 27

Assisted Solution

Nopius earned 500 total points
ID: 18886373
navtarainc, hi.

1) What about "so as visitors cannot view/save the image by right click", this feature is usually done with a javascript:
You are not completely protected, since image is already in browser's cache (as and smart user still can 'save' such image. Here I agree with Tomboy, you may place a watermark with your website address on your images to provide some kind of protection.

2) What about 'or directly entering the path of image in URL. The images should be only accessible through the applications search page.', that's completely another case, that can be done  on a server side.
What I suggest is an 'image wrapper' - a PHP script that shows images. Scenario is the following: when submitting a 'search' your 'search.php' provides a session cookie to browser and stores this cookie in some database, call it 'session db'. Your image wrapper that should show an image, in html code looks like  '<img src=wrapper.php?id=lala>'. It should also check browser's cookie in your 'session db' if they match - it shows an image (it may map id=lala to some filename outside of www docroot, and it write it directly to stdout), after it (wrapper.php) resets this cookie and deletes it from 'session db' (so that user cannot see more files with the same search).
I guess you grasp an idea.

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to dynamically set the form action using jQuery.
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question