Solved

.htaccess to rewrite to new file name, but don't allow DIRECT access to file

Posted on 2007-07-22
Last Modified: 2013-12-25
I have this as my htaccess

RewriteEngine on
RewriteRule ^view.php$ myView.jpg

So when I link from my own server like..
<img src="view.php">

It shows the image.. but if someone goes to the address bar and types http://myserver.com/view.php
I don't want them to see the image. I only want them to see it if it was called from within one of my files, not directly.

Can anyone help??
Question by:MattKenefick
 
LVL 35

Expert Comment

by:Terry Woods
ID: 19544007
What's the reason for preventing access using the direct URL?
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544013
Because I don't want people to know the file location.

I have the rewrite on so that people think BOB.JPG is the link, but it actually goes to .. X.jpg you know?

But if they went to BOB.JPG directly, it would show X.JPG anyway.. I don't want that. I only want it to show the real one if it's coming from inside my server instead of directly.
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 19544041
I suppose one option would be to set a timestamp in a cookie from pages containing the code:
<img src="view.php">
and check that the cookie is very recent from within view.php (otherwise don't display the image).

This might fail however if the page was too slow to load. Also, if someone has cookies turned off, the image won't be viewable.
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544109
No.
I'm looking for Apache rewrite style stuff.

I'm experimenting with .htaccess and .htpasswd right now.
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 19544120
Ok - I don't think I can help then. Hopefully someone else will be able to... good luck!
0
 
LVL 10

Expert Comment

by:ray-solomon
ID: 19544157
Here is a way this could be achieved.

Create a php file called view.php with this code in it:
<?php
$picture = 'someimage.gif';
header('Content-Type: image/gif');
readfile($picture);
?>

Then, open your htaccess file and insert this code into it:
<Files someimage.gif>
order allow,deny
deny from all
</Files>


Then use an image tag in some html page:
<img src="view.php">



Now, the image will show in the html page, but you will not be able to access the someimage.gif directly.
Hope that helps.
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544170
RewriteEngine on
RewriteRule ^view.php$ myView.jpg

So when I link from my own server like..
<img src="view.php">

----------------------------------

The thing actually does this:

view.php loads myView.php.. myView.php then loads the JPG data and calls itself a JPG so it basically is a jpg.

I can't restrict access to myView.php otherwise it won't work.
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544177
Your method worked otherwise.. If there was a better way that'd be good ('cause I want to pull the data from a database, not a file).
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544179
And I also still want this to work.

I don't want them to directly be able to access the PHP file that is src="x.php"
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544189
This is actually becoming very urgent =[ Sorry to rush you.
0
 
LVL 13

Expert Comment

by:MasonWolf
ID: 19544607
Here - this is a piece of cake:

<?php
if($_SERVER['REMOTE_ADDR'] == $_SERVER['SERVER_ADDR'])
{
     $picture = 'someimage.gif';
     header('Content-Type: image/gif');
     readfile($picture);
}
?>

ray-solomon gave you most of the answer, but I'd be happy to get credit for the assist.

:)
0
 
LVL 13

Expert Comment

by:MasonWolf
ID: 19544662
By the way, you'll need to create another file, like "view1.php"

<?php
echo file_get_contents("http://www.domain.com/folder/view.php");
?>

Someone linking to "view1.php" directly will see only a bunch of gobbledygook that they cannot save. But using it as your image source it'll look just fine.
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544776
It's obviously not a piece of cake because that doesn't work and I can't quite see why it WOULD work.

If a variable is equal to itself??? No. It doesn't work.
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544781
Never mind that last comment. I didn't read it through. Plus I've been drinking whiskey.
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544793
Still doesn't work though. I don't know why you'd compare those two variables.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 19545299
> I only want it to show the real one if its coming from inside my server instead of directly.
what exactly does this mean?
 1) do you mean that only files on your own server but not a browser may use this file
 2) or do you mean that only browsers on your server are allowed to see the file
 3) or do you mean that only browsers may use the file if it is referenced within a page from your site

for 1) simply don't publish the file
for 2) don't publish on the public server or use an IP-based access restriction
for 3) you have to ensure that every link to your file contains a unique ID, then you can deliver the file using a wrapper as already suggested

> I dont want them to directly be able to access the PHP file that is src="x.php"
same as above: don't publish the file
0
 
LVL 13

Expert Comment

by:MasonWolf
ID: 19546919
Hm,

Ok, I'm a little confused. I tested it before I submitted my answer, so I don't know why it didn't work for you. What I saw was the image I wanted when I placed it in an html document with "<img src='view1.php'>", but when I right-clicked to "View Image" I saw a whole lot of junk and unprintable characters that my browser couldn't understand. I tried to save the image in the format I knew to be correct, and my picture viewing program was unable to make sense of the encoding. That was in FF.

In IE, I just tested and discovered that when I right-clicked to "Save Picture As..." it told me it couldn't understand the encoding. But when I navigated directly to view1.php I was able to save it.

So you're right, my solution didn't work. I had only tested in FF so I thought it did. I'm sorry. I'm going to keep playing with this.
0
 
LVL 13

Accepted Solution

by:
MasonWolf earned 2000 total points
ID: 19547195
Here's another idea. Since all you want is to make sure they can't see the source of the image, this ought to be sufficient.

call the image as: <img src="view.php?t=<?=time();?>">

then, in view.php:
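<?php
// Read the timestamp from the link; treat a missing or non-numeric value as 0.
$t = isset($_GET['t']) ? (int) $_GET['t'] : 0;
// Serve the image only if the timestamp is within one second of the server clock.
if ($t >= time() - 1 && $t < time() + 1)
{
     $picture = 'someimage.jpg';
     header('Content-Type: image/jpeg'); // the registered MIME type is image/jpeg
     readfile($picture);
}
?>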

What this will do is ensure that only a link from a server using your exact same server time will work - and that the link it creates won't continue working for more than 1 second. So basically, the valid link is constantly changing, and only your server (we assume, at least) is going to be able to keep up with it.

If you're extremely paranoid about someone researching your server's clock and working out an emulator for it, you might want to take the extra step of using cryptography. But if you're willing to settle for "almost certainly enough to stop 99.9% of outside linking" then this should suffice.
0
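
The "extra step of using cryptography" mentioned in the accepted answer could look like the following. This is an added example, not code from the thread: the page that emits the image tag signs the image id and an expiry time with a server-side key, and view.php refuses any request whose signature does not verify. `SECRET_KEY`, `LINK_TTL`, `make_image_url()`, `verify_image_request()` and the `id`/`e`/`s` parameter names are assumptions.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
// Keep the real key outside the web root (for example in a config file).
const SECRET_KEY = 'replace-with-32-random-bytes';   // constructed placeholder
const LINK_TTL   = 30;                               // seconds a link stays valid

// Called by the page that prints the <img> tag.
function make_image_url(string $imageId, ?int $now = null): string
{
    $expires = ($now ?? time()) + LINK_TTL;
    $sig = hash_hmac('sha256', $imageId . '|' . $expires, SECRET_KEY);
    return 'view.php?' . http_build_query(['id' => $imageId, 'e' => $expires, 's' => $sig]);
}

// Called at the top of view.php with $_GET.
function verify_image_request(array $query, ?int $now = null): bool
{
    $id  = $query['id'] ?? '';
    $exp = $query['e'] ?? '';
    $sig = $query['s'] ?? '';
    if (!is_string($id) || !is_string($exp) || !is_string($sig) || !ctype_digit($exp)) {
        return false;                      // missing or malformed parameters
    }
    if ((int) $exp < ($now ?? time())) {
        return false;                      // link has expired
    }
    $expected = hash_hmac('sha256', $id . '|' . $exp, SECRET_KEY);
    return hash_equals($expected, $sig);   // constant-time comparison
}

// view.php: map public ids to files (constructed sample), so no path comes from the URL.
$images = ['photo1' => 'someimage.jpg'];
if (PHP_SAPI !== 'cli') {
    if (!verify_image_request($_GET) || !isset($images[$_GET['id']])) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: image/jpeg');
    readfile($images[$_GET['id']]);
}
```

The signature means a working link cannot be produced without the key, unlike a bare timestamp. A link copied from the page source still works until it expires, so this limits outside linking rather than hiding the image from a visitor who can already see it.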
 
LVL 13

Expert Comment

by:MasonWolf
ID: 19553796
Did you try my last suggestion?
0
 
LVL 13

Expert Comment

by:MasonWolf
ID: 19829580
Did you ever figure out a solution to this? I thought mine was pretty good, but if you found something better, please post it here for the rest of us to see.
0
