4

On our site we are building an image protection section. As part of image protection, we need to provide anti-hotlinking for images. On our site we show the image using a generated URL.

For example in our site the image source is like: image_file.php?type=image&w=10&h=10&i=12

(This is only a fake URL for example purposes.)

So using this URL we need to show the image on our site and at the same time want to prevent it from being hotlinked. Is there any way to prevent hotlinking?

user1505907

6 Answers

8

If you can utilize the .htaccess method then great. Additionally, as I said in my comment, a 100% fool proof way is to utilize base64 encoding. When you are displaying images, you can use this code to convert them to base64:

<?php
// Read the image and embed it in the page as a base64 data URI.
$imagedata = file_get_contents("/path/to/image.png");
$base64 = base64_encode($imagedata);
?>
<img src="data:image/png;base64,<?= $base64; ?>" />

Also, if you want to get really creative, you can "RAT" the hotlink "thieves" out by displaying an alternative image using your .htaccess file... do this like so:

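RewriteEngine on
# Allow requests that send no Referer header
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
# Do not redirect the replacement image itself (avoids a redirect loop)
RewriteCond %{REQUEST_URI} !/dontstealmystuff\.png$
RewriteRule \.(gif|jpg|png)$ http://www.mydomain.com/dontstealmystuff.png [R,L]

Just make sure dontstealmystuff.png is available on the server.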

Jeff Wooden
  • The source attribute of the image should be: – magikMaker Sep 15 '13 at 11:40
  • Agree with magikMaker, it should be updated http://stackoverflow.com/review/suggested-edits/2930406 – Stano Sep 15 '13 at 12:00
  • _“a 100% fool proof way is to utilize base64 encoding”_ – one would indeed be a fool by preventing caching of those images completely. – CBroe Jan 28 '16 at 15:47
4

Basic .htaccess example:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

The above allows a blank REFERER (like me).

This does not:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

There are quite a few variations you can find; you may need to play around a bit to find what is best for you.

3

Image hotlinking is usually detected by referer, but it won't work when:

  • user has turned off referer sending in his browser (I have this for privacy purposes)
  • page is viewed via HTTPS (browser shouldn't send referer data).

You'll block your actual users from viewing images.

Consider using sessions / cookies when dealing with this problem. You'll have to pass every image via a PHP script then.

Smok
2

Generally speaking the proper way to do this is in something like an .htaccess file with a command such as:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?somesite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://i.imgur.com/aNbhd.jpg [L]

However, to do this in PHP it's basically the same. All you do is verify that $_SERVER['HTTP_REFERER'] starts with the URL for the page. However, it's possible to spoof the HTTP_REFERER, so it's not going to be 100%. However, the user has to do this (an external site pretty (mostly...) much can't spoof this), so it will prevent other sites from embedding your images without placing your site in an iframe or some other hoopla.

Another way, and probably the safest though it's going to be the hardest on the server, is to use the $_SESSION variable to pass a token/flag around, then check the token.

session_start();
$_SESSION["allow_images"] = true;

Then on the PHP page that gets the image for them:

session_start(); // resume the session so the flag can be read
if (!empty($_SESSION["allow_images"]))
{
     //Send some pics!
}

However this only works if the user hasn't been to your site recently enough to not have their own session still active.

siva.k
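
The session flag from this answer and the session/cookie idea in Smok's answer, written out as one image_file.php. This is an added example, not code from any of the answers; the host names, the directory and the id-to-file map are assumptions, and it expects the site's own pages to have set $_SESSION["allow_images"].

```php
<?php
// image_file.php (added example; hosts, paths and the image map are assumptions)
declare(strict_types=1);

const ALLOWED_HOSTS = ['www.yourdomain.com', 'yourdomain.com'];
const IMAGE_DIR     = '/var/www/protected-images';   // kept outside the web root
const IMAGES        = [12 => ['photo-12.png', 'image/png']];  // constructed sample

// Compare the parsed Referer host exactly. Prefix or substring matching would
// also accept hosts such as yourdomain.com.example.net.
function referer_allowed(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return true;   // many real visitors send no Referer; the session decides
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), ALLOWED_HOSTS, true);
}

function fail(int $status): void
{
    http_response_code($status);
    exit;
}

// Let the visitor's browser cache the image; the default limiter forbids caching.
session_cache_limiter('private_no_expire');
session_start();

// The site's pages set the flag before rendering: $_SESSION["allow_images"] = true;
if (empty($_SESSION['allow_images'])
    || !referer_allowed($_SERVER['HTTP_REFERER'] ?? null)) {
    fail(403);
}
session_write_close();   // release the session lock before streaming the file

// Map the numeric id to a fixed file name so the query string never becomes a path.
$id = filter_input(INPUT_GET, 'i', FILTER_VALIDATE_INT);
if (!is_int($id) || !array_key_exists($id, IMAGES)) {
    fail(404);
}
[$file, $type] = IMAGES[$id];
$path = IMAGE_DIR . '/' . $file;
if (!is_file($path)) {
    fail(404);
}

header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```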
0

You can try checking the value of $_SERVER['HTTP_REFERER'] against a known value, but as the documentation states, that can be spoofed. It might help against the common case, though.

Jon Newmuis
0

In image_file.php, use HTTP_REFERER for this.

$ref = isset($_SERVER['HTTP_REFERER'])? $_SERVER['HTTP_REFERER']: "";
// A non-empty referer that does not start with our own URL means another site
if ($ref != "" && strpos($ref,'http://www.yourdomain.com/')!==0)
{
   //the request for this image is coming from some other domain, so take appropriate action
}
else
{
  //do whatever logic you are currently using to show the images
}

Find a full-blown solution here: http://safalra.com/programming/php/prevent-hotlinking/

raidenace