How to secure images (PHP)

Question

I develop a web site, but I have a problem in images,

for more explain : I insert the pictures in a folder and call them with the URL

for example the folder name is : images

And I insert a picture with name : test.jpg

So, the problem is if someone know the name of picture, he can be seen it, www.testest.com/images/test.jpg, but I need to block the pictures

If someone has other solution, Do not spare me the solution, because I want to give some privacy to the user

So, what the perfect solution to destroy this problem, I try a lot to found and fix it but without any result.

Any help please ?

Are you expecting these to be accessible by anyone? Is it enough just to obscure the URI? — Jonnix, Nov 22 '16 at 13:55
This kinda depends on how you want to access these images normally yourself, in your website. So how are you using these images — RiggsFolly, Nov 22 '16 at 13:59
You sould disable hotlinking via an htaccess file. There is an answer for that. Or you could serve your images via a php file (maybe?) — Andreas, Nov 22 '16 at 14:11
There's an answer here : http://stackoverflow.com/questions/10236717/htaccess-how-to-prevent-a-file-from-direct-url-access — Masivuye Cokile, Nov 22 '16 at 14:13

score 2 · Answer 1 · answered Nov 22 '16 at 14:10

2

Without knowing the full details of how you're actually using these images:

Store the images outside of the root directory, in a folder that is not web accessible.
Create a script to fetch the images (ie, images.php?id=123). This will present the same problem you currently face, if someone knows the ID, so moving on...
Implement whatever logic you need to prevent these images from being loaded by unwanted sources, for example if the user is not logged in or it's being requested by an external website / leached.

You can't really get more secure than that, outside of not having any images at all.

answered Nov 22 '16 at 14:10

mister martin

6,197
4
30
63

1

If `images.php` checks that the connection is logged in using Session etc this would be even more secure, but would not stop a logged in user from looking around to see what they could find – RiggsFolly Nov 22 '16 at 14:12
1

@RiggsFolly the images could be restricted to that particular user / session. without more details, we can only guess what logic is actually needed. – mister martin Nov 22 '16 at 14:21
Yup I realise this is a bit of a guessing game based on the info provided. I was just trying to add a little to your answer which was what I was going to write – RiggsFolly Nov 22 '16 at 14:23
@mistermartin I think is like facebook ? because it use a file named `images.php?id=123` but if I make pictures in a file is not web accessible he can't make problems ? – saadsaad Nov 22 '16 at 18:06
@saadsaad see [this answer](http://stackoverflow.com/questions/1851849/output-an-image-in-php) – mister martin Nov 22 '16 at 18:12

paolobasso · Answer 2 · 2016-11-22T14:16:39.260

0

1- Prevent hotlink with htaccess:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ www.testest.com/images/ [NC,R,L]

2- Disable right-click for all the <img>:

JQUERY:

$('img').bind('contextmenu', function(e) {
    return false;
});

CSS:

img{
  -webkit-user-select: none;  /* Chrome all / Safari all */
  -moz-user-select: none;     /* Firefox all */
  -ms-user-select: none;      /* IE 10+ */
  -o-user-select: none;
  user-select: none;
}

edited Nov 22 '16 at 14:16

answered Nov 22 '16 at 14:01

paolobasso

2,008
12
25

if i disable javacsript on my browser i can still right click :) – Masivuye Cokile Nov 22 '16 at 14:08
Yes but with htacces you can prevent hotlink – paolobasso Nov 22 '16 at 14:08
1

I don't think disabling hotlinking is what the OP is after – Jeff Lambert Nov 22 '16 at 14:10
check the answer here : http://stackoverflow.com/questions/10236717/htaccess-how-to-prevent-a-file-from-direct-url-access – Masivuye Cokile Nov 22 '16 at 14:14

How to secure images (PHP)

2 Answers2