Posted by ws Monkey on 05/27/06 04:06
Michael Vilain wrote:
> In article <e562u7$1sf$1@yggdrasil.glocalnet.net>,
> "Garry Jones" <garry.jones@morack.se> wrote:
>
>> I need to create a page with a password where I show photos. How do I stop
>> people from accessing the jpgs directly without going through the password
>> function.
>>
>> I am using Windows XP and have a website which supports Mysql and php.
>>
>> The end result should be a page where the user can type in a password and
>> access a few pages of thumbnails which can be clicked for enlargements.
>>
>> Garry Jones
>> Sweden
>
> You might be able to put the images in a directory not directly in the
> web server's document directory, then write a php page that, given the
> name of the file in either a GET or POST argument will open the image
> file, send the correct header, and display the image. Be sure to
> properly check for path injection and non-image filenames, so they can't
> display stuff they shouldn't be able to. Don't allow wildcards on
> filenames.
>
> Or stuff the image in a MySQL database BLOB and pull it out using a php
> page.
>
As a further idea, and one that I have used...
Don't use the full file name in the variables you pass; use a type
variable.
ex. get_image.php?img=monkeys&ext=1 (would pull monkeys.jpg)
get_image.php?img=monkeys&ext=2 (would pull monkeys.tif)
get_image.php?img=monkeys&ext=3 (would pull monkeys_thumb.jpg) -
You can use the ext to add whatever extension you want (and change them
later if you move files around; ext=4 could prepend the monkeys part
with "/imagedir/", or whatever you want).
I did this on a page that pulled in multiple file types for templates.
It allowed me to force an extension on any user submitted data. This
was combined with filtering of the content for ANY '.', which is how most
injections worked. (Just don't use image names with periods in them.)
After filtering the input, I check against a valid file type, default to
'1', and then do a @file_exists as the last sanity check.
-- Steve
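As an added example of the approach described in this thread (not code from either poster), here is a gate script in the spirit of get_image.php: the image lives outside the document root, the caller names it with a plain base name plus a numeric ext code, the name is rejected if it contains anything but letters, digits, underscore or hyphen (so no '.', '/' or '\'), an unknown ext falls back to 1, and file_exists/realpath is the last check before the bytes are sent with the right Content-Type. The directory /var/www/private_images, the session flag gallery_ok, the regex and the contents of the type table are assumptions for illustration; the password form that sets the session flag is not shown.

```php
<?php
// Added example, not the poster's code. Serves one image from a directory
// outside the web root, selected by a base name and a numeric type code,
// behind a session-based password gate. Paths and names are assumptions.

session_start();
if (empty($_SESSION['gallery_ok'])) {   // assumed: set by the password form
    http_response_code(403);
    exit('Log in first.');
}

// Assumed image directory outside the document root.
$base = realpath('/var/www/private_images');
if ($base === false) {
    http_response_code(500);
    exit('Image directory missing.');
}

// Allowed "ext" codes: each maps a base name to a filename and a MIME type.
// Moving files later only means editing this table, not the links.
$types = [
    1 => ['%s.jpg',       'image/jpeg'],
    2 => ['%s.tif',       'image/tiff'],
    3 => ['%s_thumb.jpg', 'image/jpeg'],
];

$img = isset($_GET['img']) ? (string) $_GET['img'] : '';
$ext = isset($_GET['ext']) ? (int) $_GET['ext'] : 1;

// Reject anything but a plain base name. This excludes '.', '/', '\' and
// NUL, so neither "../" traversal nor a ".php" suffix can be assembled.
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $img)) {
    http_response_code(400);
    exit('Bad image name.');
}

// Unknown type code falls back to 1, as in the post.
if (!isset($types[$ext])) {
    $ext = 1;
}
list($template, $mime) = $types[$ext];
$path = $base . '/' . sprintf($template, $img);

// Last sanity check: the file must exist, be a regular file, and still
// resolve inside $base after symlinks are followed.
$real = realpath($path);
if ($real === false || !is_file($real) || strpos($real, $base . '/') !== 0) {
    http_response_code(404);
    exit('No such image.');
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($real));
header('X-Content-Type-Options: nosniff');
readfile($real);
```

The thumbnail pages then link to get_image.php?img=monkeys&ext=3 for the small version and ext=1 for the enlargement; because the script decides the extension and the directory, a visitor who guesses names still only ever receives files that the table allows and that the session check lets them see.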