Posted by Sig on 12/31/07 05:36
On Thu, 20 Dec 2007 12:28:31 +0000 Toby A Inkster said
> jw88574@hooya.com wrote:
>
> > To put it another way, is there a method to allow an HTML script in the
> > document root to see an image (or file or whatever) and still prevent
> > access to that resource?
>
> Firstly, HTML is not a script.
>
> Secondly your answer is no. Any image that can be seen using <img> can
> be seen by accessing the image's URL directly. Using the HTTP "Referer"
> header, you might be able to kludge together a solution, but it will be
> unreliable and can be easily worked around.
>
>
That's not always correct. The image need not be under the document root to be
displayed with readfile(). I have some images that are displayed with
<img src="/pv/incer3.php?z=blackler/1.jpg">, for example. The incer3 file
checks a session variable, and may decide to show the image using readfile().
If you enter the src url directly, whether you see the image will depend on the
session variables. There is no actual image url to enter.
--
Sig
http://koiclubsandiego.org/comment/?r=8
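
The session-gated readfile() approach described in the post above, as an added example that is not the poster's incer3.php. The image directory, the `may_view_images` session key and the `resolve_image()` helper are assumptions; because the `z` value comes from the request, the sketch also confines it to the image directory before calling readfile().

```php
<?php
// Added example, not the poster's script. IMAGE_ROOT, the session key
// 'may_view_images' and resolve_image() are hypothetical names.
declare(strict_types=1);

const IMAGE_ROOT  = '/var/www/private_images'; // assumed path outside the document root
const MIME_BY_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif'];

/** Map the untrusted ?z= value to a real image file under $root, or null. */
function resolve_image(string $root, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                            // empty or NUL-containing input
    }
    $base = realpath($root);
    $path = realpath($root . '/' . $requested); // collapses ../ and follows symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: the resolved path must still sit inside the image root.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Only serve file types on the allowlist.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(MIME_BY_EXT[$ext]) ? $path : null;
}

session_start();
if (empty($_SESSION['may_view_images'])) {      // the access decision lives in the session
    http_response_code(403);
    exit;
}

$z    = $_GET['z'] ?? '';
$file = is_string($z) ? resolve_image(IMAGE_ROOT, $z) : null;
if ($file === null) {
    http_response_code(404);
    exit;
}

$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
header('Content-Type: ' . MIME_BY_EXT[$ext]);
header('Content-Length: ' . (string) filesize($file));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');     // keep shared caches from storing the image
readfile($file);
```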