Saving and reading images above public_html

I am trying to protect my upload of images to a PHP script, and the last hurdle I have to fulfill is that users cannot directly exclude images, but the server can still serve them on web pages. I tried to change ownership and folder permissions to no avail, so I am trying to save images above public_html and display them on pages that are stored in public_html.

My file structure:

 - userimages
   image.jpg
   image2.jpg

 - public_html
   filetoserveimage.html

I tried to link the image to the userimages folder as follows:

<img src="../userimages/image.jpg">

But that will not work. Is something missing here? If you have any suggestions, please let me know. I am trying to get public users to execute potentially dangerous files that they could download. As well as an additional safety measure. Thanks!

+3
6 answers

You want something that is basically impossible.

The way the browser loads the page (in the main sense):

 - Step 1: download the page.
 - Step 2: analyze the page.
 - Step 3: download everything that is referenced in the content of the page (images, style sheets, JavaScript, etc.).

Each Download event is atomic.


PHP Jedi, PHP. HTTP_REFERER , "" .

PHP passthru script , .

, , - "hotlinking" - , . , , .

, , mod_rewrite .

hotlinking/anti-hotlinking

+4

script!

, public_html, php script. , image-relay.php, , html...

<?php
header('Content-Type: image/jpeg');
$_file = 'myimage.jpg'; // or $_GET['img']
echo file_get_contents('/myimages/'.$_file); // directory located above public_html
?>

$_file $_GET, absolutely ...

<img src="image-relay.php?img=flower.jpg"> flower.jpg, /myimage/flower.jpg...

+3

, - public_html.

+1

public_html , Apache , / dorectory.

, Apache, / public_html.

+1

, , <img>, - , -, src URL- .


, (php ) script, , IP-, , html- ( , , IP-) ( HTTP-, , ).

, ( <img>, ), public_html (php ) script, .

+1

If you use Apache or lighttpd, you can use the X-Sendfile header to send files that are not in the root directory of the website (provided that you have not changed the configuration of mod_xsendfile).

To learn more about X-Sendfile, see this site.

This solution gives you the best performance since PHP does not send the file, but the server does it, and therefore PHP can be deleted while the files are running.

Hope this helps.

+1
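A hardened version of the relay idea from the image-relay.php answer, combined with the X-Sendfile hand-off from the last answer; this is added example code, not taken from any of the answers. The image directory, the `img` query parameter, the USE_XSENDFILE switch and the allowed MIME list are assumptions.

```php
<?php
// Added example: serve images stored above public_html through PHP, confining
// the requested name to one directory and sniffing the real content type.
// Paths, parameter name and the X-Sendfile switch are assumptions.

const IMAGE_DIR = '/home/example/userimages';  // assumed directory above public_html
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
const USE_XSENDFILE = false; // assumption: set true once mod_xsendfile is configured

function resolveImagePath(string $requested): ?string
{
    // Accept only a plain file name: no slashes, no ".." segments, known extension.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $requested)) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . DIRECTORY_SEPARATOR . $requested);
    // realpath() is false for a missing file; the prefix check also stops a
    // symlink inside the directory from pointing outside it.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

function detectImageType(string $path): ?string
{
    // Trust the bytes on disk, not the extension supplied by the client.
    $info = @getimagesize($path);
    $mime = is_array($info) ? $info['mime'] : null;
    return in_array($mime, ALLOWED_TYPES, true) ? $mime : null;
}

$path = resolveImagePath((string) ($_GET['img'] ?? ''));
$mime = $path !== null ? detectImageType($path) : null;
if ($mime === null) {
    http_response_code(404); // same answer for "missing" and "rejected"
    exit;
}

header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
if (USE_XSENDFILE) {
    header('X-Sendfile: ' . $path); // Apache (mod_xsendfile) streams the file itself
} else {
    readfile($path);                // otherwise PHP streams it
}
```

In the page, reference it as `<img src="image-relay.php?img=flower.jpg">`; anything other than a bare file name with an image extension is answered with 404.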

Source: https://habr.com/ru/post/1717530/