.htaccess DENY FROM ALL帮助？

Question

I have a photo sharing website that the user can edit their picture privacy. One major concerns is that other users can see the pictures from the user that have been concidered hidden. So I though in my IMAGES directory, just put deny from all in a .htaccess file.

But that restricted all images from being displayed to.

What's the best way to do this?

Thanks
Coulton

Answer 1

You could use mod rewrite and a dispatcher that retrieves the file of the url. The dispatcher would also check credentials.

Example: user accesses http://mysite.com/getimage/123

Configure mod rewrite to transform this into http://mysite.com/index.php?page=getimage&att=123 . Because of rewrite, no user will ever access anything else beside the index.php page unless you configure the rewrite module to do this.

index.php is the dispatcher and checks if the page really exists. If it does, it calls the controller that handles getimage. The controller getimage checks user credentials and if the user can get the file 123, it displays 123.jpg.

This is just one variant of multiple solutions. It all depends on your site architecture.

Answer 2

On webservers that only allow you to put all files below the document root and not outside of it for situations like this, a .htaccess file with a deny from all directive is often used to not allow http access to a special directory and it's subdirectories.

Doing some kind of obfuscation (directory names created with the help of MD5 or SHA1 etc. functions) is not recommended.

Deliver your images with the help of a PHP function that can do all the necessary permission checks you need in your case. One easy example how to actually return the file is found here:

Return the contents of an image in php file?