如何防止直接访问生成图像的php文件
[英]How to Prevent Direct Access to a php file that is generating Image
问题描述
I have a php file that is generqating Image and that is being included in the image tag like this: 
我有一个生成Image的php文件,它被包含在image标签中,如下所示:
<img src"generate_contact.php?memberid=3456">
Now if anyone will try to access this file directly, with a memberid query string, they an actually see the image file being generated. 现在,如果有人尝试使用Memberid查询字符串直接访问此文件,他们实际上将看到正在生成的图像文件。
How can i prevent direct access to "generate_contact.php" ? 如何防止直接访问 "generate_contact.php" ?
Note: If i try to make a CONSTANT in the file in which this img tag is inserted, will generate_contact.php have access to that CONSTANT? 注意:如果我尝试在插入此img标签的文件中制作一个常量,generate_contact.php是否可以访问该常量? asking because generate_contact.php is not being included.. it is being added as src in image tag only. 询问,因为不包含generate_contact.php。仅在图像标记中作为src添加。
Regards 问候
4 个解决方案
解决方案1
1 2012-11-10 08:43:33
Instead of using an incremental member-id to access this image, why not using a unique hash? 为什么不使用唯一的哈希而不是使用增量成员ID来访问此图像?
In your members table, add a "hash" field, and add a random string inside this field for each member. 在您的成员表中,添加一个“哈希”字段,并在该字段内为每个成员添加一个随机字符串。
I'm used to generate 10 chars hash this way : 我习惯以此方式生成10个字符的哈希值:
$hash = substr(str_shuffle(base_convert(str_shuffle(sha1(str_shuffle(md5(rand() . microtime())))), 16, 36)), 0, 10);
After that, use your hash to identify your member : 之后,使用您的哈希来标识您的成员:
<img src = "generate_contact.php?memberhash=0qxv(...)"/>
In such a way, crawlers will not be able to increment the id and get associate contact of your whole members. 这样,搜寻器将无法增加ID并获取整个成员的关联联系人。
解决方案2
0 2012-11-10 08:39:30
There's no way to prevent direct access to an image that you're wanting to display to the user. 无法阻止直接访问您要显示给用户的图像。 By having: 有了:
<img src = "generate_contact.php?memberid=3456">
You're already giving them direct access because the user's browser will actually make a GET request for the file once the page has loaded. 您已经为他们提供了直接访问权限,因为一旦页面加载,用户的浏览器实际上将对该文件发出GET请求。 Trying to prevent direct access to an image that you're wanting to display to the user goes against the fundamentals of the Internet, in which users request public documents. 试图阻止直接访问您要显示给用户的图像与Internet的基本要求背道而驰,在Internet中,用户要求公共文档。
解决方案3
0 2012-11-10 08:41:18
The users browser making a request for image to be placed inside the page is a 'get' request, and is same as if you type the address directly. 要求将图像放置在页面内的用户浏览器是一个“获取”请求,与您直接键入地址一样。 There is no way you can actually place an image on a page and then keep it unaccessible completely, unless ofcourse using flash 除非使用Flash,否则您实际上无法将图像放置在页面上,然后使其完全无法访问。
解决方案4
0 2012-11-10 08:42:25
OK, take it back one step. 好,再退一步。
It's all about URLs. 都是关于URL的。 If you put a URL into an image element's src attribute, the image must be available at that URL: 如果将URL放入图像元素的src属性中,则该图像必须在该URL上可用:
<img src="/img/profile/42.jpg">
The browser will download the HTML document with this image element, then make another HTTP request , just like the first one, to that URL to also download the image. 浏览器将下载带有该图像元素的HTML文档,然后向该URL发出另一个HTTP请求 (与第一个请求一样),以也下载该图像。
You can put that URL directly into your browser's address bar for the same effect. 您可以将该URL直接放入浏览器的地址栏中,以达到相同的效果。 There's certain content available at some URL. 某些URL上有某些可用内容。 It does not matter how that URL is accessed. 该URL的访问方式无关紧要。 It is not "tied to an HTML document" or "secret" or "hidden" or anything like that because it's in an HTML document. 它不是“绑定到HTML文档”,“秘密”或“隐藏”之类的,因为它在HTML文档中。
URLs are always public and accessed "directly", otherwise nobody could see their content. URL始终是公共的,并且可以“直接”访问,否则没有人可以看到其内容。
So, either your URL generate_contact.php?memberid=3456 spits out an image or it doesn't. 因此,您的URL generate_contact.php?memberid=3456吐出图片还是不会吐出图片。 What it does behind the scenes is irrelevant. 它在后台执行的操作无关紧要。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.