How to Prevent Direct Access to a PHP file that is generating an Image

I have a PHP file that is generating an image and that is being included in the image tag like this:

<img src="generate_contact.php?memberid=3456">

Now if anyone tries to access this file directly, with a memberid query string, they can actually see the image file being generated.

How can I prevent direct access to "generate_contact.php"?

Note: If I try to make a CONSTANT in the file in which this img tag is inserted, will generate_contact.php have access to that CONSTANT? Asking because generate_contact.php is not being included; it is being added as the src in the image tag only.

Regards

Instead of using an incremental member-id to access this image, why not use a unique hash?

In your members table, add a "hash" field, and add a random string inside this field for each member.

I usually generate a 10-character hash this way:

$hash = substr(str_shuffle(base_convert(str_shuffle(sha1(str_shuffle(md5(rand() . microtime())))), 16, 36)), 0, 10);

After that, use your hash to identify your member:

<img src = "generate_contact.php?memberhash=0qxv(...)"/>

This way, crawlers will not be able to increment the ID and get the associated contacts of all your members.
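
An added example, not part of the original answer: one way to issue and check the per-member token so that it cannot be enumerated or predicted. It uses PHP's random_bytes() (a CSPRNG) instead of rand() and microtime(), which are not cryptographically secure; the function names and the in-memory member store are hypothetical stand-ins for the members table.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answers. Function names and the
// in-memory member store are hypothetical stand-ins for a real members table.

/** Return a 128-bit token from the OS CSPRNG, hex-encoded (32 characters). */
function new_member_token(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Resolve the ?memberhash= value to a member row, or null.
 * Anything that is not exactly 32 lowercase hex characters is rejected
 * before the lookup, including arrays sent as ?memberhash[]=x.
 */
function find_member_by_token(array $membersByToken, mixed $token): ?array
{
    if (!is_string($token) || preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
        return null;
    }
    return $membersByToken[$token] ?? null;
}

/** What generate_contact.php would decide for a given query string. */
function handle_request(array $membersByToken, array $query): array
{
    $member = find_member_by_token($membersByToken, $query['memberhash'] ?? null);
    if ($member === null) {
        // Same response for malformed and unknown tokens, so probing learns nothing.
        return ['status' => 404, 'body' => ''];
    }
    return ['status' => 200, 'body' => 'contact image for ' . $member['name']];
}

// Constructed sample data: two members, each given a token at signup.
$members = [];
foreach (['alice', 'bob'] as $name) {
    $members[new_member_token()] = ['name' => $name];
}
$aliceToken = array_key_first($members);

var_dump(handle_request($members, ['memberhash' => $aliceToken])['status']); // issued token
var_dump(handle_request($members, ['memberhash' => '3456'])['status']);      // old sequential id
var_dump(handle_request($members, ['memberhash' => ['x']])['status']);       // array parameter
```

The token only stops enumeration: anyone who has the full URL can still fetch the image, which is the point the other answers make about URLs.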

There's no way to prevent direct access to an image that you're wanting to display to the user. By having:

<img src = "generate_contact.php?memberid=3456">

You're already giving them direct access because the user's browser will actually make a GET request for the file once the page has loaded. Trying to prevent direct access to an image that you're wanting to display to the user goes against the fundamentals of the Internet, in which users request public documents.

The user's browser making a request for an image to be placed inside the page is a 'get' request, and is the same as if you type the address directly. There is no way you can actually place an image on a page and then keep it completely inaccessible, unless of course using Flash.

OK, take it back one step.

It's all about URLs. If you put a URL into an image element's src attribute, the image must be available at that URL:

<img src="/img/profile/42.jpg">

The browser will download the HTML document with this image element, then make another HTTP request, just like the first one, to that URL to also download the image.

You can put that URL directly into your browser's address bar for the same effect. There's certain content available at some URL. It does not matter how that URL is accessed. It is not "tied to an HTML document" or "secret" or "hidden" or anything like that because it's in an HTML document.

URLs are always public and accessed "directly", otherwise nobody could see their content.

So, either your URL generate_contact.php?memberid=3456 spits out an image or it doesn't. What it does behind the scenes is irrelevant.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 