image.php
Topic Started: Oct 9 2008, 05:22 AM (113 Views)
bustya
Oct 9 2008, 05:22 AM
Post #1
The Master Bitchslapper
Posts: 135
Group: Admins
Member #2
Joined: Mar 20, 2008
A note about using this. You wouldn't want to use this script for ALL of your images; if you did, it WOULD slow page load times down, but this script is excellent to use for user-submitted images. For one, it'll hide your user-submitted image directory (which is writable and thereby vulnerable to malicious users), and two, this will also prevent a user from being able to execute a PHP file that they uploaded via your image upload, since the header is forced to be an image.
This script also emails you when someone tries to hotlink your pics.
Code: PHP

```php
<?php
// ---------------- CONFIGURABLE SECTION -----------------

// Where did you actually put your images?
// Make sure that the path you put below ends with
// a directory slash ("/"). The script below assumes it.
$imagedir = "/usr/home/username/public_html/actual_directory_here/";

// What are the websites (hostnames) that can use this
// image?
// If your site can be accessed with or without the
// "www" prefix, make sure you put both here. Do not put
// any trailing slashes ("/") nor any "http://" prefixes.
// Follow the example below.
$validprefixes = array("mysite.com", "www.mysite.com");

// What is the main page of your website? Visitors will
// be directed here if they type
// "http://www.example.com/image.php"
// in their browser.
$homepage = "http://www.mysite.com/";

// What is your email address?
// If you want to be informed when someone tries to use
// this script to access an image illegitimately, you
$email = "myemail@host.com";

// ------------ END OF CONFIGURABLE SECTION ------------
// --- YOU NEED NOT MODIFY ANYTHING AFTER THIS LINE ---

// Does the Referer header start with http(s):// plus one of our
// hostnames and a "/"? eregi() was removed in PHP 7, so this uses
// preg_match() with the /i flag; preg_quote() keeps the dots in the
// hostnames literal. The Referer is supplied by the browser, so this
// deters hotlinking but is not an access control.
function isreferrerokay($referrer, $validprefixes)
{
    foreach ($validprefixes as $authreferrer) {
        $pattern = '#^https?://' . preg_quote($authreferrer, '#') . '/#i';
        if (preg_match($pattern, $referrer)) {
            return 1;
        }
    }
    return 0;
}

//----------------------- main program -----------------------

if (isset($_GET['img'])) {
    $img = $_GET['img'];
    $referrer = getenv("HTTP_REFERER");
    if (empty($referrer) || isreferrerokay($referrer, $validprefixes)) {
        // Accept only a plain file name. Without this check,
        // $imagedir . $img would also resolve names containing "/"
        // or "..", i.e. files outside the image directory. "." and
        // ".." pass the pattern but fail is_file().
        $imagepath = $imagedir . $img;
        if (!preg_match('/^[A-Za-z0-9._-]+$/', $img) || !is_file($imagepath)) {
            header("HTTP/1.0 404 Not Found");
            exit;
        }
        // Decide the type from the file header, not the extension.
        $imageinfo = @getimagesize($imagepath);
        if ($imageinfo === false) {
            header("HTTP/1.0 404 Not Found");
            exit;
        } elseif ($imageinfo[2] == IMAGETYPE_GIF) {
            $imagetype = "gif";
        } elseif ($imageinfo[2] == IMAGETYPE_JPEG) {
            $imagetype = "jpeg";
        } elseif ($imageinfo[2] == IMAGETYPE_PNG) {
            $imagetype = "png";
        } else {
            header("HTTP/1.0 404 Not Found");
            exit;
        }
        // The bytes are read and sent as an image; nothing in the
        // image directory is executed by this script.
        header("Content-type: image/$imagetype");
        @readfile($imagepath);
    } else {
        if (isset($email)) {
            mail($email, "Bandwidth Theft Alert",
                 "WARNING:\n\n$referrer\ntried to access\n$img\n",
                 "From: My Site <$email>");
        }
        header("HTTP/1.0 404 Not Found");
    }
} else {
    header("Location: $homepage");
}
?>
```
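
Added example, not code from the thread: it reproduces the posted lookup (joining $imagedir . $img and then applying the getimagesize() type check), puts a hardened lookup beside it, and runs both against a constructed temp directory so the difference is visible: a name such as ../private/photo.gif is served by the posted logic and refused by the hardened one, while a PHP file renamed to .gif is refused by both. The function names naive_path, safe_path and is_gif_jpeg_png and the fixture files are my own.

```php
<?php
// Added example (not from the original post). The posted script joins
// $imagedir . $img straight from the query string and then only checks
// that the result parses as GIF/JPEG/PNG. Below, that lookup sits beside
// a hardened one; both run against a constructed temp directory.
// Run from the CLI: php image_path_check.php

// Shared last step: the thread's getimagesize() type check.
function is_gif_jpeg_png(string $path): bool
{
    $info = @getimagesize($path);   // reads the file header, not the extension
    return $info !== false
        && in_array($info[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG), true);
}

// As posted: any name is joined onto the directory, so "../x" walks out of it.
function naive_path(string $imagedir, string $img): ?string
{
    $full = $imagedir . $img;
    return is_gif_jpeg_png($full) ? $full : null;
}

// Hardened: plain file name only (no "/", "\", NUL, empty), must exist in
// $imagedir, then the same type check. "." and ".." fail is_file().
function safe_path(string $imagedir, string $img): ?string
{
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $img)) {
        return null;
    }
    $full = $imagedir . $img;
    return (is_file($full) && is_gif_jpeg_png($full)) ? $full : null;
}

// Constructed fixture: a 1x1 GIF in uploads/, a PHP file wearing a .gif
// name, and a second GIF in a sibling directory the script must not reach.
$gif  = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==');
$root = sys_get_temp_dir() . '/imgcheck_' . getmypid();
mkdir("$root/uploads", 0700, true);
mkdir("$root/private", 0700);
file_put_contents("$root/uploads/ok.gif", $gif);
file_put_contents("$root/uploads/fake.gif", "<?php echo 'not an image';");
file_put_contents("$root/private/photo.gif", $gif);

foreach (array('ok.gif', 'fake.gif', '../private/photo.gif', 'missing.png') as $img) {
    $naive = naive_path("$root/uploads/", $img) === null ? '404' : 'served';
    $safe  = safe_path("$root/uploads/", $img) === null ? '404' : 'served';
    printf("%-22s as posted: %-7s hardened: %s\n", $img, $naive, $safe);
}
// Remove the fixture again.
array_map('unlink', glob("$root/*/*")); rmdir("$root/uploads"); rmdir("$root/private"); rmdir($root);
```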
bustya
Oct 9 2008, 05:29 AM
Post #2
This is one more step for securing the user-submitted image directory...
Write this to a file and name it .htaccess, then upload it to the directory that the images are being written to (BTW, you don't want to put your image.php file in the same directory as your user-submitted images).
Code: Apache

```apache
# Hand these extensions to the CGI handler instead of mod_php and friends ...
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
# ... and then switch CGI execution off for this directory, so Apache
# answers 403 for such files instead of running them. The server's
# AllowOverride setting must permit FileInfo and Options here.
Options -ExecCGI
```
This will stop the listed file extensions from being executed from your user-submitted image directory.