A Pointless Security Precaution?

by ben1960 » Tue Jan 24, 2017 11:21 am
I have written a PHP script that obscures the URL of the directory that my JPG files are stored in. What do I have to gain by doing this? Visitors can still right-click on images to save a copy. I also have .htaccess configured to prevent hot-linking of JPG files. Is this PHP script of any real value?

The name of the PHP file is images.php.

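<?php
    // Directory holding the JPG files.
    $path = "path/to/images/directory/";
    // One or two digits only; the D modifier stops "$" from matching before a trailing newline.
    $regex = "/^[0-9]{1,2}$/D";
    // Missing parameter becomes an empty string, which fails the match below.
    $id = $_GET['id'] ?? '';

    // Reject arrays (images.php?id[]=1) and anything that is not 1-2 digits.
    if(!is_string($id) || !preg_match($regex, $id)) {
        http_response_code(404);
        exit;
    }

    $file = $path . $id . ".jpg";

    // Do not send an image header for a file that does not exist.
    if(!is_file($file)) {
        http_response_code(404);
        exit;
    }

    header('Content-Type: image/jpeg');

    readfile($file);
    exit;
?>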
The following HTML is in a separate file.

<img src="images.php?id=1" />
by ben1960 » Tue Jan 24, 2017 1:56 pm
I have put images.php in its own directory. This directory uses .htaccess to only allow PHP files to be accessed by my own domain and by blank referrers. Will there be any problems if I ban blank referrers from this directory?
by drew.phillips » Thu Jan 26, 2017 9:03 am
I would agree that it might be a pointless security precaution. It hides the original image location and just serves it through another location. You could take it a step further and store the images below your web root so they're not directly accessible from the internet.

The .htaccess hotlinking protection is good for preventing people from linking to your images on another site, but bandwidth is cheap these days. People don't do that too often and will just download it instead and host it elsewhere.

If you're going to show them the image on the screen (whether directly or served by a script), they can still take a copy one way or another.

In my opinion, it might be more trouble than it's worth. I'd say it does less for security, and more for organization and keeping your URLs simple (image.php?id=1, id=2, id=3, etc. instead of /images/blue_mountain_sunset.jpg).

You might need/want to add referer checking to that PHP script so you can deny access to the image if accessed from the script without a referrer or some other information.
Drew Phillips
Programmer / System Operations, Sonic.net
by ben1960 » Fri Jan 27, 2017 3:35 pm
I moved my jpg files to the location suggested by Drew Phillips. Thank you Drew.

I am currently limiting access to this script to my own domain and to blank referrers. There is disagreement about whether or not blank referrers should be allowed to access jpg files. What are the pros and cons of banning blank referrers?
by drew.phillips » Fri Jan 27, 2017 4:20 pm
Not sure about pros and cons specifically, but consider that:
  * referrers are not sent when going from an https site to http; viewing images on your site should always have you set to the referrer
  * some people may use plugins to strip the referrer (their loss?)
  * bots scraping may or may not spoof the referrer correctly for what they're trying to do
For 99% of people visiting your site it's probably fine. Someone who really wants to take all your images for whatever reason may end up having to spend a few minutes figuring out they need to spoof the referer in their script, or just right-click save til they have everything. But either way, they'll find a way to do it.
Drew Phillips
Programmer / System Operations, Sonic.net
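An added example (not code from the thread) combining the suggestions above: images kept outside the web root and served by a script that checks the Referer host, with the blank-referrer decision as a single switch. The path, host names, and constant and function names are assumptions; because the Referer header is supplied by the client, this deters hotlinking rather than enforcing access.

```php
<?php
// Added example. IMAGE_DIR, ALLOWED_HOSTS, ALLOW_BLANK_REFERER and
// example.com are hypothetical names chosen for illustration.
const IMAGE_DIR = '/home/user/private_images/';  // assumed path outside the web root
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];
// false also turns away https->http visitors and referrer-stripping plugins.
const ALLOW_BLANK_REFERER = true;

// Decide whether a Referer header value is acceptable under the policy above.
function referer_allowed(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return ALLOW_BLANK_REFERER;
    }
    // Compare the parsed host exactly; a substring test would accept
    // "example.com.other.test" or "other.test/?example.com".
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), ALLOWED_HOSTS, true);
}

// Map a validated id to a file path, or null if the id is malformed.
function image_path($id): ?string
{
    if (!is_string($id) || !preg_match('/^[0-9]{1,2}$/D', $id)) {
        return null;
    }
    return IMAGE_DIR . $id . '.jpg';
}

function serve_image(): void
{
    if (!referer_allowed($_SERVER['HTTP_REFERER'] ?? null)) {
        http_response_code(403);
        return;
    }
    $file = image_path($_GET['id'] ?? null);
    if ($file === null || !is_file($file)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');
    header('Content-Length: ' . filesize($file));
    readfile($file);
}

serve_image();
```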
by ben1960 » Mon Jan 30, 2017 6:37 am
I found some JavaScript code that blocks right-clicks on images. This will make my images a little bit harder to steal.

Here is the URL for that code:

http://www.dynamicdrive.com/dynamicindex9/noright2.htm
by ben1960 » Tue Jan 31, 2017 3:19 pm
I now have .htaccess configured to only allow my own domain to access my images.php file and my primary jpg directory.

Some experts think it is a good idea to allow search engines to access one's image files. I don't want Google Images to scrape my 525px * 350px jpg files. However, I would like to encourage Google Images to scrape my 200px * 133px thumbnails directory.

How do I encourage bots to visit certain directories?
by drew.phillips » Tue Jan 31, 2017 3:33 pm
There's really no way I'm aware of in 2017 to encourage a bot to visit a specific location. Once Google is aware of your homepage, they'll crawl to other pages from there and periodically come back to check for updates.

So the only way to "encourage" them to view specific pages/directories/areas would be to have several pages of links pointing to those areas, and update the content periodically so they'll see the change and be more likely to crawl additional pages for updates.
Drew Phillips
Programmer / System Operations, Sonic.net
by virtualmike » Tue Jan 31, 2017 10:28 pm
ben1960 wrote: I found some JavaScript code that blocks right-clicks on images.
I have a setting in Firefox that ignores attempts by Javascript to block right-clicks. :mrgreen:
by ben1960 » Thu Feb 02, 2017 4:49 pm
virtualmike wrote: I have a setting in Firefox that ignores attempts by Javascript to block right-clicks. :mrgreen:
I figured that this would be the case.