Private folder in PHP?

Question

My website deals with images. Whenever a user uploads an image it will be stored in "imagefiles" folder, but the problem is users can see all the images of that folder on web through http. To prevent it I made changes to .htaccess of the folder to be forbidden, but by doing that I am unable to read the images to show it on webpage myself.

So how can I make this folder such that only I can use to read it and when users try to access it through http it should say forbidden?

Answer 1

Or you can use mod_rewrite to disable access to directory listing as:

RewriteEngine On
RewriteBase /

RewriteRule ^imagefiles/?$ - [F,L,NC]

Answer 2

Probably the most flexible way to do what you want is to get the folder with images out of reach of webserver. Then show them on your page via readfile() (as Paulpro mentioned). There is nice example of how to do that in php manual: http://www.php.net/manual/en/function.readfile.php Using this way you will be able very easily control users access to images on your website.

Answer 3

You could disable the index for that folder, by creating a dummy index.html page, or disabling the default index in your .htaccess with:

<Directory /path/to/image/folder>
    Options -Indexes
</Directory>

That will stop people from browsing a directory listing of all images, but not stop them from accessing images directly.

If you want more fine control you should Rewrite all requests to that folder to a PHP script which will check the $_REQUEST['REQUEST_URI'] to determine what image they were trying to load, then if they are allowed to view it by whatever logic you choose, you send out the appropriate headers for the type of image it is, and readfile('/path/to/image');