Reputation: 91
I have started building an image-based website in CodeIgniter. The main catch is to protect images from direct URL access or any type of download. What I did was make a .htaccess file and put it in the image folder to prevent direct access to the images. I also created a class called Img with a function jpg to call for the image, where I check the session to prevent image hotlinks. But now the problem is that if I click on the img src (http://localhost/myproject/Img/jpg/abc.jpg), the image opens. How can I prevent it?
My .htaccess
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.com [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.com.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
Please help. Thanks in advance.
Upvotes: 0
Views: 1447
Reputation: 168
I mean to say, is there any solution to protect up to the maximum level? There must be a solution, I hope.
So, make the server load the files by reference after you validate a session or something. Also define a constant to the private directory (in this example, I used '/home/web/site' in the 'FILES' constant) where the images will be stored.
Just a sample using php-gd:
image.php
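<?php
// Private directory (outside the web root) where the images are stored.
defined('FILES') OR define('FILES', '/home/web/site/');

// Validate the session (or another access check) here before serving anything.

if (!empty($_GET['img'])) {
    // basename() drops directory components, so "../" cannot escape FILES.
    $filename = FILES . basename($_GET['img']);
    if (is_file($filename)) {
        // getimagesize() reports the detected type under the 'mime' key.
        $file_info = getimagesize($filename);
        $mime = $file_info ? $file_info['mime'] : '';
        if ($mime == 'image/png') {
            $img = imagecreatefrompng($filename);
            header('Content-Type: ' . $mime);
            imagepng($img);
            imagedestroy($img);
        }
        elseif ($mime == 'image/jpeg') {
            $img = imagecreatefromjpeg($filename);
            header('Content-Type: ' . $mime);
            imagejpeg($img);
            imagedestroy($img);
        }
        else {
            echo 'Unsupported image type!';
        }
    }
    else {
        echo 'Image not found!';
    }
}
else {
    echo 'Image not defined!';
}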
The algorithm above is pretty simple: you just need to pass the complete filename (like 'some.jpg') to validate the access. Of course, you can create better validation methods.
You can also do the same thing with videos. It's worth learning something like VideoStream.php:
stream.php
<?php
include 'VideoStream.php';
defined('FILES') OR define('FILES', '/home/web/site/');
$video = new VideoStream(FILES.'videoname.mp4');
$video->start();
Here you can also define the appropriate permissions, and it loads the content to the browser.
Upvotes: 0
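The approach described in the answer above (validate the session, then have the server read the file from a private directory), written out as an added example that is not the answerer's code. It assumes a login step sets `$_SESSION['user_id']` (a hypothetical key), that the fileinfo extension is available, and it reuses the answer's '/home/web/site/' directory; it streams the stored bytes rather than re-encoding them with GD.

```php
<?php
// Added example; constant, function and session-key names are assumptions.
const IMAGE_DIR = '/home/web/site/';   // private directory used in the answer
const ALLOWED_MIME = ['image/png', 'image/jpeg', 'image/gif'];

// Map a requested name to a real file inside $baseDir. Returns null when the
// file is missing or resolves outside the directory ("../", symlinks).
function resolve_image(string $baseDir, string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Compare canonical paths with a trailing separator, so a sibling such as
    // "/home/web/site-old" is not treated as being inside "/home/web/site".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function serve_image(string $name): void
{
    session_start();
    if (empty($_SESSION['user_id'])) {   // hypothetical marker set at login
        http_response_code(403);
        return;
    }
    $path = resolve_image(IMAGE_DIR, $name);
    $mime = $path === null ? null : (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($path === null || !in_array($mime, ALLOWED_MIME, true)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');   // keep copies out of caches
    readfile($path);
}

$img = $_GET['img'] ?? '';
serve_image(is_string($img) ? $img : '');
```

This restricts the endpoint to authenticated sessions and to files inside the private directory; a user who is allowed to view an image can still save it.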
Reputation: 824
It currently redirects to the image when it is not from your domain. Change it to
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example.com.*$ [NC]
RewriteRule ^.*\.(gif|jpg)$ http://www.example.com [F]
The first condition is unnecessary as it is included in the second one. But since I'm assuming you are not providing direct links on your site, I'm not sure the second one is needed either. Your script will be reading from the file system and not making a http request.
But people can still take screenshots etc.
Upvotes: 0
Reputation: 163272
The main catch is to protect images from direct URL access or any type of download.
Don't put it on the internet then.
There is absolutely nothing you can do to truly prevent this, if you also want your images accessible on your site.
Upvotes: 3