Hey, guys. I'm building a website that has multiple galleries. Some of the galleries are only accessible to people having a certain access level. This is good for protecting scripts, but not the images. In other words, if someone knows the full path to the image, they can link to it directly, bypassing the PHP authorization. My solution is to use an .htaccess file in the directory holding images to prevent direct access to the image files. The rules set up in the .htaccess file only allow access if the referer is my own domain. No matter how I tweak the .htaccess file, it always blocks access to the images from the PHP scripts (DWDT scripts) which are of course coming from my domain.
I'm having no luck jiggering the .htaccess file, so I'm wondering if anyone else has encountered this problem or has an alternative solution?
In the meantime, here's my solution. When uploading an image, I create a nested directory with the year/month/day of the upload if it doesn't already exist. This is where the images and the thumbnail folder associated with those images reside. Through the website, an image is accessed via its unique ID in the database, and then the script determines whether the user may access the file. The file name is stored in the database, and it is a 16-character random alphanumeric string that is generated during upload.
An outsider could still open the image directly, but to do that they would have to know the date of the upload, the file extension, and the 16-character generated file name.
I'd still like to be able to use a more solid solution, so if you have any suggestions...
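
The upload and lookup scheme described in this post, sketched as an added example that is not part of the original post. The function names, the allowed extensions, the `min_level` field and the in-memory array standing in for the database are all assumptions.

```php
<?php
declare(strict_types=1);

// Assumed alphabet for the 16-character alphanumeric name.
const NAME_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Draw each character with random_int(), which uses the OS CSPRNG, so the
// name is not predictable the way rand()/mt_rand() output is.
function randomImageName(int $length = 16): string
{
    $name = '';
    $max = strlen(NAME_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $name .= NAME_ALPHABET[random_int(0, $max)];
    }
    return $name;
}

// Build <base>/YYYY/MM/DD/<name>.<ext>, creating the dated directory if missing.
function storagePathForUpload(string $baseDir, string $ext, ?DateTimeImmutable $when = null): string
{
    $ext = strtolower($ext);
    if (!in_array($ext, ['jpg', 'png', 'gif'], true)) {   // assumed image types
        throw new InvalidArgumentException("unsupported extension: $ext");
    }
    $when = $when ?? new DateTimeImmutable('now');
    $dir = rtrim($baseDir, '/') . '/' . $when->format('Y/m/d');
    if (!is_dir($dir) && !mkdir($dir, 0750, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    return $dir . '/' . randomImageName() . '.' . $ext;
}

// Resolve an image by its database ID; return its path only when the user's
// access level is high enough. $rows stands in for the database table.
function resolveImage(array $rows, int $imageId, int $userLevel): ?string
{
    $row = $rows[$imageId] ?? null;
    if ($row === null || $userLevel < $row['min_level']) {
        return null;   // unknown ID or insufficient access level
    }
    return $row['path'];
}

// Constructed sample data: one image that requires access level 2.
$path = storagePathForUpload(sys_get_temp_dir() . '/gallery', 'JPG');
$rows = [7 => ['path' => $path, 'min_level' => 2]];
var_dump(resolveImage($rows, 7, 1));            // level-1 user asks for image 7
var_dump(resolveImage($rows, 7, 2) === $path);  // level-2 user asks for image 7
```

With a 62-character alphabet, a 16-character name carries about 95 bits of entropy, which holds only when the characters come from a CSPRNG as above.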