Author Topic: If u know absolute path, u can get a file

Offline helpme
If u know absolute path, u can get a file
« on: June 30, 2002, 06:40:46 AM »
well, version 1.6 works like a dream, however, if people know the absolute path to your images or files, they still can download, view it even tho u set the permission for the categories to private or registered or watever  :(

Is there a way to prevent this?

Offline helpme
If u know absolute path, u can get a file
« Reply #1 on: June 30, 2002, 03:38:37 PM »
am I right or wat, u can test on ur own 4images site anyways :)

Offline Alan @ ArtScans
If u know absolute path, u can get a file
« Reply #2 on: June 30, 2002, 03:43:09 PM »
Hi,

Unfortunately, this isn't just a 4images problem.  The nature of web servers means that you can get any publicly accessible file in the web server directory tree.

The only way (that I can think of) to work around this, would be to store the images in a BLOB column in the database, instead of files.

If security / permissions are of a prime concern to your site, then you'd better start editing the php :-)

Good luck,
Alan.
Alan Wagstaff,
Software Development Manager, SDT
QCS Software

Offline helpme
If u know absolute path, u can get a file
« Reply #3 on: June 30, 2002, 06:29:26 PM »
well, i've seen scripts, programs that prevent people from getting files on ur server directly, unfortunately i can't afford to buy the software so i'm looking for free scripts that let me do this

any1 got any idea where i could get these kind of script?

Offline Alan @ ArtScans
If u know absolute path, u can get a file
« Reply #4 on: June 30, 2002, 06:40:38 PM »
Hi,

To the best of my knowledge, you cannot do this with 4images, as it requires the media directories to be world read/writable.  If a visitor goes directly to the URL, it bypasses 4images, and gets the web server listing for that directory, so you would need to read up on your web servers docs (but again, that will probably stop 4images being able to read/write images).

The only way that I can think of doing it, is to store the images in the database.  Ask in the Mods forum, and maybe someone will write it for you (but it would be a fairly big job).

Unless of course, Jan plans to put such a feature in the next version? :-)

Thanks,
Alan.

Offline Chris
A solution exists (almost) for Apache web server
« Reply #5 on: July 01, 2002, 05:42:44 AM »
If your web server is running Apache, you can use .htaccess to prevent people from loading images in their browser by entering the full URL in the address bar.

For an explanation of what the .htaccess file is all about and how to use it, read the article here:  http://www.javascriptkit.com/howto/htaccess10.shtml

This part of the article talks about hot linking but it will serve your purpose.

Code:
# Only let image requests through when the Referer is this site;
# a direct address-bar request (empty or foreign Referer) gets a 403.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?YourWebSite\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]


That code will instruct the Apache web server to return a "403 - Forbidden, access denied" error page back to the user should they try to access the image file directly.

HERE'S THE CATCH:

The user can always dig through their browser's cache and locate the file given to them by details.php.  They might also use a web site copier tool, or......  there are several other ways of getting the image.  So basically, the .htaccess approach will only work if you had a download image different from the one served up by details.php

My two cents:  I'm not at all in favor of storing the images in the database itself.  It would introduce performance issues.
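An added example (not 4images code and not from any poster in this thread) of the route Alan hints at with "start editing the php": keep the files where the web server cannot serve them directly and hand them out only through a script that checks the visitor's group, so a guessed path yields nothing without a permitted session. It assumes a private directory /var/www/private_media outside the document root, a session variable user_group set at login, and a constructed category-to-group policy; none of these are 4images' own names.

```php
<?php
// Added example, not 4images code: a gated download script.
// Assumption: files live under PRIVATE_MEDIA_DIR, outside the document root,
// so the web server never serves them directly; only this script reads them.
// Assumption: the login code stores the caller's group in $_SESSION['user_group'].
define('PRIVATE_MEDIA_DIR', '/var/www/private_media');   // assumed, not a 4images path

// Constructed sample policy: which groups may fetch files of which category.
$category_policy = array(
    'public'  => array('guest', 'registered', 'members'),
    'private' => array('members'),
);

session_start();
$user_group = isset($_SESSION['user_group']) ? $_SESSION['user_group'] : 'guest';
$category   = isset($_GET['cat'])  ? $_GET['cat']  : '';
$file       = isset($_GET['file']) ? $_GET['file'] : '';

// 1. Authorisation on every request: knowing the path is useless
//    without a session whose group the policy allows for this category.
if (!isset($category_policy[$category])
    || !in_array($user_group, $category_policy[$category], true)) {
    header('HTTP/1.0 403 Forbidden');
    exit('Access denied');
}

// 2. Path hardening: accept a bare file name only, then confirm the resolved
//    path is still inside the category directory (rejects ../ traversal).
if ($file === '' || $file !== basename($file) || $file[0] === '.') {
    header('HTTP/1.0 400 Bad Request');
    exit('Bad file name');
}
$base = realpath(PRIVATE_MEDIA_DIR . '/' . $category);
$path = realpath($base . '/' . $file);
if ($base === false || $path === false
    || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit('No such file');
}

// 3. Stream the bytes ourselves. no-store keeps shared caches from holding a copy;
//    the visitor's own browser cache (the "catch" above) is beyond our control.
$type = function_exists('mime_content_type') ? mime_content_type($path) : 'application/octet-stream';
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . $file . '"');
header('Cache-Control: private, no-store');
readfile($path);
```

If 4images needs the directory under the document root so it can write into it, an Apache 2.2-style .htaccess containing `Deny from all` in that directory keeps direct URLs out while this script still reads the files from disk; the browser-cache catch Chris describes still applies to whatever the script serves.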

Offline helpme
If u know absolute path, u can get a file
« Reply #6 on: July 01, 2002, 10:21:59 AM »
thanks for all the help guys, really appreciate it ;)

well, what i've already done is, i put the .htaccess file inside the data directory so no one can hotlink to my stuff from my site ;)

But to prevent people from downloading certain files at ur site (i only want server people from a specific group to download), if they guess the path right, they still can get the file....urm...