Home >Backend Development >PHP Tutorial >How to control user access to images in PHP? PHP prohibits image hotlinking, _PHP tutorial
Set the images directory to disallow http access (change the image directory: read, directory browsing Two permissions are removed).
Use a PHP file and directly use the file function to read the image. Perform permission control in this PHP file.
In the apache environment, just add the following file to your image directory.
File name .htaccess
The content of the file is as follows
Copy code The code is as follows:
# options the .htaccess files in directories can override.
# Edit apache/conf/httpd.conf to AllowOverride in .htaccess
# AllowOverride AuthConfig
# Stop the directory list from being shown
Options -Indexes
# Controls who can get stuff from this server.
Order Deny,Allow
Deny from all
Allow from localhost
Other web environments such as iss and nginx are similar.
class imgdata{ public $imgsrc; public $imgdata; public $imgform; public function getdir($source){ $this->imgsrc = $source; } public function img2data(){ $this->_imgfrom($this->imgsrc); return $this->imgdata=fread(fopen($this->imgsrc,'rb'),filesize($this->imgsrc)); } public function data2img(){ header(“content-type:$this->imgform”); echo $this->imgdata; //echo $this->imgform; //imagecreatefromstring($this->imgdata); } public function _imgfrom($imgsrc){ $info=getimagesize($imgsrc); //var_dump($info); return $this->imgform = $info['mime']; } } $n = new imgdata; $n -> getdir(“1.jpg”); //图片路径,一般存储在数据库里,用户无法获取真实路径,可根据图片ID来获取 $n -> img2data(); $n -> data2img();
This code reads the image and then outputs it directly to the browser. Before reading and outputting, the user permissions are judged.
When PHP reads images here, it does not refer to the reading path, but to reading the content of the image, and then through
Header(); Input the image type, such as gif png jpg, etc. The content of the image is output below, so fread()
is used
In fact, when you see image.php?id=100, this image is displayed on the browser, and when you view the source file, you will not see the path to the image, but the garbled image content.
===========================================
Similar to the encrypted photo album of QQ space, it can only be accessed by entering a password, and the photo address in the encrypted photo album directly entered into the browser cannot be accessed. My current idea is that the address of the image is a php file, and the permissions are verified through php, the image is read, and output. I wonder if there is a simpler and more efficient way besides this method? For example, generate a temporary browsing address and use some anti-hotlink plug-ins of nginx?
You can use ngx_http_auth_basic_module to accomplish this.
Modify configuration file
Copy code The code is as follows:
location / {
root /usr/local/nginx/html;
auth_basic “Auth”;
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
index index.php index.htm;
}
auth_basic Auth in "Auth" is the title of the pop-up box (enter username and password)
/usr/local/nginx/conf/htpasswd in auth_basic_user_file /usr/local/nginx/conf/htpasswd; is the file that saves the password
PHP prohibits image hotlinking
1. Assume that the host domain name allowed to link to the image is: www.test.com
2. Modify httpd.conf
Copy code The code is as follows:
SetEnvIfNoCase Referer “^http://www.test.com/” local_ref=1
ed6494781dcd7e11185aed5408221d21
Order Allow,Deny
Allow from env=local_ref
d4f50085796fcbc8b99545763f01d848
This simple application can not only solve the problem of hotlinking of pictures, but with slight modifications can also prevent the problem of hotlinking of any files.
When using the above method to link images from a non-specified host, the image will not be displayed. If you want to display a "hot link prohibited" image, we can use mod_rewrite to achieve this.
First, when installing apache, add the –enable-rewrite parameter to load the mod_rewrite module.
Assuming that the "No Hotlinking" image is abc.gif, we can configure it in httpd.conf like this:
Copy code The code is as follows:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?test.com /.*$ [NC]
RewriteRule .(gif|jpg)$ http://www.test.com/abc.gif [R,L]
When the host's image is stolen, you will only see the "abc.gif" picture that says "hotlinking is prohibited"!