I'm developing a web application and I need to save and show images and pdf documents.
I wanted to deny direct access to the images and documents and to the folder that contains them. I mean that when someone tries to access the folder via URL, they should receive a 403 Forbidden error.
For this I created a .htaccess file inside the folder like this:
Order deny,allow
Deny from all
Using my web application, via a PHP script, there is no problem accessing the PDF documents like this:
header('content-type: application/pdf');
readfile('../../../files/'.$document);
But when I try to access the images using <img style=max-width:100% src=../files/'.$image.'>'
my access is denied and I receive an HTTP status code 403 Forbidden.
How can I access the images using my web application, but denying the direct access to the images?
Also, I would like to know why I can access the PDF documents but can't access the images.
I would use a handler for either of these file types.
Place the files outside of the web-accessible file system, i.e. if your web root is /var/www/html then create a /var/www/files/ directory and store all your files in there.
$file_id = intval($_REQUEST['file_id']);
$sql = sprintf("SELECT * FROM files WHERE file_id=%d", $file_id);
$result = $mysqli->query($sql);
$file = $result->fetch_assoc();   // was reading from an undefined $result and missed the ';'
if (!$file) {
    die("File not found");
}
// add business logic for
// if $user_id is allowed to view $file_id
if (preg_match("/\.pdf$/i", $file['file_name'])) {
    header('content-type: application/pdf');
} else if (preg_match("/\.(jpg|gif|png)$/i", $file['file_name'], $m)) {
    // images need an image MIME type, not application/pdf
    $ext = strtolower($m[1]) === 'jpg' ? 'jpeg' : strtolower($m[1]);
    header('content-type: image/' . $ext);
} else {
    die("Unknown file type");
}
$full_path = sprintf("/var/www/files/%s", $file['file_name']);   // column name matches the schema below
readfile($full_path);
This would allow you to use your application logic to determine which files should be accessed by a user, record the access and keep them out of the web accessible directory.
So instead of using something like this
<img style=max-width:100% src=../files/'.$image.'>'
I would suggest using a syntax similar to this for handling images
<img style=max-width:100% src=/handler.php?file_id='.$file_id.'>'
and a link like this for downloading PDFs
<a href=/handler.php?file_id='.$file_id.'>Download</a>'
It should be pretty straightforward, assuming you have a database of PDFs and images. Something simple like this:
CREATE TABLE `files` (
`file_id` int(11) unsigned NOT NULL AUTO_INCREMENT,
`file_name` varchar(255) NOT NULL DEFAULT '',
PRIMARY KEY (`file_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
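A hardened version of the handler approach from this answer, as an added example that is not the answerer's own code: it validates file_id, uses a prepared statement, checks that the requesting user is allowed to see the file, maps the extension to a whitelisted MIME type, and confirms the resolved path still lies under /var/www/files. It assumes an existing $mysqli connection, an owner_id column on the files table, and a session holding the logged-in user's id; all three are assumptions, not part of the original answer.

```php
<?php
// Added example (not from the original answer): hardened handler.php that serves
// files stored outside the web root. Assumes $mysqli is connected, the files table
// has file_id/file_name/owner_id (owner_id assumed), and $_SESSION['user_id'] is set.
declare(strict_types=1);
session_start();

const FILES_DIR = '/var/www/files';          // outside /var/www/html, so no direct URL
const ALLOWED_TYPES = [                      // extension => MIME type, never trust the client
    'pdf' => 'application/pdf',
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif' => 'image/gif',
];

function deny(int $code): void { http_response_code($code); exit; }

$userId = $_SESSION['user_id'] ?? null;
if ($userId === null) deny(401);

// Accept only a positive integer id; anything else is a bad request.
$fileId = filter_input(INPUT_GET, 'file_id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
if ($fileId === false || $fileId === null) deny(400);

// Prepared statement: the id is bound as a parameter, not formatted into SQL text.
$stmt = $mysqli->prepare('SELECT file_name, owner_id FROM files WHERE file_id = ?');
$stmt->bind_param('i', $fileId);
$stmt->execute();
$file = $stmt->get_result()->fetch_assoc();
if ($file === null) deny(404);

// Authorization check (business rule assumed here: only the owner may view the file).
if ((int)$file['owner_id'] !== (int)$userId) deny(403);

// Content type from the whitelist, keyed on the stored file name's extension.
$ext = strtolower(pathinfo($file['file_name'], PATHINFO_EXTENSION));
if (!isset(ALLOWED_TYPES[$ext])) deny(415);

// Path traversal guard: keep only the base name and verify the resolved path
// is still inside FILES_DIR before reading it.
$path = realpath(FILES_DIR . '/' . basename($file['file_name']));
if ($path === false || strncmp($path, FILES_DIR . '/', strlen(FILES_DIR) + 1) !== 0) deny(404);

header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
// readfile() is a server-side filesystem read, so the .htaccess rules that block
// browser requests to the folder do not apply to it.
readfile($path);
```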
Try with the rule below:
Order deny,allow
Deny from all
allow from 127.0.0.1
It will allow access from your local server address, on which your web app is hosted.
Edit:
Options -Indexes
Use the above to turn off directory listing too; it will give a forbidden error.