-2

index.php:

```html
<style type="text/css">
img {
    width: 50px;
}
</style>

<iframe name="myPHPScript" src="header.php" width="50%" frameborder="0"></iframe>

<iframe name="myPHPScript" src="header.php" width="50%" frameborder="0"></iframe>

<iframe name="myPHPScript" src="header1.php" width="50%" frameborder="0"></iframe>
```

header.php:

```php
<?php
header("Content-type: image/png");
$img1 = file_get_contents("3.png");
echo $img1;
?>
```

header1.php:

```php
<?php
// test1.jpg is a JPEG, so it is sent as image/jpeg rather than image/png.
header("Content-type: image/jpeg");
$img2 = file_get_contents("test1.jpg");
echo $img2;
?>
```

By this method I can call multiple images, but this is not what I expect. I would like to get the same result with only 1 PHP file.

Lima

3 Answers

0

You could use a URL parameter.

```html
<iframe name="myPHPScript" src="header.php?id=0" width="50%" frameborder="0"></iframe>

<iframe name="myPHPScript" src="header.php?id=0" width="50%" frameborder="0"></iframe>

<iframe name="myPHPScript" src="header.php?id=1" width="50%" frameborder="0"></iframe>
```

The PHP script uses $_GET['id'] to determine which image file to return.

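```php
<?php
// The client supplies only an index into this allow-list, never a file name.
$images = [["3.png", "image/png"], ["test1.jpg", "image/jpeg"]];
$id = $_GET['id'] ?? null;
// Accept only digit strings that select an existing entry.
if (is_string($id) && ctype_digit($id) && isset($images[(int) $id])) {
    header("Content-Type: " . $images[(int) $id][1]);
    readfile($images[(int) $id][0]);
} else {
    http_response_code(404);
}
?>
```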

An alternative to this would be to have PHP return a single image that contains all your images concatenated, and use CSS sprites to show different parts of it.

Barmar
  • Not that this "protects" images in any way… – deceze Nov 01 '18 at 01:23
  • He's edited all that stuff out of the question, so it's not really relevant any more. – Barmar Nov 01 '18 at 01:25
  • Thank you for sharing the knowledge! – Lima Nov 01 '18 at 01:26
  • Unfortunately true. I'll let my rant stand anyway, as it addresses the actual intent behind the question… – deceze Nov 01 '18 at 01:27
  • You can't protect the image once it's sent, but you can protect it via login, because the user of the site is logged in they can see the image, if someone hot links to `yoursite.com/header.php` from an external source, you can prevent that image from displaying through the link if they are not logged in. I did just such a thing for a mail order bride site about 6 years ago, sure someone can download the image and share it but they can't link from your site that way (because they wouldn't have a session). – ArtisticPhoenix Nov 01 '18 at 01:33
  • Obviously once you send the content, it's sent. As the browser alone will likely cache it, but there are some edge cases where a site owner may not want direct links to images on their site to be displayed for all the world to see. For that site I actually kept all the images in a user specific zip and then streamed them right from the zip file, which was kind of neat, and if someone linked the image they got an ad for the site instead ... lol – ArtisticPhoenix Nov 01 '18 at 01:37
  • Agreeing with @ArtisticPhoenix. *Preventing hotlinking* or only divulging images to *authenticated users* is entirely legitimate. But trying to "hide the URL" (as the original question was asking for) is nonsense. – deceze Nov 01 '18 at 01:39
  • Right, it's "security through obscurity", generally considered the least effective method. – Barmar Nov 01 '18 at 01:39
  • @ArtisticPhoenix this is valid for me, I can try something like this later. – Lima Nov 01 '18 at 01:40
  • @Barmar Thanks again for your reply, using css sprite is also a valid alternative, I still need to learn about this, thanks for the recommendation (link) – Lima Nov 01 '18 at 08:22
0

There is no "trick". You cannot "prevent users from getting images".

Every server-side resource, that means images, HTML pages, stylesheets, everything, needs to have a URL by which they can be downloaded. The browser makes a request to download a URL, receives the response to that request, and then treats it accordingly as an HTML page, image, or whatever else.

You cannot have one URL return two different things. I mean, you can, your server could randomly return different content each time the URL is being accessed. But that's pretty nonsensical. If you want your visitors to see your image, you will need to give them one unique URL where they can do so. If you don't want your visitors to see your image, don't put it online.

If you do let your visitors see your image, that means they need to download it to their computer. They need a URL for that. Your visitors don't care at all whether that URL ends in .php or .jpg. All they know is that a request to that URL will return that image. Your "trick" doesn't do anything. You still end up with a URL from which an image can be downloaded.

Once the image is downloaded and the visitor can see it, it's on their computer. You can't prevent users from getting the image yet also see the image. What you want is nonsense.

(This answer may seem somewhat rambling, but addresses the original revision of the question.)

deceze
  • Thanks for the answer. Well, I really need to show the image to the user, and the browser will download the image, I understand it. But to understand the real intent of my question, you will need to think a bit out of the box.. – Lima Nov 01 '18 at 02:25
  • Let's assume that the user or bot, will try to download our image manually to your computer, without authorization: In this particular case, I want the user to get the following output: "header.php" And to have the file, not only the extension, but the file name needs to be renamed. The advanced user will be able to download and get this file anyway, but the same does not apply to the common users or bots. – Lima Nov 01 '18 at 02:25
  • Well then… *rename your files*. The names of the files, i.e. their URL, is pretty irrelevant. What's the point of hiding *the name*? There is none. You cannot "make unauthorised users/bots see a different URL". That's pointless. The client (proper users, unauthorised users and bots alike) must somehow know **the URL** of the image. They typically get that from an `<img>`. Then they make a request to that URL to get the image. It makes sense for your server to refuse to return the image for unauthorised users (if you can distinguish that). It makes no sense to "change or hide the name". – deceze Nov 01 '18 at 02:33
  • With all due respect, I think you first need to understand the box before trying to think outside it. – deceze Nov 01 '18 at 02:34
  • [link](https://stackoverflow.com/questions/ask/advice?) "Keep an open mind" – Lima Nov 01 '18 at 02:58
  • You did right in questioning the real intent. I'm surprised that you might have considered my comment "thinking out of the box" for the personal side. So sorry, the purpose of the comment was just to supplement the explanation. – Lima Nov 01 '18 at 02:58
  • Not sure where we stand with regards to that phrase right now, I think we're both talking past each other to some degree. Anyway, hope you got my point that *what I think you're trying to do* doesn't really work. Hope you figure out the right solution for you. Cheers. – deceze Nov 01 '18 at 03:11
0

Another way to show multiple images with one call is, instead of returning a single image, to return the HTML that contains the multiple images. For example, you would call your PHP file and return this:

```html
<img src="data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg=="/>
<img src="data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg=="/>
<img src="data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg=="/>
<img src="data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg=="/>
```

Where instead of links you put the image data directly in the SRC as base64 encoded data.

As others noted though, it won't prevent someone from copying the image.

A great example why is even using ctrl+prtsc. Even if we ignore things like the browser cache etc., one could just screenshot the image.


As I mentioned in the comments, you can prevent the PHP file from returning the image if someone is (say) not logged in. This would prevent direct links back to your website. Which in some cases has valid reasons, the example I used was a Mail order bride site. Some profile images were publicly visible, others were not (not without an account). This wasn't more of an "Adult" content issue in this case and so there was a legal responsibility to not show some of the images to the general public or have them linked back to the site directly.

But again this doesn't prevent someone from copying the image and sharing it publicly.

ArtisticPhoenix
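
A sketch of the login-gated endpoint this answer describes, combined with the id allow-list from the first answer. This is an added example, not code from any of the posts; the `private_images` directory, the `user_id` session key and the per-image login flag are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed layout: images live outside the web root, so this script is the
// only route to them.
const IMAGE_DIR = __DIR__ . '/../private_images';

// Allow-list: public id => [file name, MIME type, login required?]
const IMAGES = [
    0 => ['3.png', 'image/png', false],
    1 => ['test1.jpg', 'image/jpeg', true],
];

function deny(int $status): void
{
    http_response_code($status);
    header('Cache-Control: no-store');
    exit;
}

session_start();

// Only an integer that names an allow-list entry is accepted.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($id) || !array_key_exists($id, IMAGES)) {
    deny(404);
}
[$file, $mime, $needsLogin] = IMAGES[$id];

// 'user_id' is an assumed key that the site's login code sets.
// A visitor who is not logged in here has no such session, whatever page
// linked the image.
if ($needsLogin && empty($_SESSION['user_id'])) {
    deny(403);
}

$path = IMAGE_DIR . '/' . $file;
if (!is_file($path)) {
    deny(404);
}

header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
// Keep login-only images out of shared caches.
header('Cache-Control: ' . ($needsLogin ? 'private, no-store' : 'public, max-age=3600'));
readfile($path);
```

As the answers say, this controls who the server sends an image to; it does nothing once the image is in the viewer's browser.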