Because of safety (checking if the user is logged in), I call a PHP document when showing images.
...
First of all, instead of reading the file with file_get_contents and, only then, echoing its content, you can use readfile : it will do both operations in one call -- which will probably be faster and use less memory than :
file_get_only
Then, if you only want identified users to have access to the images, you don't have much of a choice : if your identification mechanism is based on PHP, you'll have to pass by PHP to restrict access on the file -- which, yes, will be a bit slower than if using Apache directly to serve the content.
Also : here, you say :
I hope the user never will know the direct url to the image
Reading this, I suppose that your images can be accessed directly via Apache, bypassing your PHP script, if someone knows their URL ; security by obscurity is not good.
A better solution, if you don't want your images to be served by Apache would be to put them in a directory from where Apache will not serve anything :
Deny from all
Either way, this ensures only your scripts can access the files, and not Apache directly -- which means not a user bypassing the script.
Another idea, about the performance problem, might be to indicate to the browser that it can cache your images -- at least, if that makes sense.
For instance, you might be interested in HTTP headers such as "Etag" and/or "Last-Modified".
Since you require that only logged in users view the image then I would say that you don't really have a choice when it comes to this. You will have to keep doing it like this until your site becomes insanely popular at which point you might be able to figure out a more efficient system for multiple servers using a lower-level access check than PHP (which costs a lot).
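<?php
session_start(); // the session must be started before $_SESSION is read
if (!empty($_SESSION['user'])) {
    // Look up the file name stored for the requested media id
    $result = mysql_query("SELECT src FROM Media WHERE id = '"
        . mysql_real_escape_string($_GET['id']) . "'");
    $data = mysql_fetch_assoc($result);
    if ($data) {
        // Output the image
        header('Content-Type: image/jpeg');
        readfile("media/" . $data['src']);
    }
}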
Pascal MARTIN is correct that readfile is essentially the same as echo and file_get_contents. I doubt there is any significant difference in performance, but it's clearer to use readfile.
As far as only allowing logged in users to see the images, put the images outside of your web-directory. Using readfile, you can grab the file from some other directory. That way, there's no way they could access it, even if they did guess the url.
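The points raised in the answers above (readfile behind a login check, files kept outside the web directory, and ETag / Last-Modified caching) combined in one script, as an added example that is not code from any of the posts. MEDIA_DIR, the $media array standing in for the Media table lookup, and the function names are assumptions.

```php
<?php
// Assumption: a directory outside the document root, so Apache never serves it directly.
const MEDIA_DIR = '/var/www/private/media';

// Map a stored file name to a real path inside MEDIA_DIR, or null if it is not there.
function resolve_media_path(string $src): ?string
{
    $base = realpath(MEDIA_DIR);
    $path = realpath(MEDIA_DIR . '/' . basename($src)); // basename() drops any directory part
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Reject anything that resolves outside MEDIA_DIR, for example through a symlink.
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}

// Send the image, or a bodyless 304 when the browser's cached copy is still current.
function send_image(string $path): void
{
    $mtime = filemtime($path);
    $etag = '"' . md5($path . '|' . $mtime . '|' . filesize($path)) . '"';
    $lastModified = gmdate('D, d M Y H:i:s', $mtime) . ' GMT';
    // private: only the browser may store it; no-cache: it must revalidate on every use.
    header('Cache-Control: private, no-cache');
    header('ETag: ' . $etag);
    header('Last-Modified: ' . $lastModified);
    $ifNoneMatch = $_SERVER['HTTP_IF_NONE_MATCH'] ?? null;
    $ifModifiedSince = $_SERVER['HTTP_IF_MODIFIED_SINCE'] ?? null;
    if ($ifNoneMatch === $etag || ($ifNoneMatch === null && $ifModifiedSince === $lastModified)) {
        http_response_code(304); // the login check below already ran; only the transfer is skipped
        return;
    }
    header('Content-Type: image/jpeg');
    readfile($path);
}

session_cache_limiter(''); // stop session_start() from adding its own no-store/Pragma headers
session_start();
if (empty($_SESSION['user'])) {
    http_response_code(403);
    exit;
}
// Constructed stand-in for the Media table lookup (id => src).
$media = [1 => 'holiday.jpg', 2 => 'avatar.jpg'];
$src = $media[(int) ($_GET['id'] ?? 0)] ?? null;
$path = $src === null ? null : resolve_media_path($src);
if ($path === null) {
    http_response_code(404);
    exit;
}
send_image($path);
```

Because every request, including a revalidation that ends in 304, passes the session check first, a logged-out browser cannot keep fetching the image from a stale cache entry.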