Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

.htaccess question

0 views
Skip to first unread message

Gina

unread,
Oct 27, 2009, 6:09:28 AM10/27/09
to
Hello all.

I am trying to hide files like images on my webspace.
Putting my .htaccess file below into root, it doesn't show up the images at
all anymore ... on thge page itself

this is my structure:
-------------
root/index.php
root/images/ ...
root/css/ ...
...

.htaccess:
------------
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule !\.(js|ico|gif|jpg|png|css)$ index.php
------------

TIA
Gina

Ed Mullen

unread,
Oct 27, 2009, 11:25:51 AM10/27/09
to

If what you want to do is prevent external linking to certain files on
your site try this instead:

# disallow deep linking to certain files
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://example.net/.*$ [NC] [OR]
RewriteCond %{HTTP_REFERER} !^http://www.example.net/.*$ [NC] [OR]
RewriteRule .*\.(gif|jpg|bmp|wav|wmv|avi|swf|mpeg)$ - [F]

--
Ed Mullen
http://edmullen.net
When God is amazed, does he say: "Oh my Me!"?

Gina

unread,
Oct 28, 2009, 4:29:29 AM10/28/09
to
Ed,
Thanks for your answer.

Sorry, hope I can make it any clearer now.

What I want with the .htaccess file is to prevent direkt acccess to images
when the source code is shown. I would like to prevent
the user typing the URL of e.g. an image and as a result see an empty page
with only the image or the user may type www.xxx.com/scripts/main.js and the
javascript file is visible.

I would like to prevent anything in the URL to be seen by the user on its
own - only through my webpage
file extensions: gif|jpg|bmp|wav|wmv|avi|swf|mpeg|css|php should be hidden

TIA Gina

"Ed Mullen" <e...@edmullen.net> schrieb im Newsbeitrag
news:383ov4....@news.alt.net...

Swifty

unread,
Oct 28, 2009, 6:47:34 AM10/28/09
to
Gina wrote:
> What I want with the .htaccess file is to prevent direkt acccess to
> images when the source code is shown. I would like to prevent
> the user typing the URL of e.g. an image and as a result see an empty
> page with only the image or the user may type
> www.xxx.com/scripts/main.js and the javascript file is visible.

I'm reasonably confident that you're asking the impossible. When a
browser fetches a webpage, it first fetches the HTML, then it looks
through for <IMG> tags, and then fetches those.

It would be almost impossible to allow the fetches above, yet block
fetches that were for just the image itself, as they appear almost
identical to the server.

I could think of a mechanism that just might work, where the HTML causes
a cookie to be set, and the <IMG> tag calls a CGI script that checks for
the cookie before returning the image. It would make your page fragile,
to say the least, and inaccessible (as far as the image is concerned) to
folks who disable cookies.

There are variations on the cookie approach, using server-side scripting
which may be more robust, but it's probably a lot of effort, with little
return. I'd need to be in danger of losing a serious amount of money
before I set off down this path.

--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk

Ed Mullen

unread,
Oct 28, 2009, 11:47:47 AM10/28/09
to
Gina wrote:
> Ed,
> Thanks for your answer.
>
> Sorry, hope I can make it any clearer now.
>
> What I want with the .htaccess file is to prevent direkt acccess to
> images when the source code is shown. I would like to prevent
> the user typing the URL of e.g. an image and as a result see an empty
> page with only the image or the user may type
> www.xxx.com/scripts/main.js and the javascript file is visible.
>
> I would like to prevent anything in the URL to be seen by the user on
> its own - only through my webpage
> file extensions: gif|jpg|bmp|wav|wmv|avi|swf|mpeg|css|php should be hidden

I agree with Swifty that you're seeking what is likely impossible.
Also, I don't have to view the HTML source of a page to see the URL of,
say, an image. In most browsers it's as simple as right-clicking the
image and choosing among options:

- View image
- Save image
- Send image
- Copy image
- Copy image location (URL)

As the shopper placed her groceries on the checkout stand, the bagger
asked her paper or plastic? Doesn't matter, she replied, I'm bisackual.

Gina

unread,
Oct 29, 2009, 4:06:18 AM10/29/09
to
@ Swifty, thanks so much for your good explanation ...
going to be more difficult than I first thought to protect the images from
being copied for further use ...
so don't really happy about .. maybe I better forget that - for now ;)

@Ed, yes you are right with the right-click on images ...
so I use JavaScript
document.oncontextmenu = handleContextMenu;
function handleContextMenu(){
return false;
}
to stop it.

But lets say the lib folder where the php code is - how could I protect the
files in subfolders to be looked at ?

TIA
Gina


"Gina" <gingi...@hotmail.de> schrieb im Newsbeitrag
news:hc8vdf$t1r$03$1...@news.t-online.com...

Ed Mullen

unread,
Oct 30, 2009, 1:53:02 AM10/30/09
to
Gina wrote:
> @ Swifty, thanks so much for your good explanation ...
> going to be more difficult than I first thought to protect the images
> from being copied for further use ...
> so don't really happy about .. maybe I better forget that - for now ;)
>
> @Ed, yes you are right with the right-click on images ...
> so I use JavaScript
> document.oncontextmenu = handleContextMenu;
> function handleContextMenu(){
> return false;
> }
> to stop it.

And if I browse to your site/page and have javascript disabled in my
browser?

"Disgruntled?" If I'm not, then I guess I'm "gruntled." What the heck
is "gruntled?"

Swifty

unread,
Oct 30, 2009, 3:17:09 AM10/30/09
to
Gina wrote:
> @Ed, yes you are right with the right-click on images ...
> so I use JavaScript
> document.oncontextmenu = handleContextMenu;
> function handleContextMenu(){
> return false;
> }
> to stop it.
>
> But lets say the lib folder where the php code is - how could I protect
> the files in subfolders to be looked at ?

I think you are coming at this from the wrong direction. If you start
with the assumption that anything I can reach with my browser (but
without having to enter some authentication) is in the public domain,
just as if it had been published on the evening news.

If you have a need to prevent some people from seeing some parts, then
you have to consider authentication of some sort. How strong this has to
be depends on the content, and your motive for blocking it. If it's the
evidence you're going to give against the local Mafia boss, then it had
better be good.

Incidentally, the JavaScript above might give you a sense of security,
but I use a browser which doesn't implement handleContextMenu, and
anyway, I could turn javascript off. Even if this were not the case, all
browsers cache the stuff that they download (in case you return to the
page in the near future), so all I have to do is scan through the cache.
Those are files on my local machine; you're going to have a tough time
preventing me from accessing those (though you'll probably get a
highly-paid job with the RIAA if you do manage it)

Just remember what the first two W's in www stand for.

Ed Mullen

unread,
Oct 30, 2009, 12:33:32 PM10/30/09
to
Swifty wrote:
> Gina wrote:
>> @Ed, yes you are right with the right-click on images ...
>> so I use JavaScript
>> document.oncontextmenu = handleContextMenu;
>> function handleContextMenu(){
>> return false;
>> }
>> to stop it.
>>
>> But lets say the lib folder where the php code is - how could I
>> protect the files in subfolders to be looked at ?
>
> I think you are coming at this from the wrong direction. If you start
> with the assumption that anything I can reach with my browser (but
> without having to enter some authentication) is in the public domain,
> just as if it had been published on the evening news.

Umm, in public view, yes, but not "in the public domain." Publishing a
work isn't giving it away: The author retains copyrights.

Gina hasn't really said what her purpose is in wanting to "hide" things
on her site. I make the assumption that it's to protect material for
which she holds the copyrights. If so, at least in the USA, you can
generally establish a valid copyright simply by publishing the work.
After that, you have to actively work to ensure that you're properly
compensated if someone appropriates (with or without permission) your work.

However, as we've discussed, there is no practical way prevent a
Web-based resource from residing on my machine. That's just the way it
works.

The easiest way to find something lost around the house is to buy a
replacement.

0 new messages