Hi, I was thinking what's the best way to change the image source url on an image in PHP or any other language. First, let me say I don't want to hide the source image url because of hotlinking or because I want to hide the source. The reason is just because I'm pulling the image via an HTTP API and the user and other ID values are in the url. So someone clicking the source image can see them. They don't represent a security issue either, but you could in theory change the ID and pull other images with stats from other users that don't belong to the user that is pulling them. So the best is just to hide the full url where the image is coming from. So instead of an image source being like this: domain.com/api?user=test%id=833, it would be just something like domain.com/image.png. I could fetch the image via fopen and store it on the server, but then I would need to create a master PHP cron to run all the fetching, which basically defeats the idea of pulling them live from my API system. Or what I thought is maybe change the url with mod rewrite. Another way was to get them in PHP and reprocess them with an output. The problem I see is that this, as far as I have read, doesn't work with PNG and you lose image quality (not so important), and this is server hungry. Is there a good and simple way to do this?
You should hash (+ salt) those numbers in the URL so as to render them useless even if someone were to realise them. This would also stop anyone from guessing subsequent numbers to retrieve other data, like you said. Alternatively, you can use PHP's GD graphics library to generate an on-the-fly image which is referred to in the image source, just like how PHP based captcha works. You can see mine for example here: www.tothedepths.com/?view=contact
I'm not sure hashing would work, as these numbers need to be correct for the API to generate/pull the images. If they are hashed it would not work anymore, unless you mean hashing the output, which leaves me again with problem 1. I would like to modify the whole url, not just the IDs or other data on it. This means the original url sent cannot be changed, otherwise you would not get any data back; just the output needs to be changed. As anyone can click on the image, they can look at the source url.
I didn't realise you're using someone else's API. Hashing wouldn't be a fitting solution then. If this was a case of your own programming I'd be able to aid you in adapting it but APIs bring more variables and structure to understand. As far as I know you can't stop someone from viewing source and links as the HTML is downloaded by the browser, thus rendering it to the client.
It is my API but I did not code it. It's hosted on another server; I use API calls to pull out the data and show them to users. An option is to create one API account for each user and limit the user only to those specific stats/images. But this is rather a bad solution. I prefer to use one central username; the password is already hashed, still you can see in the url where the API server is, and the image IDs, and the username. This is enough data I don't want to show.
In that case you need to write a script that will do the +salt trick and will be a wrapper to the api when accessing the images. Front end -> Wrapper -> Api -> Wrapper -> Front end
Hi jazzcho, I'm not sure I follow you. I thought it would be just something like this: API > Wrapper (which hides the url) > Front end. The urls need to be sent to the API server basically intact, unless I want to complicate myself too much. Once the image responds back I could wrap the url and change it, or actually repack the image so it resides on the local servers where the PHP is executing. Currently the images are on the API server. So one solution I thought of was pulling them out on the fly, saving them temporarily and showing these temporary images. This would show the local temp path and not the API remote call. The only downside is that it would be just a bit slower, as instead of showing the images from where they are, PHP would be doing more work to display them. I'm wondering if all this is just not easier with mod_rewrite and some rules that change the API url (at least the one that is displayed) when they are executed. As just changing them visually would already work in a lot of ways. I'm not a programmer so ideas are welcome, otherwise I would not be posting there.
Write your own basic encryption @nibb. For example, have the string variables converted to their ASCII numbers and the numeric variables multiplied by a large prime number only you know, then before the API handles it convert them back.
But that just doesn't make sense. I don't want to convert them and then reconvert them back so the API can read them. It's not from the API server I need to hide the urls. It's exactly the other way around: from web visitors. I put an HTTP API request in my server. The API server receives this and shows a simple image. The API servers cannot encode or modify anything at all. In that case what you guys probably mean is that the script sends the urls just like they are to the API server, and then encrypts these urls. What's wrong with using mod_rewrite? Which is exactly this. What you say is 10 times more complicated than just using mod_rewrite rules, that just convert them in the Apache web server and transform the urls on the fly.
I know it's not the API you're hiding it from, that's not what I said. What do you mean the server cannot do certain things? Make it do what we're saying. Use mod_rewrite then if you can.
Impossible. I did not create the API; it's on my server, but it's proprietary software, so I cannot change it. At least not without breaking the software license and having to do this on every single upgrade that comes out. Breaking the code to make it work like I need is just too expensive and time consuming; it would not make sense for the result I want to achieve, which is as simple as "show the image" but not show where it comes from, or make it look like it comes from somewhere else. In the end all I want is just to hide the parameters used in the url.
OK mate, but as I said before, using someone else's API makes things a lot more complicated. I doubt anyone will have the time to be able to look into your case thoroughly enough to be of any help. I'd suggest offering paid work for this problem.
Why not just encode the image in a file like this?

```php
<?php $image = base64_encode(file_get_contents("http://example.com/image.png")); ?>
<img alt="Embedded Image" src="data:image/png;base64,<?php echo $image; ?>" />
```

That's funny, this works just fine with any image but not with my rest API url, probably because it contains & and other = characters in the url. I get a broken image if I put my API call that pulls the image.
Hi @nibb, In your html output (the pages that people see), you do not want links like http://myapiserver/image.php?id=1. You cannot change the api to not have the id=1 part. You can change the code of your own pages (the ones that output the html to the user). So, what I am saying is: Your code outputs html with links like

```
http://myserver/mywrapperscript.php?id=vdfdsFfsdfwRfSDFW
```

That wrapper script connects to the api in the way the api expects it, gets the image and serves it to your page. I hope it makes sense now.
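The wrapper flow described in the last post, as an added example that is not part of the original thread: the page hands out a random token per image, the token-to-ID mapping stays in the visitor's session, and the wrapper builds the real API URL server-side and relays the bytes unchanged. The `user` and `id` parameter names and the `myapiserver` host are taken from the posts above; the `API_USER` value, the session key `img_tokens` and both function names are assumptions.

```php
<?php
// mywrapperscript.php: added example, not code from the thread.
// Assumed: API parameters "user" and "id" as written in the posts above.
declare(strict_types=1);
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
const API_BASE = 'http://myapiserver/image.php'; // host name as used in the post above
const API_USER = 'test';                          // placeholder central API account

/** Page side: returns an opaque image URL for one image id (hypothetical helper). */
function image_url_for(int $imageId): string
{
    $token = bin2hex(random_bytes(16));           // unguessable, carries no id
    $_SESSION['img_tokens'][$token] = $imageId;   // mapping never leaves the server
    return 'mywrapperscript.php?id=' . $token;
}

/** Wrapper side: resolves the token for this session and relays the image. */
function serve_image(string $token): void
{
    $imageId = $_SESSION['img_tokens'][$token] ?? null;
    if (!is_int($imageId)) {                      // unknown token, or one issued to another visitor
        http_response_code(404);
        return;
    }
    // http_build_query() encodes & and = correctly; the URL is built only from
    // server-side values, never from anything the visitor sent.
    $url  = API_BASE . '?' . http_build_query(['user' => API_USER, 'id' => $imageId]);
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        http_response_code(502);
        return;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        http_response_code(502);                  // API answered with something that is not an image
        return;
    }
    header('Content-Type: ' . $mime);
    header('Cache-Control: private, max-age=60');
    echo $body;                                   // bytes relayed as received, no re-encoding
}

// Serve only when requested directly, not when a page includes this file for image_url_for().
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'mywrapperscript.php' && is_string($_GET['id'] ?? null)) {
    serve_image($_GET['id']);
}
```

Because a token only resolves inside the session it was issued to, changing the `id` value in the browser returns a 404 instead of another user's image, and the API host, username and numeric IDs never appear in the HTML.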