PDA

View Full Version : image protection



jcsierra
09-29-2010, 06:11 AM
1) Script Title:

Online Tools: .htaccess Password Generator

2) Script URL (on DD):

http://tools.dynamicdrive.com/password/

3) Describe problem:

Hi! Im building a flash website for a friend that loads an xml with the list of images of the site. He wants his images protected, so no one can download them, specially because the images will have a rather good resolution, so his work could be copied. If anyone finds the xml it would be like handing them a list of images and their locations, so I thought that the best way would be to configure an htaccess so even if you know where the images are, the browser cannot get to them. Is that possible? How can it be done? Im actually an industrial designer so my programming skills go as far as Action Script (no php or asp)... Im not really worried about a printscreen because the flash file has a couple of interactive elements on top of the image. Any help would really be apreciated!

traq
09-29-2010, 01:46 PM
If all the images are in the same directory, just put an .htaccess password (http://tools.dynamicdrive.com/password/) on that directory.

You should note, however, that regardless of how difficult you make it for people to download your images, they will still be downloaded with the flash file. If people really want them, they have them. Your alternative is to use lower-resolution images. Read more (http://dynamicdrive.com/forums/showthread.php?t=48916) (post #4 may be relevant to your issue).

jscheuer1
09-29-2010, 01:54 PM
Something I was wondering about this, and I really don't know. If you were to do that, might that prevent the images from being shown at all?

traq
09-29-2010, 03:06 PM
your scripts should still be able to get the images. I know it doesn't affect php scripts running on the same server, but it would affect things like <img> tags in your own html. But I don't know about flash, exactly. not my area

jscheuer1
09-29-2010, 03:58 PM
Well PHP has no problem because (I would imagine) it's the server making the request for the file, not the browser. So it depends upon what's requesting the image file. If it's the swf via the Flash plug in of the user's browser, that would probably not work unless the Action Script of the swf somehow supplies this password. And then, a clever would be image thief could get that password from the swf file. But it would certainly be more difficult than just finding the image address. The password should not be put in the xml file though, however tempting that might be.

djr33
09-29-2010, 08:39 PM
A .htaccess password will block ALL incoming connections to that file, unless a valid password has been entered. This includes ANY request from the user-- img tags, directly downloading it, loading it into an SWF, whatever.
PHP is, as you said, an exception because it is getting the files locally (on the server, in a nearby directory) rather than making a request to the server-- in fact, for PHP or something else operating on the server, the "server" software (including .htaccess) is completely irrelevant.


Here's the bottom line: if people can see the image, they have already saved it to their computer (and can access it other ways, such as directly visiting the URL). The end. There's no way around that.

If you want to get into something really messy, I suppose you could look into a flash media server. Honestly that sounds like a terrible idea in this situation (and expensive).

traq
09-29-2010, 11:04 PM
So it depends upon what's requesting the image file...

exactly. and I don't know much about how flash works, so... :)

djr33
09-30-2010, 01:50 AM
It doesn't depend on what's requesting it at all: the only exception to the server denying a request without a password is if it's an internal request from PHP (etc). Otherwise, you simply can't get at the file.
Even if you could set it to only allow requests from flash, users could build a SWF to grab it.

jscheuer1
09-30-2010, 02:55 AM
It doesn't depend on what's requesting it at all: the only exception to the server denying a request without a password is if it's an internal request from PHP (etc)

Excuse me, it does depend. It depends upon whether its the server or the client, as I said:


Well PHP has no problem because (I would imagine) it's the server making the request for the file, not the browser. So it depends upon what's requesting the image file.

But this isn't really a disagreement, if anything - it's a misunderstanding, more like being quoted out of context.

traq
09-30-2010, 05:46 AM
It doesn't depend on what's requesting it at all: the only exception to the server denying a request without a password is if it's an internal request from PHP (etc). Otherwise, you simply can't get at the file.
Even if you could set it to only allow requests from flash, users could build a SWF to grab it.

Yes,

What I meant was I didn't know enough about how flash works - if it's assembled server-side and then output (in which case it might work just fine), or if it's output first and then the flash player sends requests for all the components (in which case, it wouldn't work at all).

I had initially (during my first post) thought the former, but after reading your replies, I suspect it's probably the latter. As John said, I think we just misunderstood each other.

In any case, the second half of my post stands: if they want it, they have it. :)

djr33
09-30-2010, 11:22 PM
The idea of a "request" implies that it is remotely asking the server for a file. If there is some internal process on the server that gets around this, that's fine. But using an xml list like in the description here won't help.

If the image is embedded into the .swf itself, that's possibly a way around it, but it would require a lot more effort than just an xml list.

Actually, PHP has SWF generating functions, but they are very limited. Theoretically it might be possible to approach this that way.


However, if the file is embedded into the SWF, then by saving that SWF (which couldn't be protected and still used properly) would give you the file, if you were able to reverse engineer it. Of course that's a lot harder than saving an image...


Aside from that, everything you've said is correct. I'm just clarifying: there's no possibility that flash would be "different" because it would still be the user's computer (browser) requesting the file, not an internal request on the server.