How to stop access of a PHP file from other sites

How to stop access of a PHP file from other sites - .htaccess files are extremely useful in many cases for users who either do not have root permissions or who simply aren't comfortable making changes to their web server's configuration file. Debugging a .htaccess file that isn't working isn't always easy; however, by checking the discussion below about php, htaccess, images, hotlinking and common .htaccess problems, as well as the troubleshooting tips, you'll hopefully have a better grasp of what you may have to modify to get your .htaccess file running smoothly.

Problem :


I read somewhere about hot linking of images. Preventing image hot linking helps to stop bandwidth theft from your site. Would it work for a PHP file?



In my case, I am using a PHP file to generate thumbnails from an image. I don't want others to refer to this PHP file from their site.


Solution :

One programmatic way is to check the referrer to make sure the request came from your site:


<?php
$yoursite = "yoursite.com"; //Your site url without http://
$yoursite2 = "www.yoursite.com"; //Type your domain with www. this time

//The Referer header is optional and sent by the client, so it may be missing
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";

//Check if browser sends referrer url or not
if ($referer == "") { //If not, set referrer as your domain
    $host = $yoursite;
} else {
    $host = parse_url($referer, PHP_URL_HOST); //If yes, parse referrer and keep the host part
}

if ($host == $yoursite || $host == $yoursite2) {
    //Run your image generation code
} else {
    //The referrer is not your site, we redirect to your home page
    header("Location: http://yoursite.com");
    exit(); //Stop running the script
}
?>

Edit

This article presents an alternate method using PHP sessions.



This example is for an image, but you can do the same for any file type.
You could make that folder inaccessible from the web (e.g. place the folder outside htdocs or add .htaccess rules).



Create a PHP script which handles all requests to the private images. This script would have to do the following:



- check if the user is authenticated

- check if the user is authorized to view the requested image

- open the image and print it to the browser

(you need to set the correct HTTP headers to make sure the content is treated as an image)



Demo



getimage.php



<?php
//LoggedInUserCanAccessThisFile() is an optional user-defined function: if only
//logged-in users may see the image, return true or false from it based on your
//session variables or cookies
if (LoggedInUserCanAccessThisFile()) {
    $file = 'privatedir/image.jpg';
    $type = 'image/jpeg';
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($file));
    readfile($file);
    exit();
}
//Not allowed: send no image data
http_response_code(403);
exit();



home.php/otherpage.php



<img src="getimage.php" />


(you can use src="getimage.php?userid=123" and, in getimage.php, check whether this user is logged in before showing the image)



(you can also use src="getimage.php?userid=123&imgfilename=image3.jpg" for dynamic images and read it in getimage.php as

//basename() drops any directory part, so the name cannot point outside privatedir
$file = 'privatedir/'.basename($_GET["imgfilename"]);

)
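
A hardened variant of the getimage.php handler described in the answer above, as an added example that is not part of the original post: it reads the login state from the session and confines the imgfilename parameter to the private folder. The names PRIVATE_DIR, ALLOWED_TYPES, resolve_private_image() and the user_id session key are assumptions.

```php
<?php
// Added example. Assumed names: PRIVATE_DIR, ALLOWED_TYPES,
// resolve_private_image() and the 'user_id' session key set at login.
session_start();

const PRIVATE_DIR = __DIR__ . '/../privatedir'; // assumed: outside the web root
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Map a client-supplied name to a real file directly inside $baseDir.
// Returns the resolved path, or null if the name is not acceptable.
function resolve_private_image(string $baseDir, $requested): ?string
{
    if (!is_string($requested) || $requested === '') {
        return null;                 // e.g. imgfilename[]=x arrives as an array
    }
    $base = realpath($baseDir);
    // basename() drops any directory part such as "../" or an absolute path
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . basename($requested));
    // realpath() is false for missing files and follows symlinks, so the
    // resolved file must still sit directly inside the base directory.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return (is_file($path) && array_key_exists($ext, ALLOWED_TYPES)) ? $path : null;
}

// The login state is read from the server-side session, which the client
// cannot set, rather than from a request parameter.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit();
}

$path = resolve_private_image(PRIVATE_DIR, $_GET['imgfilename'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit();
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('X-Content-Type-Options: nosniff'); // serve only as the declared type
header('Content-Length: ' . filesize($path));
readfile($path);
exit();
```

A request such as getimage.php?imgfilename=../config.php gets a 404 here, because basename() reduces it to config.php, which either does not exist in the private folder or fails the extension allow-list.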


Additionally, if you would like to do some further testing, give the htaccess tester tool a try. It allows you to specify a certain URL as well as the rules you would like to include and then shows which rules were tested, which ones met the criteria, and which ones were executed.
