hi i am trying to keep people from hotlinking my images, but from what i have read about htaccess it will also block those that wish to use the url for lagit purposes...

here is the break down

i have an image gallery, my lagit members need to be able to post the url of their albums and pics on their lagit pages of their sites and thats ok but i dont want just anyone to just pull up the site and grab the link to the pic and post it...

the way i have it set up now is that all anymember (other than paid) sees is a thumbnail unless you are a paid member, not even basic registered members can see their full size images, i did this for security issues..

now i find out that there is still a hole in my plan, if someone wanted to all they had to do was to manipulate the url on the properties window and whalaaa there is the full size image...

so can htaccess help me with the property window or the display on it....  or is there another process i need to look into...  

i understand the lessor two evils might be to just use the htaccess i have made up already and make it live, it will stop all hotlinking but i guess thats the only choice i have.  or is it?

Can you give an example (made up names) of an image that you want to protect -- who can do what with it?

Just to make sure you understand what "hotlink protection" is about, the idea is that other sites directly link to your images for display on those sites. They are stealing your storage space and bandwidth, while gaining having your nice images showing. This has nothing to do with whether someone (or some site) is allowed to see an image at all. In .htaccess, "hotlink protection" redirects requests for images (usually all .gif, .jpg, .jpeg, .png, etc.) to some sort of failure: an error message image, a 40x code, a bit of gay porn, a redirect to fbi.gov,... you get the idea. That's in a RewriteRule. Before that, RewriteCond statements are used to build a whitelist of sites (HTTP_REFERERs), including your own that are permitted to show the image (they are exempted from hitting the RewriteRule). That's the basic plan -- you can go crazy with all sorts of variations and finer-grained control if you want, based on file names, file types, information about the requester, etc.

Javascript-based protection, such as "right click disable" is incredibly easy to get around -- all the thief has to do is disable JS on his browser. Properly set-up .htaccess shouldn't be evadable, so I think your information is wrong.

Please elaborate on what you're trying to accomplish: "I have a thumbnail and a full sized image. I want random visitors to see nothing. I want unpaid members to see only thumbnails. I want paid members to see full sized images. I don't want any other site to hotlink to either image." Something like that? I think the area you want to be looking in is more along the lines of password-controlled access and access rights by group membership, rather than just hotlinking protection.

So it sounds like all the path and name information you need is in the thumbnail, and from there anyone can figure out how to get to the full sized image? Have you thought about giving completely different names to the three sizes of image? You would assign some long random (say, 16 letters and digits) filename to each image when you load it in. Instead of MyFunnyCat-thumb.jpg, MyFunnyCat-mid.jpg, and MyFunnyCat-full.jpg, you would have dofe86cfdlwx78.jpg, jcopf7693kgf778.jpg, and iffd93jfds908ds00.jpg. No obvious pattern to the names. Sure, it would be more inconvenient for those who have to type in the name, but that's what links and cut-and-paste are for. Use 21 consonants (or 42 upper and lower case) plus 10 digits, so you won't accidentally form any nasty words.

Your members would be able to distribute the image names to anyone they want to. Once the names are out "in the wild", of course some will end up being stolen or hotlinked, but that's the risk people take when they give out links. One way to handle this might be to wait for reports of hotlinks, and then add those sites to an .htaccess hotlink protection that uses a blacklist instead of a whitelist. Or, if you expect the rate of requests to be low, you could do the whitelist method and add sites (permitted to display) as requested. With the right coding, these could be white- or black-listed on a per-file basis.

It might be a bit beyond your present coding capabilities, but it doesn't have to be done in .htaccess. Give a bogus directory in the links to the images, and a PHP script will be invoked upon the 404 error. Strip off the bogus directory (to get the proper path and name) and check the HTTP_REFERER against a list of permitted and/or blacklisted domains kept for each image. If forbidden, redirect the request to some kind of failure as described earlier. If allowed, let it proceed by redirecting to the real path and name. The beauty of this is that you could throw the burden of whitelisting and blacklisting on to the image owners -- they would have to type in permitted domains (or forbidden domains) and it would be stored in a database. Anyway, something to consider for the future.

Your link gave me a 404 error, so I can't see what you've done already. Presumably you can handle the memberships and paid memberships, and access control for that part?

OK, you can always do nothing ("watchful waiting") at first. If you decide you need to do something to protect images, you have several options you can be mulling over in the mean time.

I don't think there's anything that will scream "hotlink!", but you should be able to check your site access logs (in the control panel) to see what images are being pulled up from outside your site, and by whom. Filter out your own site and filter out command-line accesses, and what's left are probable hotlinks.