[FX.php List] Image Handling

Kevin M. Cunningham kcunning at alum.mit.edu
Thu Jan 25 16:49:37 MST 2007


At 6:05 PM -0500 1/25/07, John Lannon wrote:
>Dear List,
>
>I am looking for ideas regarding secure serving of images from a FMP 
>database. How many people are utilizing the image proxy script 
>included with the current release of FX.php? Have others come up 
>with specific, more secure methods of fetching FM image data?
>
>I know this isn't a specific question, but I was hoping to solicit 
>some general input.

It's funny you should ask this, as I have been wrestling with this 
and came up with the following. Use a file (here named fmjpg.php for 
JPGs) to make the image query for your users, using the 
username/password data from a fmparams.php file. I imagine this has 
been done before, but I haven't seen it, and thought I'd pass it 
along.

=========================
<?php

/*
fmjpg.php - created by Kevin Cunningham, KCunning Consulting 
(www.kcunning.com).
This file retrieves photos from a FileMaker database. It is handled 
by this file to avoid the user having to enter (or being able to see) 
usernames/passwords.

Takes one argument: "recid" is RecordID of record containing image 
container field

This script is called, for instance, as the URL for any graphics file:
<img src="http://<thisserver>/<path>/fmjpg.php?recid=1234">
*/

# include standard settings (database name, etc.)
# for best security, this file should not be anywhere in the www folder
include 'fmparams.php';

# the record ID ends up in the FileMaker query string and in the filename
# header below, so accept nothing but a string of decimal digits
$recid = isset($_REQUEST['recid']) ? $_REQUEST['recid'] : '';
if (!is_string($recid) || !ctype_digit($recid)) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

# $url components:
# note that it uses the "http://username:password@hostname/" structure
$url = 'http://' . $DBUser . ':' . $DBPass . '@' . $FMHost . 
'/fmi/xml/cnt/data.jpg?-db=' . $DBName . '&-lay=' . $DBLayout . 
'&-field=<mypicturefield>&-recid=' . $recid ;

# send to browser header data for a jpeg
header('Content-type: image/jpeg');
# if you want the picture to be saveable by a standard name
header('Content-Disposition: inline; filename=picture' . 
$recid . '.jpg');

# send data retrieved from FileMaker (here uses readfile; if enabled, 
# could use cURL instead)
readfile($url);

?>
========================

Such a construction at least has the advantage that the end user can 
never see the username/password being used. And it can be queried 
with https if desired.

--Kevin
-- 

-Kevin M. Cunningham
  FileMaker 7/8 Certified Developer
  FSA Associate Member
  office: (617) 826-0257
  mobile: (617) 817-2978
  email: kcunning at alum.mit.edu
  web:   www.kcunning.com
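
Added example, not part of the message above or of the FX.php distribution: the same proxy idea written with cURL, which the post mentions as an alternative to readfile. It keeps the credentials out of the URL, accepts only a numeric recid, and relays the response only if FileMaker returned HTTP 200 and the body starts with the JPEG marker. It assumes fmparams.php defines $DBUser, $DBPass, $FMHost, $DBName and $DBLayout as in the post; the field name 'photo' and the function names are hypothetical.

```php
<?php
# Added example: cURL variant of the fmjpg.php proxy from the post.
# Assumption: fmparams.php defines $DBUser, $DBPass, $FMHost, $DBName, $DBLayout.
include 'fmparams.php';

# Accept only a short string of decimal digits, so nothing else reaches the query.
function valid_recid($value) {
    return is_string($value) && ctype_digit($value) && strlen($value) <= 10;
}

# Fetch the container data; returns the JPEG bytes, or false on any failure.
function fetch_jpeg($host, $user, $pass, $db, $layout, $field, $recid) {
    $query = '-db=' . urlencode($db) . '&-lay=' . urlencode($layout)
           . '&-field=' . urlencode($field) . '&-recid=' . $recid;
    $ch = curl_init('http://' . $host . '/fmi/xml/cnt/data.jpg?' . $query);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $user . ':' . $pass,  # credentials stay out of the URL
        CURLOPT_FOLLOWLOCATION => false,                # never resend them to another host
        CURLOPT_TIMEOUT        => 10,
    ));
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    # Require HTTP 200 and the JPEG start-of-image marker (FF D8 FF).
    if ($body === false || $status !== 200 || substr($body, 0, 3) !== "\xFF\xD8\xFF") {
        return false;
    }
    return $body;
}

$recid = isset($_GET['recid']) ? $_GET['recid'] : null;
if (!valid_recid($recid)) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}
# 'photo' is a hypothetical container field name; use your own.
$jpeg = fetch_jpeg($FMHost, $DBUser, $DBPass, $DBName, $DBLayout, 'photo', $recid);
if ($jpeg === false) {
    header('HTTP/1.0 404 Not Found');  # upstream error text is not passed to the browser
    exit;
}
header('Content-Type: image/jpeg');
header('Content-Disposition: inline; filename=picture' . $recid . '.jpg');
header('Content-Length: ' . strlen($jpeg));
echo $jpeg;
```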
