What is Hotlinking?

Hotlinking is when another website links directly to one or more of your images or multimedia files and includes them on its own web page. Not only is this theft of your intellectual property, but you are also paying for the bandwidth used by that site, which can become a problem for your budget.

The most common way to prevent others from hotlinking your content is Apache's mod_rewrite. While this is a solution that is freely available, there are a couple of drawbacks. One is that Apache has to be configured to use mod_rewrite (--enable-rewrite). Another is that, for a lot of people, writing regular expressions is not the easiest thing to do.

Of course there are commercial solutions to the problem. Probably the most common one is cPanel, an administration interface for web servers, which lets you create all the necessary items for your hotlink protection with a few clicks, in a matter of seconds.

Problems with common Hotlink Protection

While it may certainly sound promising to take the steps necessary to stop other sites from leeching your bandwidth, there are issues that can come about as a result. There is one major drawback to all the server-side methods of preventing hotlinking that I have come across: they all rely on the HTTP_REFERER environment variable to work.

The main problem these days is that people are becoming more and more cautious about the way that web sites use their information. If you do decide to implement anti-leeching techniques that rely on the referer, then you should be aware that you could be blocking otherwise legitimate requests. A visitor who chooses to block or obscure their browser's HTTP_REFERER may have come from a page within your domain, yet they will not pass on any recognised value to the server and will therefore be stopped from viewing your images or downloading your files.

My approach to hotlinking

Whenever a surfer enters one of my websites, I always assign a session to him. The session holds a few pieces of information, for example agent, IP, language, date, etc., and gets passed along via cookie or via GET (as a parameter to each one of my pages).

Since I deal with a lot of image content, I started databasing my collection. This basically means that, for administration and clustering purposes, I am saving all my images to a SQL database which is multi-homed and spread across several servers. One could argue whether that is a smart thing to do, but we can argue that on another day and in another article.

I wrote a little script which is used throughout my site:

<img src="http://htmlcenter.com/display.php?id=34" border="0" alt="" />

With an ever-changing ID of course. That's the part referencing my images in the database.

The following is the code from the script which I use to retrieve the image from the database:



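// Note: the mysql_* functions were removed in PHP 7; on current PHP use mysqli or PDO.
// Cast the id to an integer so request data can never alter the SQL statement.
$id = isset($_GET["id"]) ? (int) $_GET["id"] : 0;
$query = "SELECT mime, file FROM images WHERE id=" . $id;
$rawdb = @mysql_query($query, $connection);
if ($rawdb AND @mysql_num_rows($rawdb) > 0) {
  $array = @mysql_fetch_array($rawdb);
  if (!empty($array["file"])) {
    // Output the MIME header
    header("Content-Type: " . $array["mime"]);
    // Output the image
    echo $array["file"];
  } else {
    // something else...
  }
} else {
  // something else...
}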




Since I already have a session for each user that comes to my website, I just added the following:

<img src="http://htmlcenter.com/display.php?id=34&sid=383829" border="0" alt="" />

And implement a small session checkup in the script itself:



  // do database calls





The main advantage of my method is that the session is entirely server-side. A user cannot rid himself of it or fake information. Since I have a timeout and save all the necessary info (IP!) to validate against, it looks pretty perfect to me and fits my needs.
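
The session check and the image lookup described above, put together as an added example that is not the article's own script. It uses PDO with bound parameters instead of the mysql_* calls; the `sessions` table, its columns, `SESSION_TIMEOUT`, `ALLOWED_MIME` and `fetch_image()` are assumptions, and the sample rows are constructed.

```php
<?php
// Added example, not the article's script. Table and column names, SESSION_TIMEOUT
// and ALLOWED_MIME are assumptions; all sample rows below are constructed.
const SESSION_TIMEOUT = 1800; // seconds of inactivity (assumed value)
const ALLOWED_MIME = ['image/png', 'image/jpeg', 'image/gif'];

// Returns [HTTP status, MIME type, body] instead of echoing, so it can run offline.
function fetch_image(PDO $db, array $get, string $ip, string $agent, int $now): array
{
    $id  = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    $sid = is_string($get['sid'] ?? null) ? $get['sid'] : '';
    if ($id === false) {
        return [400, null, '']; // id is not a plain integer
    }
    // The session record lives on the server; the client supplies only its identifier.
    $st = $db->prepare('SELECT ip, agent, last_seen FROM sessions WHERE sid = ?');
    $st->execute([$sid]);
    $s = $st->fetch(PDO::FETCH_ASSOC);
    if (!$s || $now - (int) $s['last_seen'] > SESSION_TIMEOUT
        || $s['ip'] !== $ip || $s['agent'] !== $agent) {
        return [403, null, '']; // unknown, expired or foreign session
    }
    // Bound parameter: the id never becomes part of the SQL text.
    $st = $db->prepare('SELECT mime, file FROM images WHERE id = ?');
    $st->execute([$id]);
    $img = $st->fetch(PDO::FETCH_ASSOC);
    if (!$img || !in_array($img['mime'], ALLOWED_MIME, true)) {
        return [404, null, ''];
    }
    return [200, $img['mime'], $img['file']];
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, ip TEXT, agent TEXT, last_seen INTEGER)');
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, mime TEXT, file BLOB)');
$now = time();
$db->prepare('INSERT INTO sessions VALUES (?,?,?,?)')->execute(['383829', '192.0.2.10', 'Demo/1.0', $now - 60]);
$db->prepare('INSERT INTO images VALUES (?,?,?)')->execute([34, 'image/png', 'PNGDATA']);
$cases = [
    'own page'   => [['id' => '34', 'sid' => '383829'], '192.0.2.10'],
    'hotlinked'  => [['id' => '34'], '198.51.100.7'],
    'copied sid' => [['id' => '34', 'sid' => '383829'], '198.51.100.7'],
    'SQL in id'  => [['id' => '34 OR 1=1', 'sid' => '383829'], '192.0.2.10'],
];
foreach ($cases as $name => [$get, $ip]) {
    [$status] = fetch_image($db, $get, $ip, 'Demo/1.0', $now);
    printf("%-10s => %d\n", $name, $status);
}
```

Because the sid travels in the image URL, it ends up in logs and caches, so the IP and timeout checks are what keep a copied URL from working elsewhere.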

One of the drawbacks here is the cost in resources and performance. But since I am not forcing you, you may test and evaluate. Hope that helps!