On-The-Fly Image Generation in PHP

views:

answers:

+1 Q:

On-The-Fly Image Generation in PHP

I'm developing a script that will allow people to generate a banner for them to use. It's customizable. During the customization process, I'd like to be able to have the banner reload on the spot. So they could see the changes. Once they create the banner and are completely done with it I would give them a link for them to use. This link be a cached version of the banner and would recache every so often. Is there any way I can prevent them from abusing my on-the-spot generation to prevent excessive server load? Is there a way that I can make it so only my JavaScript can regenerate it?

Any help is greatly appreciated! Thanks!

+1 A:

You probably need to defend against images that are loaded too often, regardless of whether this comes from abuse or from having too many actual visitors. You can allocate a maximum number of refreshes for a given time period (depending on how loaded you want your server to be) for each image, and determine for each request whether you should generate a file or return a static error image.

Victor Nicollet 2010-01-09 00:00:08

I also like the idea of limiting refreshes on a per-image basis. I could hash all the configuration options together but them in the db with a timestamp and then compare future usage of those images. Probably a combination of all three answers here would provide the best result.

kmark937 2010-01-09 04:40:11

+1 A:

Comprehensive logging & session tracking will help out with the problem. You can use a session variable to track a usage of banner generation on a per-user basis. Back this up with logging the activity coming from each IP address. Deny excessive requests from heavy usage users and IP addresses.

I would imagine there may already exist software & hardware tools for managing resource usage by IP that you could drop-in without custom-coding it for your application. I would try asking this question on ServerFault as well.

pygorex1 2010-01-09 00:02:14

I like the idea of using sessions. If they went over a certain limit then they would need to provide a CAPTCHA from time to time.

kmark937 2010-01-09 04:38:16

+1 A:

You could check the referer to make sure that the requests to your on-the-fly code are coming from your site and not being hotlinked.

Annie 2010-01-09 00:04:07

I like the simplicity of this approach but unfortunately referrers can be spoofed. :(

kmark937 2010-01-09 04:00:47

I know that an individual user can use a proxy or browser add-on to spoof referrers, but how can a third-party website use referrer spoofing to make hotlinks work? I'm not saying it's impossible, I'm really curious because I can't find anything on it searching the web. If you're worried about malicious users hitting urls over and over, you should probably ask about DOS prevention on ServerFault.

Annie 2010-01-09 04:31:53

I'm more worried that people would just put the link in an img tag slap it on their page. I may use referrer checking along with another solution for the best effect.

kmark937 2010-01-09 04:35:49

Yeah, I don't see how referrer checking isn't enough to stop them from slapping the wrong link in the img tag on its own. What am I missing?

Annie 2010-01-09 04:45:32

Well, it might not be just slapped in an img tag, it could be called via JavaScript. That was more of an example. I simply can't risk this thing being accidentally or purposely abused. But I'll definitely put in referring checker since that'll probably work for most cases. +1

kmark937 2010-01-09 04:54:52

ansaurus

tags:

views:

answers:

On-The-Fly Image Generation in PHP

related questions