我应该如何创建嵌入代码以将照片显示在其他人的网站上？ [英] How should I create embed code to display my photos on someone else's website?

问题描述

我的网站上已经存储了许多照片，我希望允许其他人在自己的网站上发布这些照片中的任何一个。我想做的是为每张照片创建嵌入代码，以允许第三方在iframe中发布照片（我使用的是PHP）。就像 Getty Images在这里所做的-允许其他人嵌入他们的照片。

I have many photos already stored on my website and I want to allow other people to publish any of these photos on their own websites. What I'm trying to do is create embed code for each photo to allow third parties to publish a photo within an iframe (I'm using PHP). It's just like what Getty Images have done here - allowing others to embed their photos.

Getty的嵌入代码使用iframe，图像/网页的源代码如下所示：

Getty's embed code uses an iframe with the source to the image/webpage being something like this:

src="//embed.gettyimages.com/embed/488344275?et=-AesBiwMQb5LLh6krfjSJw&sig=nxsiL6uBhQNOeWxMs0-04_TmimSD3-PcKaqmf-Y_xTs="    

我的问题是我不知道创建/引用图像/页面的最佳方法。盖蒂创建了一个新页面来托管每个单独的图像，使它们可以添加标题等。我的图像不在数据库中，它们仅包含在某些文件夹中，我将它们显示在我网站上，

My problem is that I don't know the best way to create/reference the image/page. Getty has created a new page to host each individual image, which allows them to add captions etc. My images are not in a database, they are just contained in certain folders and I display them on my website with a foreach/glob script.

要显示iframe的目标源页面，我可以有一个PHP模板，该模板通过嵌入代码指定了唯一的图像文件名。

To display the iframe's target source page, I could have a PHP template which is given the unique image file name by the embed code.

src="//embed.mydomain.com/embed/embed-image.php?path/to-the-photo"

然后，PHP模板显示正确的图像和任何适当的图像元数据。我确定这会带来很多安全隐患-有更好的方法吗？

The PHP template then displays the correct image and any appropriate image meta data. I'm sure this comes with lots of security implications - is there a better way to do this?

推荐答案

我很漂亮确保Getty不会为每个图像创建一个新页面。他们可能只使用 htaccess 将图像请求重定向到处理该请求的脚本。也许像这样：

I'm pretty sure that Getty doesny create a new page for every single image. They probably just use htaccess to redirect the image request to a script that handles the request. Perhaps something like:

//this will allow alphanumeric id's with _ and -. You could alter to only allow numeric by only using [0-9] instead of [a-zA-Z0-9_-]
RewriteRule ^embed/([a-zA-Z0-9_-]+)$ embed.php?id=$1
RewriteRule ^embed/([a-zA-Z0-9_-]+)/$ embed.php?id=$1

现在的请求如 / embed / hash6834hfds 或 / embed / hash6834hfds / code>将重定向到 embed.php？id = hash6834hfds 。现在，您可以使用 embed.php 文件显示正确的图像。

Now a request like /embed/hash6834hfds or /embed/hash6834hfds/ will be redirected to embed.php?id=hash6834hfds. Now you can use the embed.php file to show the correct image.

这有多安全，完全取决于您对 embed.php 的实现，但是这项工作像任何请求一样，您应采取同样的谨慎和谨慎态度。要记住一些事情，但不仅限于此：

How secure this is, depends completly on your implementation of embed.php, but as this work like any request, you should apply the same caution and messures. Some things to keep in mind, but not limiting to:

• 检查ID /哈希是否符合您的期望（数字/ aplhanumeric / etc ）


• 如果您在查询中使用它来获取元数据。始终确保其不用于mysql注入


• 如果您担心有人在窃取图像，请不要使用序号

即使您想使用自己的解决方案，向脚本提供PATH作为参数也不是问题。只要确保您不使用服务器上位置的完整路径即可（例如：不要在 c：\inetpub\wwwroot\images\image.jpg Windows，但使用 \images\image.jpg ）

Even if you want to go with your own solution, it's not a problem to supply a PATH as a parameter to your script. Just make sure you dont use the full path to the location on the server (EG: dont use c:\inetpub\wwwroot\images\image.jpg on windows but use \images\image.jpg)

此外，如果确实收到完整路径，请确保它是您所期望的。人们可能会使用 \images\..\index.php 移到您的根文件夹。甚至最糟糕的是一直到系统文件夹。首先也是最重要的检查是它只是他们所请求的图像。如果他们确实使用某种奇怪的方式绕过了文件夹检查，那么如果他们只能访问图像，那么您仍然相对安全。

Also if you do receive a full path, make sure it is what you expect it to be. People could be using \images\..\index.php to move to your root folder. Or even worst all the way to a system folder. First and most important check is that it is just an image they are requesting. If they do use some exotic way to bypass your folder check, if they can only access images you are still relatively safe.

无论使用哪种方式，如果使用 PHP 来实际显示图像，您正在使用所需的更多资源。因此，如果您希望吸引大量访问者或关心性能，请不要使用 PHP 读取文件并使用正确的标题输出它。

Whatever way you go, if you use PHP to actually show the image, you are using more resources then needed. So if you expect a lot of visitors or care about performance, dont use PHP to read the file and output it with the correct headers.

我个人的投票将是使用以下程序

My personal vote would be to use the following procedure

• 索引所有图像您可以将其保存在文件夹中，并保存到数据库的路径。


• 为数据库中的每个图像以及您希望用户看到的元数据存储唯一的密钥。


• 使用 htaccess 将唯一密钥链接到PHP文件


• 在 PHP 文件检查散列是否链接到数据库中的图像


• 用< img src = >> 标记为网站公共路径上的实际图像

• Index all images you have in your folder and save the path to the database.
• Store a unique key with each image in the database and the meta data you want users to see.
• Use htaccess to link the unique key to a PHP file
• In the PHP file check if the hash links to an image in the database
• Show the meta data with php a long with an <img src=""> tag to the actual image on a public path of your website

：不确定您是否理解 URL 的 //：部分是什么，但这意味着使用与本网站使用的协议相同的协议。这意味着，如果有人使用 HTTPS 将您的图片/ iframe嵌入网页中，它也会以 HTTPS 的形式请求您的网站，因此，请确保您的服务器可以处理它。

On a side note: Not sure if you understand what the "//:" part of the URL is, but it means "use the same protocol as this website is using". Meaning that if somebody embeds your image/iframe on a webpage using HTTPS, it will request your site also as HTTPS, so make sure your server can handle it.

仅使用 HTTP：// 或没有有效的 HTTPS 服务器，意味着将您的图片嵌入安全网页的任何人现在都被标记为不安全。显然，这是不明智的选择。

Just using HTTP:// or not having a valid HTTPS server, would mean that anybody that embeds your image on a secure webpage, is now marked as being unsecure. Obviously that would be an unwise choice.

这篇关于我应该如何创建嵌入代码以将照片显示在其他人的网站上？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！