From: Jason Gerfen
Date: Thu Feb  4 15:08:43 2010
Subject: Re: Storing Images #2

If it's outside the html root you would need to create a symlink pointing 
to the appropriate folder

%> ln -s /path/to/hidden /path/to/public
*however this is very insecure

Then if you're wise you could create a simple image serving script to 
prevent direct navigation by checking the referring page request vs. an 
array of allowed script names, the folder and filename being requested 
etc. Kind of like an intermediary to ensure your (*assumed world 
readable and writable) images directory is somewhat unusable except by 
your scripts.

If you did it in this manner you could simply call the image as you 
would regularly: <img src=image/image.jpg>

Of course this is all theoretical as I have never done this before, but 
if you also block your upload script (*an assumption based on the 
question) you could limit it using Apache hosts_allow and hosts_deny 
directives.

Or you could use your upload script to copy the files to the server, 
then once the application publishes the site you could use it to copy 
the image files from the writable directory (above the web root) into 
the public images directory.

The best method would require the following:
1. a sub domain with limited access using Apache's hosts_allow and 
hosts_deny directives
2. a world read/writable folder located outside of the web root
3. script prevention by checking referring scripts as well as perhaps an 
internal allowed IP range directive
4. a command line, crontab entry to move image files from the world 
read/writable folder into the public/images folder

You should look into Linux folder and file permissions vs. the user and 
group that is running as your web server. Just a few suggestions. Keep 
in mind that the only real way to keep your stuff secure is to cut the cord.

elk dolk wrote:
> On 3 February 2010 16:07,   wrote:
>
>   
>> I currently have all my images referenced by url in my database and stored
>> in a folder/s and I think I will keep it that way...
>>     
>
> ..............................................................
>
>   
>> If you put the images OUTSIDE of the webroot/docroot/public_html
>>     
> folder (whatever you have), then a user cannot directly navigate to
> the file.
>
> e.g.
>          /home/sites/your_site/public_html/images/image1.jpg
>
>          http://www.yoursite.com/images/image1.jpg would probably work.
>
> But ...
>
> /home/sites/your_site/public_html/getImage.php
> /home/sites/your_site/hidden_images/image1.jpg
>
>   
>> Now, there is no way I can load image1.jpg from my browser. I have to
>>     
> use getImage.php, which I assume would require me to login or
> authenticate myself in some way.
> ----------------------------------------------------------
> I have my photos in /public_html/img/gid directory and with this path:
> <img src='http://www.mydomain.com/img/{$gid}/{$photoFileName}' in getImage.php the server displays the photos.
>
> Now if I put my photos outside of the public_html like this: 
>
> /hidden_images/img/gid
>
> what would be the correct path to the photos in the getImage.php script?
>


-- 
Jas
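
Added example, not part of the original thread or either poster's code: one way a getImage.php under public_html can locate and serve files kept in a sibling hidden_images directory, resolving the path relative to the script and rejecting anything that resolves outside the image root. The query parameters gid and file, the session key user_id, and the extension list are assumptions for illustration.

```php
<?php
// getImage.php (added example). Layout assumed from the thread:
//   /home/sites/your_site/public_html/getImage.php
//   /home/sites/your_site/hidden_images/img/<gid>/<file>
// Called as: <img src="getImage.php?gid=12&file=photo.jpg">

// The image store sits one level above the web root, next to public_html.
const IMAGE_ROOT = __DIR__ . '/../hidden_images/img';

// Returns the absolute path of the requested image, or null when the
// request does not name a regular file inside $root.
function resolveImage(string $root, string $gid, string $file): ?string
{
    // gid must be numeric; file must be a bare name with an image extension.
    if (!ctype_digit($gid) ||
        !preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $file)) {
        return null;
    }
    $base = realpath($root);
    $path = realpath("$root/$gid/$file"); // follows symlinks, collapses ".."
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still be under the root.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) { // hypothetical marker set by a login page
    http_response_code(403);
    exit;
}

// filter_input() yields null/false for missing or array values; both cast to ''.
$path = resolveImage(IMAGE_ROOT,
    (string) filter_input(INPUT_GET, 'gid'),
    (string) filter_input(INPUT_GET, 'file'));

// Content type comes from the file contents (fileinfo extension), not the name.
$mime = $path === null ? '' : (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this layout the web server user needs only read access to hidden_images, and no symlink into public_html is required.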
