Image Request Launches Script

When an image is requested from the server, which the HTML img tag does, the request can cause a PHP script on the server to launch.

This is different than a request via a script that responds with an image. Instead, it is a request for an image that then triggers the PHP script behind the scenes.

In other words, not this: Using a script to load an image.

<img src="https://example.com/script.php?https://example.com/subdirectory/image.jpg">

Instead, this: Loading an image directly (which triggers a script):

<img src="https://example.com/subdirectory/image.jpg">

I'll show you how to do it.

But, why?

Although I've used it for various solutions over the years, my focus was recently been brought back to it when I needed to have as accurate a count as possible of real humans visiting a page.

I'll get back to that in a moment.

When an img tag is used to request a script that is supposed to respond with an image, it takes little coding to recognize that.

When the img tag's src attribute value is a URL to script.php or other script file name, it is obvious that a script is being run. (This is the way many tracking pixels are delivered, especially for measuring email opens.)

On the other hand, when the img src URL ends with .gif, .png, .svg, .jpg, or .jpeg, it can be assumed the image is being loaded directly. Yet, a script on the server can still be run.

It is a way to measure email opens with a real image request even where 1-pixel image URLs may be ignored.

And also for what I recently used it for, to obtain as accurate a count as possible of real humans visiting a page.

When the image src URL is to a known image filename, then spiders assume a direct image request. Spiders and bots have no reason to know the image also runs a script.

A regular page load counter would count spiders and robots as well as humans who access a page. A sophisticated counter would ignore known search engine spiders. But robots that pretend to be regular browsers can be virtually impossible to detect.

There are lots of robots. In addition to the regular search engine spiders, there are testing and checking bots. As an example, when a URL is posted on Twitter, one or more spiders visit the page at the newly-posted URL. Also, some spiders roam the internet and all the while spoof themselves as regular browsers.

What I wanted for my project was a count only of humans using browsers.

The way I used the technique is when an image was loaded it launched a script that logged the IP address and user agent identification (how the browser/spider/bot identifies themselves). It was my image-load log.

Most spiders and robots that spoof themselves as regular browsers don't automatically load images, which kept them out of my image-load log. Generally, the spoofers slurp only the page source code.

The image-load log then, had entries only of those who loaded the tagged image.

To determine a page load count, known spiders were removed first (googlebot and other legitimate spiders often will load images). What is left is, mostly, a human count. I say "mostly" because there may be some requests by spoofing spiders that also request images.

As an aside, it is truly amazing to me how many spiders visit a website, especially sites that have been around for a decade or two, like Willmaster. It can make it tough to get a real human visitor count.

In my case, I wanted only a visitors, not page loads. If I had wanted page loads, I would have done something to prevent the browser from using the cached image on subsequent page loads — so it would be required to request the image again.

An example of what I did will be used to show how a script is launched when an image is requested with an img tag.

The system has four parts:

1. An image file for the image that will be displayed on the web page or in the email.

2. A PHP script that does the actions you want it to do and then, as its last action, sends the image to the browser or email reader.

3. An .htaccess file to redirect the image request to the script.

4. The img tag.

The Image File

Make a note of the URL of the image file. You'll need it for the script. This article assumes the image file is at https://example.com/image.gif

The PHP Script

Below is the source code of the PHP script I used for the human-only page access log (updated for this article).

<?php
/* Logging Script
   Version 2.0
   June 21, 2021
   Original version, Feb 2, 2021
   Will Bontrager Software LLC
*/
$ImageURL = 'https://example.com/image.gif';

$LogFileName = __DIR__.'/humanaccess.log';
file_put_contents( $LogFileName, date('r')."\t{$_SERVER['REMOTE_ADDR']}\t{$_SERVER['HTTP_USER_AGENT']}\n", FILE_APPEND );

preg_match('/\.([^\.]+)$/',$ImageURL,$match);
header("Content-type: image/{$match[1]}");
echo(file_get_contents($ImageURL));
?>

Notes:

1. Replace https://example.com/image.gif with the URL of the image file.

2. The next 2 printed lines are where the logging occurred. You would replace those lines with whatever you want the script to do when the image is requested. They may even be commented out or deleted.

3. The last 3 lines (colored purple) are the last active lines of the script. It is where the image is sent to the browser or email reader.

Upload the script to your server and make a note of its URL. You'll need the URL for the .htaccess file.

The .htaccess File

Although not required to be done exactly this way, to reduce the chance of file name conflict I suggest creating a separate directory on your server where this .htaccess file can reside. This article assumes a special subdirectory named special was made for the .htaccess file.

redirect 301 /special/image.gif /php/script.php

Notes:

The URLs in this .htaccess file are relative URLs. Relative URLs are the absolute URL with the protocol and domain name removed. As an example, if the absolute URL is https://example.com/special/image.gif then the relative URL is /special/image.gif

1. When you specify a URL for the img tag's src attribute (in the next step), it needs to include the directory where the .htaccess is located, along with an image file name.

   Replace /special/image.gif with the relative URL you will use for the img tag.

2. Replace /php/script.php with the relative URL of the PHP script in the previous step.

Upload the .htaccess file into the special directory you created for it.

If you did not create a special directory and your destination directory already has an .htaccess file, add the above .htaccess line to the current .htaccess file.

The img Tag

Now that all the pieces are installed, an img tag can be created to test the system. Here is an example.

<img src="/special/image.gif">

If your test page is on a different domain or on your hard drive, the relative URL will break and will need to be made into an absolute URL.

<img src="https:/example.com/special/image.gif">

Replace /special/image.gif with the URL you specified in the .htaccess file.

Testing

Load the page and see if the image shows up. If it does not, go back through the code to find where something is wrong.

Here are things to check:

1. The value of $ImageURL in the script must be to an existing image on the internet.

2. The relative URL for the image in the .htaccess file needs to be identical to the relative URL for the img tag.

   Note: The URL in the .htaccess file must be relative. However, if the URL in the img tag is required to be an absolute URL (used on a different domain, for example), the img URL can be made into an absolute by adding the protocol and domain name to the relative URL copied from the .htaccess file.)

When it passes the tests, you have a system where an image request also launches a script — without revealing that a script will run.

(This article first appeared with an issue of the Possibilities newsletter.)

Will Bontrager