Right now I am using base64 to control who has access to images on my website. I store these images outside of the webroot directory so no one has direct access to them. I then determine who has access to these images by what records they have access to in a postgresql database. Basically if they can query record “a” then they can see picture “a”.

if (file_exists($pic)) {
    $imgbinary = fread(fopen($pic, "r"), filesize($pic));
    $picbase64 = "data:image/gif;base64," . base64_encode($imgbinary);
    echo('<img src="' . $picbase64 . '" />');

How can I use readfile instead of base64 while still maintaining my security? For example when using the readfile method to deliver the images to the clients browser this requires me to use the $_GET method to send a variable to a php script that has the readfile and header type that then displays the images on the clients browser. The problem is anyone can look at the html source and see the <img src=phpscript.php?imagename=foo.jpg /> and then call the script in their browser with any argument they like http://www.hostname/phpscript.php?imagename=bar.jpg . With the base64 method I am currently using this is not possible since I do not need to have a separate script to process my images that takes a $_GET argument, instead the images are embedded directly in the html page.

Thanks for any help!

-Edit-
Sorry guys I failed to mention that there is also anonymous access allowed and certain information is public. Meaning if you are not authenticated and you can read record “a” you can also see image “a”.