Be aware that the crackers can and probably will at some point just spoof the referer
with a bit of JavaScript.  Checking the referer will stop the casual user who doesn't 
know anything, but it's not any kind of real security.
I know you said you can't do this, but I bet you can, so I'd take another look at what 
other people suggested.
First, symlink domain.com/cp/images/ to domain.com/public/images/ or better eachsite.com/members/images/.
Then protect domain.com/cp/.
Then search and replace the links from domain.com/cp/images/ to just /members/images/.
I can't think of any possible scenario where a symlink wouldn't do the job.
The only thing I can think of is you had a $15 / month hosting account with no shell 
access and no customer support, making it hard to actually create the symlink.
Somehow I don't think that's what you have, though. Still, even then it takes 45 seconds 
to write a script that creates the symlink.
If you symlink from each members' site it also has the enormous advantage of avoiding 
all kinds of other problems you are going to have down the road if the URLs used for the
pics don't match their logical locations, i.e. as part of each site.
If you can't use a symlink to another domain or at least another directory I'm really
curious why that could possibly be.  I'm also curious about what kind of POS CMS 
you bought that caused all these problems.  
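
The symlink and search-and-replace steps from the post above, as an added example that is not part of the original post. It assumes each member site has its own document root on the same filesystem as the shared image directory; the function names and the `*.html` file filter are hypothetical, and protecting /cp/ itself is left to the web server's own access controls.

```shell
#!/bin/sh
# Added example. Every path and host name passed in is the caller's own;
# the layout (cp/images shared, members/images per site) follows the post.

# link_member_images SHARED_IMAGES SITE_ROOT
# Creates SITE_ROOT/members/images as a symlink to the shared image directory.
# Pass SHARED_IMAGES as an absolute path so the link resolves from anywhere.
link_member_images() {
    shared=$1
    link=$2/members/images
    [ -d "$shared" ] || { echo "no such directory: $shared" >&2; return 1; }
    mkdir -p "$2/members" || return 1
    if [ -L "$link" ]; then
        rm -f "$link" || return 1          # stale symlink: repoint it
    elif [ -e "$link" ]; then
        echo "refusing to replace real path: $link" >&2
        return 1
    fi
    ln -s "$shared" "$link"
}

# rewrite_links SITE_ROOT OLD_HOST
# Rewrites http(s)://OLD_HOST/cp/images/ to /members/images/ in *.html files.
# find does not follow symlinks by default, so the shared images are untouched.
rewrite_links() {
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    pat="https\{0,1\}://$host_re/cp/images/"
    find "$1" -type f -name '*.html' -exec sh -c '
        pat=$1; shift
        for f; do
            sed "s|$pat|/members/images/|g" "$f" > "$f.new" &&
                cat "$f.new" > "$f" && rm -f "$f.new"
        done' sh "$pat" {} +
}

# Usage: script SHARED_IMAGES SITE_ROOT OLD_HOST
if [ "$#" -eq 3 ]; then
    link_member_images "$1" "$2" && rewrite_links "$2" "$3"
fi
```

The web server has to be configured to follow symlinks for the linked directory to be served, and access to the images is then governed by whatever protects each site's /members/ path.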
