basic .htaccess example

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

above allows a blank REFERER (like me).

this does not:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

there are quite a few variations you can find, may need to play around a bit to find what is best for you.

If you can utilize the .htaccess method then great, additionally, as I said in my comment, a 100% fool proof way is to utilize base64 encoding. When you are displaying images, you can use this code to convert them to base64:

<?php
$imagedata = file_get_contents("/path/to/image.png");
$base64 = base64_encode($imagedata);
?>
<img src="data:image/jpeg;base64,<?= $base64; ?>" />

Also, if you want to get really creative, you can "RAT" the hotlink "thieves" out by displaying an alternative image using your .htaccess file... do this like so:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|png)$ http://www.mydomain.com/dontstealmystuff.png [R,L]

just make sure dontstealmystuff.png is available on the server

in image_file.php use http_referer for this.

$ref = isset($_SERVER['HTTP_REFERER'])? $_SERVER['HTTP_REFERER']: "";
if ($ref != "" && strpos($ref,'http://www.yourdomain.com/')===0)
{
   //the request for this image is coming from some other domain, so take appropriate action
}
else
{
  //do whatever logic you are currently using to show the images
}

Find a full-blown solution here: http://safalra.com/programming/php/prevent-hotlinking/

You can try checking the value of $_SERVER['HTTP_REFERER'] against a known value, but as the documentation states, that can be spoofed. It might help against the common case, though.

Image hotlinking is usually detected by referer, but it won't work when:

• user has turned off referer sending in his browser (I have this for privacy purposes)
• page is viewed via HTTPS (browser shouldn't send referer data).

You'll block your actual users from viewing images.

Consider using sessions / cookies when dealing with this problem. You'll have to pass every image via php script then.

Generally speaking the proper way to do this is in something like an .htaccess file with a command such as:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?somesite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://i.imgur.com/aNbhd.jpg [L]

However to do this in PHP it's basically the same. All you do is verify that $_SERVER['HTTP_REFERER'] starts with the URL for the page. However it's possible to spoof the HTTP_REFERER so it's not going to be 100%. However the user has to do this (an external site pretty (mostly...) much can't spoof this), so it will prevent other sites from embeding your images without placing your site in an iframe or some other hoopla.

Another way, and probably the safest though it's going to be the hardest on the server, is to use the $_SESSION variable to pass a token/flag around, then check the token.

session_start();
$_SESSION["allow_images"] = true;

Then on the PHP page that gets the image for them:

if($_SESSION["allow_images"])
{ 
     //Send some pics! 
}

However this only works if the user hasn't been to your site recently enough to not have their own session still active.