--- I l <[EMAIL PROTECTED]> wrote:
> the best security practice is to store the jpg file or any other
> uploaded file in your MySQL database. This way you never have
> to worry about someone executing php by the url like
> www.example.com/pic.jpg. To view the file, the user would type
> www.example.com/veiw.php?fileID=3425433345.

That's the best? :-)

While I have a great deal of confidence in my code as well, I find it odd that you trust your own PHP code more than something like Apache, which has been tested by millions of people worldwide and is very mature. I would argue that it's more likely that you'll make a mistake in view.php than it is that you will misconfigure Apache to process images as PHP.

Security is all about knowing what you can trust and what you cannot. A mistrust of everything (paranoid security) is not a good solution, and when there is a choice, the one with less risk is more secure. In this case, I don't agree with your decision. I would put my trust in Apache.

> I can't really see any security problems here.

There are security concerns with everything, even if they're hypothetical (e.g., even when you can't discover an exploit). Be careful not to ever get too comfortable. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming Soon
http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
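
What a view.php in the scheme quoted above has to get right, as an added example that is not part of the original messages or either poster's code. The function name `view_file`, the `uploads` table with its `id`, `mime` and `data` columns, and the use of an in-memory SQLite database in place of MySQL are all assumptions made so the sketch runs offline.

```php
<?php
// Added example: hypothetical view.php logic. Table and column names are assumptions.
declare(strict_types=1);

const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

/** Returns [status, headers, body] instead of emitting, so it can be exercised offline. */
function view_file(PDO $db, mixed $rawId): array
{
    // 1. fileID must be a positive integer and nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, [], ''];
    }
    // 2. Bound parameter: the ID never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT mime, data FROM uploads WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [404, [], ''];
    }
    // 3. Only send types on the allowlist; a stored type is not trusted blindly.
    if (!in_array($row['mime'], ALLOWED_TYPES, true)) {
        return [415, [], ''];
    }
    return [200, [
        'Content-Type' => $row['mime'],
        'X-Content-Type-Options' => 'nosniff', // browser must not re-guess the type
        'Content-Length' => (string) strlen($row['data']),
    ], $row['data']];
}

// Constructed sample data in an in-memory SQLite database (stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE uploads (id INTEGER PRIMARY KEY, mime TEXT, data BLOB)');
$ins = $db->prepare('INSERT INTO uploads VALUES (?, ?, ?)');
$ins->execute([3425433345, 'image/jpeg', "\xFF\xD8\xFF\xE0 constructed bytes"]);
$ins->execute([2, 'text/html', '<b>stored with the wrong type</b>']);

// Constructed inputs: a valid ID, a wrong-type row, a missing row, two malformed IDs.
foreach (['3425433345', '2', '7', '1 OR 1=1', '../etc'] as $input) {
    [$status] = view_file($db, $input);
    printf("fileID=%-12s -> HTTP %d\n", $input, $status);
}
```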