Re: [PHP-DB] Storing Images #2
-- I have my photos in /public_html/img/gid directory and with this path: img src='http://www.mydomain.com/img/{$gid}/{$photoFileName}' in getImage.php the server displays the photos. Now if I put my photos outside of the public_html like this: /hidden_images/img/gid what would be the correct path to the photos in the getImage.php script?

Do you mean what url? You'll need a script to pull them from outside the document root. The advantage of this is you can do authentication checks before displaying the image. The disadvantage is the web-server isn't serving the images directly so there will be a slow down.

So you point your images to getimage.php?image=123456 ..

Thank you for your useful comment, but I mean what url should I use for img src instead of img src='http://www.mydomain.com/img/{$gid}/{$photoFileName}' in the getImage.php script?

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Storing Images #2
On 5 February 2010 09:08, elk dolk elkd...@yahoo.com wrote:
> -- I have my photos in /public_html/img/gid directory and with this path: img src='http://www.mydomain.com/img/{$gid}/{$photoFileName}' in getImage.php the server displays the photos. Now if I put my photos outside of the public_html like this: /hidden_images/img/gid what would be the correct path to the photos in the getImage.php script?
>
> Do you mean what url? You'll need a script to pull them from outside the document root. The advantage of this is you can do authentication checks before displaying the image. The disadvantage is the web-server isn't serving the images directly so there will be a slow down.
>
> So you point your images to getimage.php?image=123456 ..
>
> thank you for your useful comment, but I mean what url should I use for img src instead of img src='http://www.mydomain.com/img/{$gid}/{$photoFileName}' in the getImage.php script?

The whole point of putting the images _OUTSIDE_ of the web root is to completely remove the possibility of having all your images downloaded without any checks of who is doing it. If I can enter the URL of the image directly, why would I pay you for it (for example).

So, producing a symlink/alias of the images folder so that it DOES exist within docroot is completely redundant.

Something like this is what I would expect your getImage.php script to be.

<?php
// Session processing - validate session - force login page or just home page if not valid.

// Where are the images?
define('IMAGES_LOCATION', '/some/absolute/path/to/the/images/');

// Validate the image ID requested - must be +ve integer.
if (!isset($_GET['imgID']) || !is_numeric($_GET['imgID']) || intval($_GET['imgID']) <= 0) {
    // force login or just home page as the request is invalid.
    exit;
}

// Force the Image ID to an integer.
$imgID = intval($_GET['imgID']);

// At this stage, you need to convert the id from a number to the file name.
// I assume you have a DB of these.
$imgName = some_technique_to_get_the_name($imgID);

// Make sure the image exists.
if (!file_exists(IMAGES_LOCATION . $imgName)) {
    // Report a missing image.
    exit();
}

// Read image's type.
$imgData = getimagesize(IMAGES_LOCATION . $imgName);

// Send appropriate image header.
header("Content-type: {$imgData['mime']}");

// Send the image.
readfile(IMAGES_LOCATION . $imgName);

// Done.
exit();
?>

--
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
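An added example (not part of the thread and not Richard Quadling's code): if getImage.php is driven by the {$gid}/{$photoFileName} layout from the question instead of a numeric ID, the lookup has to be confined to the hidden image directory before anything is read. IMAGE_ROOT, the gid and file parameter names (as in getImage.php?gid=7&file=a.jpg) and $_SESSION['user_id'] are assumptions.

```php
<?php
// Added example, not from the thread. IMAGE_ROOT, the gid/file parameter names and
// $_SESSION['user_id'] are assumptions; adapt them to the application.
const IMAGE_ROOT = '/hidden_images/img';
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

// Map a gallery id and file name to a real file under $root, or null if the
// request is malformed, the file is missing, or the path leaves $root.
function resolve_image(string $root, string $gid, string $file): ?string
{
    if (!preg_match('/\A\d{1,10}\z/', $gid)
        || !preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $file)) {
        return null;                       // rejects "..", "/", NUL and empty values
    }
    $rootReal = realpath($root);
    $path = realpath($root . '/' . $gid . '/' . $file);  // resolves symlinks and ".."
    if ($rootReal === false || $path === false || !is_file($path)
        || strncmp($path, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        return null;
    }
    return $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample tree in the temp directory, used only for this demonstration.
    $base = sys_get_temp_dir() . '/getimage_demo_' . getmypid();
    mkdir($base . '/img/7', 0700, true);
    file_put_contents($base . '/img/7/a.jpg', 'constructed');
    file_put_contents($base . '/secret.txt', 'outside the image root');
    $cases = [['7', 'a.jpg'], ['7', '../../secret.txt'], ['../..', 'secret.txt'], ['8', 'a.jpg']];
    foreach ($cases as [$gid, $file]) {
        $hit = resolve_image($base . '/img', $gid, $file);
        echo "$gid/$file => ", $hit === null ? 'refused' : 'served', "\n";
    }
} else {
    session_start();
    [$gid, $file] = [$_GET['gid'] ?? '', $_GET['file'] ?? ''];
    $ok = !empty($_SESSION['user_id']) && is_string($gid) && is_string($file);
    $path = $ok ? resolve_image(IMAGE_ROOT, $gid, $file) : null;
    $info = $path !== null ? getimagesize($path) : false;
    if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
        http_response_code(404);   // same answer for unauthenticated, missing and non-image
        exit;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Run from the command line, the block exercises resolve_image() against the constructed tree; behind a web server the same file answers image requests.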
[PHP-DB] Storing Images #2
On 3 February 2010 16:07, wrote:

I currently have all my images referenced by url in my database and stored in a folder/s and I think I will keep it that way...

..

If you put the images OUTSIDE of the webroot/docroot/public_html folder (whatever you have), then a user cannot directly navigate to the file.

e.g.

/home/sites/your_site/public_html/images/image1.jpg

http://www.yoursite.com/images/image1.jpg would probably work.

But ...

/home/sites/your_site/public_html/getImage.php
/home/sites/your_site/hidden_images/image1.jpg

Now, there is no way I can load image1.jpg from my browser.

I have to use getImage.php, which I assume would require me to login or authenticate myself in some way.

-- I have my photos in /public_html/img/gid directory and with this path: img src='http://www.mydomain.com/img/{$gid}/{$photoFileName}' in getImage.php the server displays the photos. Now if I put my photos outside of the public_html like this: /hidden_images/img/gid what would be the correct path to the photos in the getImage.php script?
Re: [PHP-DB] Storing Images #2
If it's outside the html root you would need to create a symlink pointing to the appropriate folder

% ln -s /path/to/hidden /path/to/public

*however this is very insecure

Then if you're wise you could create a simple image serving script to prevent direct navigation by checking the referring page request vs. an array of allowed script names, the folder and filename being requested etc. Kind of like an intermediary to ensure your (*assumed world readable and writable) images directory is somewhat unusable except by your scripts.

If you did it in this manner you could simply call the image as you would regularly..

img src=image/image.jpg

Of course this is all theoretical as I have never done this before but if you also block your upload script (*an assumption based on the question) you could limit it using apache hosts_allow and hosts_deny directives.

Or you could use your upload script to copy the files to the server, then once the application publishes the site you could use it to copy the image files from the writable directory (above the web root) into the public images directory.

The best method would require the following:
1. a sub domain with limited access using Apache's hosts_allow and hosts_deny directives
2. a world read/writable folder located outside of the web root
3. script prevention by checking referring scripts as well as perhaps an internal allowed ip range directive
4. a command line, crontab entry to move image files from the world read/writable folder into the public/images folder

You should look into Linux folder and file permissions vs. the user and group that is running as your web server.

Just a few suggestions. Keep in mind that the only real way to keep your stuff secure is to cut the cord.

elk dolk wrote:
> On 3 February 2010 16:07, wrote:
> I currently have all my images referenced by url in my database and stored in a folder/s and I think I will keep it that way...
> ..
>
> If you put the images OUTSIDE of the webroot/docroot/public_html folder (whatever you have), then a user cannot directly navigate to the file.
>
> e.g.
>
> /home/sites/your_site/public_html/images/image1.jpg
>
> http://www.yoursite.com/images/image1.jpg would probably work.
>
> But ...
>
> /home/sites/your_site/public_html/getImage.php
> /home/sites/your_site/hidden_images/image1.jpg
>
> Now, there is no way I can load image1.jpg from my browser.
>
> I have to use getImage.php, which I assume would require me to login or authenticate myself in some way.
>
> -- I have my photos in /public_html/img/gid directory and with this path: img src='http://www.mydomain.com/img/{$gid}/{$photoFileName}' in getImage.php the server displays the photos. Now if I put my photos outside of the public_html like this: /hidden_images/img/gid what would be the correct path to the photos in the getImage.php script?

--
Jas
Re: [PHP-DB] Storing Images #2
elk dolk wrote:
> On 3 February 2010 16:07, wrote:
> I currently have all my images referenced by url in my database and stored in a folder/s and I think I will keep it that way...
> ..
>
> If you put the images OUTSIDE of the webroot/docroot/public_html folder (whatever you have), then a user cannot directly navigate to the file.
>
> e.g.
>
> /home/sites/your_site/public_html/images/image1.jpg
>
> http://www.yoursite.com/images/image1.jpg would probably work.
>
> But ...
>
> /home/sites/your_site/public_html/getImage.php
> /home/sites/your_site/hidden_images/image1.jpg
>
> Now, there is no way I can load image1.jpg from my browser.
>
> I have to use getImage.php, which I assume would require me to login or authenticate myself in some way.
>
> -- I have my photos in /public_html/img/gid directory and with this path: img src='http://www.mydomain.com/img/{$gid}/{$photoFileName}' in getImage.php the server displays the photos. Now if I put my photos outside of the public_html like this: /hidden_images/img/gid what would be the correct path to the photos in the getImage.php script?

Do you mean what url? You'll need a script to pull them from outside the document root. The advantage of this is you can do authentication checks before displaying the image. The disadvantage is the web-server isn't serving the images directly so there will be a slow down.

So you point your images to getimage.php?image=123456 and getimage.php does your authentication checks if necessary then pulls the image back using something like http://www.php.net/fpassthru

--
Postgresql php tutorials
http://www.designmagick.com/