Storing Images #2

on 04.02.2010 20:39:35 by elk dolk

On 3 February 2010 16:07, wrote:

> I currently have all my images referenced by url in my database and stored
> in a folder/s and I think I will keep it that way...

............................................................ ...

> If you put the images OUTSIDE of the webroot/docroot/public_html
> folder (whatever you have), then a user cannot directly navigate to
> the file.

e.g.
/home/sites/your_site/public_html/images/image1.jpg

http://www.yoursite.com/images/image1.jpg would probably work.

But ...

/home/sites/your_site/public_html/getImage.php
/home/sites/your_site/hidden_images/image1.jpg

> Now, there is no way I can load image1.jpg from my browser. I have to
> use getImage.php, which I assume would require me to login or
> authenticate myself in some way.
----------------------------------------------------------
I have my photos in /public_html/img/gid directory and with this path:

Now if I put my photos outside of the public_html like this:

/hidden_images/img/gid

what would be the correct path to the photos in the getImage.php script?







--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Storing Images #2

on 04.02.2010 21:08:43 by Jason Gerfen

If it's outside the HTML root you would need to create a symlink pointing
to the appropriate folder

%> ln -s /path/to/hidden /path/to/public *however this is very insecure

Then if you're wise you could create a simple image serving script to
prevent direct navigation by checking the referring page request vs. an
array of allowed script names, the folder and filename being requested
etc. Kind of like an intermediary to ensure your (*assumed world
readable and writable) images directory is somewhat unusable except by
your scripts.

If you did it in this manner you could simply call the image as you
would regularly..

Of course this is all theoretical as I have never done this before but
if you also block your upload script (*an assumption based on the
question) you could limit it using apache hosts_allow and hosts_deny
directives.

Or you could use your upload script to copy the files to the server,
then once the application publishes the site you could use it to copy
the image files from the writable directory (above the web root) into
the public images directory.

The best method would require the following:
1. a sub domain with limited access using Apache's hosts_allow and
hosts_deny directives
2. a world read/writable folder located outside of the web root
3. script prevention by checking referring scripts as well as perhaps an
internal allowed ip range directive
4. a command line, crontab entry to move image files from the world
read/writable folder into the public/images folder

You should look into linux folder and file permissions vs. the user and
group that is running as your web server. Just a few suggestions. Keep
in mind that the only real way to keep your stuff secure is to cut the cord.



--
Jas



Re: Storing Images #2

on 04.02.2010 22:55:48 by dmagick

elk dolk wrote:
> I have my photos in /public_html/img/gid directory and with this path:
>
> Now if I put my photos outside of the public_html like this:
>
> /hidden_images/img/gid
>
> what would be the correct path to the photos in the getImage.php script?

Do you mean what url? You'll need a script to pull them from outside the
document root. The advantage of this is you can do authentication checks
before displaying the image. The disadvantage is the web-server isn't
serving the images directly so there will be a slow down.

So you point your images to

getimage.php?image=123456

and getimage.php does your authentication checks if necessary then pulls
the image back using something like http://www.php.net/fpassthru

--
Postgresql & php tutorials
http://www.designmagick.com/



Re: Storing Images #2

on 05.02.2010 10:08:06 by elk dolk

> ----------------------------------------------------------
> > I have my photos in /public_html/img/gid directory and
> > with this path:
> > getImage.php the server displays the photos.
> >
> > Now if I put my photos outside of the public_html like
> > this:
> > /hidden_images/img/gid
> >
> > what would be the correct path to the photos in the
> > getImage.php script?
>
> Do you mean what url? You'll need a script to pull them
> from outside the document root. The advantage of this is you
> can do authentication checks before displaying the image.
> The disadvantage is the web-server isn't serving the images
> directly so there will be a slow down.
>
> So you point your images to
>
> getimage.php?image=123456
>
............................................................ ...
thank you for your useful comment, but I mean what url should I use
for img src instead of





Re: Storing Images #2

on 05.02.2010 11:46:51 by Richard Quadling

On 5 February 2010 09:08, elk dolk wrote:
>> ----------------------------------------------------------
>> > I have my photos in /public_html/img/gid directory and
>> > with this path:
>> > getImage.php the server displays the photos.
>> >
>> > Now if I put my photos outside of the public_html like
>> > this:
>> > /hidden_images/img/gid
>> >
>> > what would be the correct path to the photos in the
>> > getImage.php script?
>>
>> Do you mean what url? You'll need a script to pull them
>> from outside the document root. The advantage of this is you
>> can do authentication checks before displaying the image.
>> The disadvantage is the web-server isn't serving the images
>> directly so there will be a slow down.
>>
>> So you point your images to
>>
>> getimage.php?image=123456
>>
> ............................................................ ..
> thank you for your useful comment, but I mean what url should I use
> for img src instead of >


The whole point of putting the images _OUTSIDE_ of the web root is to
completely remove the possibility of having all your images downloaded
without any checks of who is doing it.

If I can enter the URL of the image directly, why would I pay you for
it (for example).

So, producing a symlink/alias of the images folder so that it DOES
exist within docroot is completely redundant.

Something like this is what I would expect your getImage.php script to be.

<?php
// Session processing - validate session - force login page or just
// home page if not valid.

// Where are the images?
define('IMAGES_LOCATION', '/some/absolute/path/to/the/images/');

// Validate the image ID requested - must be +ve integer.
// (Guard against a missing parameter first; reading $_GET['imgID']
// when it is absent raises a notice.)
if (!isset($_GET['imgID']) || !is_numeric($_GET['imgID']) || intval($_GET['imgID']) <= 0) {
    // force login or just home page as the request is invalid.
    exit;
}

// Force the Image ID to an integer.
$imgID = intval($_GET['imgID']);

// At this stage, you need to convert the id from a number to the file name.
// I assume you have a DB of these.
$imgName = some_technique_to_get_the_name($imgID);

// Make sure the image exists (and is a file, not a directory).
if (!is_file(IMAGES_LOCATION . $imgName)) {
    // Report a missing image.
    exit();
}

// Read image's type. getimagesize() returns false if the file is not an image.
$imgData = getimagesize(IMAGES_LOCATION . $imgName);
if ($imgData === false) {
    // Not an image - report it rather than sending the file.
    exit();
}

// Send appropriate image header.
header("Content-Type: {$imgData['mime']}");

// Send the image.
readfile(IMAGES_LOCATION . $imgName);

// Done.
exit();
?>


--
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

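As an added example (not code from anyone in the thread), a getimage.php of the kind dmagick and Richard describe, referenced from the page as getimage.php?image=123456; the id-to-filename lookup that Richard leaves as a placeholder is filled in with a constructed array, and IMAGES_LOCATION, $catalogue and the 'user_id' session key are assumptions standing in for the poster's database and login system.

```php
<?php
// Added example, not from the thread. IMAGES_LOCATION, $catalogue and the
// 'user_id' session key are assumptions standing in for the poster's DB/login.
session_start();

define('IMAGES_LOCATION', '/home/sites/your_site/hidden_images/');

// Stand-in for the database lookup: image id => file name (constructed data).
$catalogue = array(
    123456 => 'image1.jpg',
    123457 => 'image2.png',
);

// 1. Authentication: the session, not the Referer header, decides access.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// 2. Validate the id: a positive integer that exists in the catalogue.
$imgID = filter_input(INPUT_GET, 'image', FILTER_VALIDATE_INT,
    array('options' => array('min_range' => 1)));
if (!$imgID || !isset($catalogue[$imgID])) {
    http_response_code(404);
    exit('No such image');
}

// 3. Resolve the path and confirm it is still inside IMAGES_LOCATION, so a
//    bad catalogue entry containing '..' cannot reach files elsewhere.
$base = realpath(IMAGES_LOCATION);
$path = realpath(IMAGES_LOCATION . $catalogue[$imgID]);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('No such image');
}

// 4. Take the MIME type from the file's contents, not its extension.
$info = getimagesize($path);
if ($info === false) {
    http_response_code(415);
    exit('Not an image');
}
header('Content-Type: ' . $info['mime']);
header('Content-Length: ' . filesize($path));

// 5. Stream the file to the client (http://www.php.net/fpassthru).
$fp = fopen($path, 'rb');
fpassthru($fp);
fclose($fp);
```

Because access is decided by the server-side session rather than the referring page, a client cannot get around the check by supplying its own Referer header, which is the weakness of the referrer-based approach mentioned earlier in the thread.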