
PHP Security Issue

100+
P: 228
Hi,
Sorry if this question has been asked before. I am doing a website that requests users to upload their photos, articles. I put those in a folder outside the root folder of my website. But the visitor can easily see the folders they are located in by viewing the src of the HTML. How can I sort of encrypt that? What security measures should I take to protect that data basically?

NOTE: I am a newbie and this is a project I am trying to finish successfully.
Oct 5 '08 #1
6 Replies


Markus
Expert 5K+
P: 6,050
If they're outside of the webroot, ie:

    - host
    - safe
        - user_photos
        - user_articles
    - web_root(html)
         index.php

where safe is the location of user_photos and user_articles, it shouldn't matter whether the user can see the location of the files because they're stored somewhere where they are inaccessible to the browser.

If I am misunderstanding, please correct me.

Markus.
Oct 5 '08 #2

100+
P: 258
Hi
The problem is that if you don't allow the user to have access to an image then you cannot use the image in HTML, because the user will still need access to view it.

But there is one thing I could come up with to protect images.

Put your images in a folder which users don't have access to. Then you can use PHP GD to serve the image only to a specified user.

Here is the code to serve the image by PHP GD:
imageviewer.php

    <?PHP
        // if the image is a GIF use imagecreatefromgif
        // if the image is a PNG use imagecreatefrompng

        $img = imagecreatefromjpeg("yourImage.jpg");
        // Tell the browser the output is a PNG; without this header PHP sends text/html.
        header("Content-Type: image/png");
        imagepng($img);
        imagedestroy($img);
    ?>

Then as the SRC of your image tags of your HTML code use the above PHP file like this:

    <img src="imageviewer.php">

There are currently many websites using this method to protect their photos.
In some websites when you right click on an image and go to properties the only address you can see is a PHP file.

And don't forget that GD must be enabled on the server you are executing your script on. Most servers have GD enabled by default.

Hope this helps you
Oct 5 '08 #3

Atli
Expert 5K+
P: 5,058
Hi.

An alternate way of serving images through a PHP file would be to simply set the appropriate headers and read the contents of the file into the output buffer:

    <?php
    $file = "/path/to/file.jpg";
    $info = getimagesize($file);
    header("Content-Type: ". $info['mime']);
    header("Content-Length: ". filesize($file));
    readfile($file);
    ?>

This would not require the GD extension and would work regardless of the image type.
Also, this should use less memory than its GD counterpart, as the image would not need to be loaded into memory before it is sent. (Although that would depend on the internals of the readfile function)
Oct 6 '08 #4

100+
P: 228
Thanks Guys!

That was very helpful!

YOU ROCK!
Oct 8 '08 #5

100+
P: 228
> Hi.
>
> An alternate way of serving images through a PHP file would be to simply set the appropriate headers and read the contents of the file into the output buffer:
>
>     <?php
>     $file = "/path/to/file.jpg";
>     $info = getimagesize($file);
>     header("Content-Type: ". $info['mime']);
>     header("Content-Length: ". filesize($file));
>     readfile($file);
>     ?>
>
> This would not require the GD extension and would work regardless of the image type.
> Also, this should use less memory than its GD counterpart, as the image would not need to be loaded into memory before it is sent. (Although that would depend on the internals of the readfile function)

Dear,
Help out here please. I actually like your tip because it takes less memory, but how would I have to do it from a function? I need to call it from various files, send parameters, then store the image that I can use in img src?
Oct 16 '08 #6

Atli
Expert 5K+
P: 5,058
It's like bnashenas says. You will have to put this code into a separate file which is called by an <img> tag's src attribute.

The code acts as an image, so it cannot be called directly from your other scripts. You have to let the browser call it as an image.

Like, for example, if I did this:

    <?php
    // Create a list of available files
    // This could be done using a database instead.
    $dir = "/path/to/secure/image/location/";
    $files = array("image1.jpg", "image2.jpg", "image3.jpg");
    $errorImage = "error404.jpg";

    // Find the requested file from $_GET
    if(isset($_GET['id']) && isset($files[$_GET['id']])) {
      $file = $dir . $files[$_GET['id']];
    }
    else {
      $file = $dir . $errorImage;
    }

    // Print the image
    $info = getimagesize($file);
    header("Content-Type: ". $info['mime']);
    header("Content-Length: ". filesize($file));
    readfile($file);
    ?>

And put this into a file named "imageviewer.php".

I could use this to show the images.

    <?php
    for($i = 0; $i < 4; $i++) {
      echo '<img src="imageviewer.php?id='. $i .'" alt="Image #'. $i .'" />';
    }
    ?>

The first 3 would show images 0 to 2 from the array, but the last one would show the error image.
Oct 16 '08 #7
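
The thread mentions serving an image "only to a specified user" and looking files up by id, but no post shows the access check itself. The following is an added example, not code from any poster: an imageviewer.php that combines the id lookup with a per-user ownership check and treats uploads as untrusted. The `$_SESSION['user_id']` key, the `$images` map (standing in for a database table) and the `deny()` helper are assumptions made for illustration.

```php
<?php
// imageviewer.php: added example, not code from the thread.
// Assumptions (hypothetical): the login code stores an integer in
// $_SESSION['user_id']; the $images map stands in for a database table.
session_start();

const IMAGE_DIR = '/path/to/secure/image/location/';
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

// Constructed sample data: image id => owner and stored file name.
$images = [
    1 => ['owner' => 42, 'file' => 'image1.jpg'],
    2 => ['owner' => 42, 'file' => 'image2.jpg'],
    3 => ['owner' => 7,  'file' => 'image3.jpg'],
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// Accept only a plain integer id; arrays and strings such as "../x" fail here.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false || !isset($images[$id])) {
    deny(404);
}

// Authorization: the requester must be logged in and own the image.
$userId = $_SESSION['user_id'] ?? null;
if ($userId === null || $images[$id]['owner'] !== $userId) {
    deny(403);
}

// The path is built from the server-side map only, never from request data.
$path = IMAGE_DIR . $images[$id]['file'];
$info = is_file($path) ? @getimagesize($path) : false;
if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
    deny(404); // file missing, or an upload that is not really an image
}

header('Content-Type: ' . $info['mime']);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff'); // stop browsers re-guessing the type
header('Cache-Control: private');          // keep the image out of shared caches
readfile($path);
```

Because the script decides per request, hiding the storage folder name is not what protects the files; the ownership check and the fixed id-to-file mapping are.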
