My question is, where should i save photos that will be uploaded from the users?
my root dir for the server is
C:/apache
here i have the folder that contains the php files C:/apache/htdocs . I was wondering where should i save the files, i heard it will be better if i saved it somewhere else than the htdocs (folder that contains the php scripts), but here is the thing. If i save it directly to C:/apache then i can't access the photos. While saving it to a new folder in C:/apache/htdocs/photos would make the photos folder visible or accesible from the php pages. Is there a way i can save them somewhere else, like, let's say one folder up from the htdocs folder?
EDIT: the .htaccess seems like a good solution. Though i'm curious about this 1 thing:
I was thinking, is it possible to have directories something like this?
--->phpfiles
|--->index.php
|--->another.php
--->photos
|--->1.jpg
|--->etc.jpg
And still somehow link those photos to my php files? Like making the server only view the phpfiles folder for links and all of that (so i can go to localhost/index.php and not localhost/phpfiles/index.php ) ?
EDIT 2: My server root is C:/apache, while my Document Root is C:/apache/htdocs. in case of any misunderstanding, sorry
I would suggest putting the uploads in a folder like you suggested with C:/apache/htdocs/photos and place a .htaccess in that file that prevents direct access to the folder. That way the folder won't be visible and they can't access the images without the file name.
Another solution would be to upload the images on a third party server.
Related
when I use the CodeIgniter to upload pic to server , pictures are stored in '/controllors/file', and i have changed the file directory's permission to 777 already.But when i try to visit the url, "https://server/file/xxx.png" ,it returns 404. The url is correct, what's wrong with server ,please? My English is poor
if you want to store a picture, then save the file in a directory that is outside the codeigniter standard paths - .htaccess could be getting in the way. I suggest you have a structure like assets/images and store the images there.
Controllers are to serve files that require some sort of business logic - so does the user have access to the image etc?
Also look at the owner of the folder - it probably should have permissions of 755
I am attempting to create a script in PHP which reads and includes all files from a directory which is above the domain name directory.
For example:
My domain name is example.com and located in /var/www/html/example.com/ and I want /var/www/html/example.com/file.php to be able to read from:
/var/www/html/videos/video1/ which contains index.html and the folders:
/var/www/html/videos/video1/images/ and /var/www/html/videos/video1/scripts/
e.g. www.example.com/file.php?dir=/var/www/html/videos/video1/index.html
If I use include (/var/www/html/videos/video1/index.html) it will only call the html file, which is done perfectly. However all the files in images folder and the scripts folders are not able to load.
I don't want to copy or call each file separately. I want to be able to only need to call index.html and then make the browser think it's in that directory and automatically read any file within there.
I know this works because Moodle uses this method (in file.php) to protect learning files by storing them in a moodledata folder which is one level above the public folder.
I've had a look but cannot make sense of it and I've searched the Internet to achieve the method I have explained above but have not had any success.
The reason I want to do this is to avoid having duplicate video files on the server for other sites that are hosted on the same server.
Many thanks in advance and for taking the time to assist.
$dir = realpath(dirname(__FILE__)."/../");
This would be the directory you are looking for. Require files relative to that.
To output a different file look at readfile which outputs straight to the buffer or perhaps use file_get_contents which can be held in a variable.
See if you can load an image in the browser directly, if you can it's probably a problem with your code, if you can't it may be a rights issue.
Among many folders available on the server by default like "public_html", "public_ftp" or simply the root, which one is the best to upload and store users' images safely which I can also add a link to mysql db?
If your clients upload images via http form, store it in public_html if they need access it from web.
I recommend you to save the files somewhere in "public_html" and create the following file to restrict public access:
file: upload/.htaccess
deny from all
In your php script you can send the files only to the users with access.
In my opinion, store it outside of the public htdocs folder. This is so that if someone manages to upload anything other than an image file (such as an evil PHP script), they won't be able to call it (and it won't run).
If you're public_html folder is say /path/to/website/public_html I'd store them in /path/to/website/uploaded_images
Also, make sure you that validate it so that it uses a white-list of allowed image names (such as only allowing .jpg, .gif and .png)
Edit:
You also need to create a script which opens the image file and passes it through back to the user
Define safely.
If you want to display these images on a site, that will be a folder in public_html, obviously, unless you want to use a script which presents the images to the user, possibly altering the image on-the fly, changing cache headers etc. Then you may move that folder outside of docroot anywhere the script will have access to those files.
Personally I store user images, files and everything in docroot, protected by .htaccess and accessed via a script which handles user permissions, if necessary. The files reside in an /uploaded folder with subfoldering up to 2 levels deep, each 'level' storing up to 1024 dirs/files. Files are named by their ids only, without any extension, all file info is stored in database. Took me some time to implement, but thankfully this is a reusable code.
Any folder inside your document root is fine. If you want it to be secure, make sure your script accepts only allowed file typed and, as another measure, put an .htaccess file inside that folder:
<FilesMatch "*.php">
SetHandler None
</FilesMatch>
This will ensure nothing get's executed from inside this directory.
I want users to be able to upload files, but I don't want them to be able to view the contents of the folder which the files are uploaded to. A PHP script should be able to browse and read the files in the hidden (for the users) folder.
Any ideas?
Upload to a folder that's not in public_html - they can then only be accessed via FTP or the server itself, not by HTTP.
Theres multiple ways of accomplishing this.
option1 : like kolink says, place the files outside of your webroot (public_html)
option2 : use a .htaccess where you deny access to the dir, if you dont want the files to be listed you can use the following in your .htaccess
Options -Indexes
You might also wanna look at the permissions for the files using chmod.
Not totally secure, but a simple solution would be to place an index.php file in the folder you don't want accessed, that redirects the user back to the homepage. This will mainly prevent easy browsing of unindexed folders.
<?php
header('Location: ../../index.html');
?>
I have read the following tutorial "Uploading Files To the Server Using PHP"
and have several questions related to the topics.
Q1> The tutorial mentions that
"Note that PHP must have write access
to $uploadDir or else the upload will
fail"
For me, I only allow the user to upload the file after the user has login to the website.
If we set that $uploadDir permission as 777, then everyone can have written permission to that folder. How to avoid this problems?
Also I am using WAMP as my testing bed, can I simulate the same case as a real web server?
Q2> In order to prevent Preventing direct access, the tutorial mentions:
"A better approach is to move the
upload directory away from your web
root. For example, the web root for
this site is:
/home/arman198/public_html/ to prevent
direct listing i can set the upload
directory to /home/arman198/upload/."
Now my problem is that how can I display the uploaded images on other website pages. Since, the upload is not accessible directly anymore? I need to display the uploaded image save personal headshot dynamically on other website page. Is it possible?
Thank you
It's a common problem.
All modern computers have a temporary files directory. On Linux/Unix it's /tmp, on Windows it's usually c:\temp. The OS install will have set permissions on that directory so that anyone can write files there but only privileged users can delete files that don't belong to them. This is where PHP will want to put an uploaded file; your application then has to move it elsewhere (this is the purpose of the move_uploaded_file() function). PHP under Windows may need upload_tmp_dir actually set in the php.ini file.
Once you have an uploaded file, you can shift it whereever you like, including to where the webserver can read it to serve it. The biggest problem with that it is awfully easy to put this directory inside your codebase. Don't do that. As soon as you do anything beyond editing the files inside the directory they are served from, it will be problematic. Trust me: I've dealt with a few times this in code I've inherited. It's easy to let your webserver load files from a location outside your codebase.
The other alternative is to produce a download script. That way the file need not be servable by the webserver at all. One disadvantage is that you don't get to leverage the web server's MIME translation, but then, that lets you control which types of image files are permitted.
For the second question, you can use a PHP script intead of direct access to the directory. Lets name it image.php. Lets assume that it can take a parameter id, like image.php?id=image_id. In that file you can get the id using superglobal array $_GET. Then you can search for images with that Id and just send it as response.
First one I'm not sure, but maybe play with .htaccess file.
And for the first question, try setting your permissions to 775. That should allow PHP to write the file to the directory without giving the general public write access.