Access folder and select filename using PHP - php

I have written some code where the user selects a profile picture, and the picture is then stored in localhost/user/$username/photos/photo1.gif.
After that, I assigned the filename (photo1.gif) to a session variable so I can display it from all my PHP scripts. This is working just fine. I can display the picture in every PHP script by accessing this session variable.
The only problem I have is when I am trying to log in from the login page: in the login page I connect to the database, retrieve email and password, check them and if they are OK I redirect the user to home.php. The problem is that the user's photo is not linked to the email, so I cannot know the filename of the photo. The only thing I know for sure is the directory (because I can retrieve the username from the database as well).
Let's say that a user has uploaded 4 photos (photo1, photo2, photo3, photo4 - photo4 was uploaded last). It makes sense that he is currently using photo4 as his profile picture.
Is there a way for me to access that folder and retrieve the filename of the picture uploaded last?
Also, as a general question, what is better: storing the photos (or files) in a database or on the server?

A few options:
It would be 'better' to create a photo table and store the user_id and the photo location in that table. Storing the actual photo in the table as a blob is not generally recommended.
Alternatively, to avoid more tables, you could rename the photos as
username_photo1.jpg
username_photo2.jpg
username_photo3.jpg
And then you can retrieve the largest of them.
Finally, another option is to get the file creation date of the photos in the directory and take the most recent photo.
see Getting the filenames of all files in a folder
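The answer's last option (take the most recent file in the user's folder), written out as an added example that is not from the answer itself. PHOTO_BASE is an assumed on-disk location for the localhost/user/ tree from the question; the username is whatever the login query returned.

```php
<?php
// Added example: pick the most recently uploaded photo in
// localhost/user/$username/photos/, the layout described in the question.
// PHOTO_BASE is an assumed path; modification time stands in for the
// answer's "file creation date", which PHP does not expose portably.
declare(strict_types=1);

const PHOTO_BASE = '/var/www/html/user'; // assumed on-disk location of /user/

function latestUserPhoto(string $username): ?string
{
    // The directory name is built from the username, so reject anything that
    // is not a plain account name ("../", slashes, NUL bytes) before touching disk.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $username)) {
        return null;
    }
    $base = realpath(PHOTO_BASE);
    $dir  = realpath(PHOTO_BASE . '/' . $username . '/photos');
    // realpath() follows symlinks: confirm the folder really lives under PHOTO_BASE.
    if ($base === false || $dir === false || strpos($dir, $base . '/') !== 0) {
        return null;
    }

    $newest     = null;
    $newestTime = -1;
    foreach (scandir($dir) as $entry) {
        $path = $dir . '/' . $entry;
        // Skip ".", "..", subfolders and anything without an image extension.
        if (!is_file($path) || !preg_match('/\.(gif|jpe?g|png)$/i', $entry)) {
            continue;
        }
        $mtime = filemtime($path);
        if ($mtime > $newestTime) {
            $newestTime = $mtime;
            $newest     = $entry;
        }
    }
    return $newest; // e.g. "photo4.gif", or null when the folder is empty
}

// After a successful login, store it the way the question already does:
// $_SESSION['profile_photo'] = latestUserPhoto($usernameFromDb);
```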

Related

Image delete security vulnerabilities

I have developed a script to upload & delete images. The images will be saved to a directory like webroot/images. The file names relating to each user's upload will be saved in the database when a publish button is clicked. Until then the images will be uploaded in order so that I can show a preview. All seems to work fine except a security vulnerability that allows users to delete other users' images. E.g. any user can copy the file name of an image & inject it into the delete script. Is there any mechanism to prevent this issue?
Hope this explanation isn't boring, it's a little hard to explain.
In the database table that stores the image filenames, add a field for the user_id that owns the image.
When the delete action is invoked, lookup in the table to see if the current logged in user is associated with the image that they are trying to delete. If the user_id in the table doesn't match the logged in user then do not allow the delete.
You have to change the file name of the image before uploading. A timestamp is best in this case. For security, while deleting an image you have to check whether the file is owned by the current user or not.
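The ownership check both answers describe, as an added example rather than code from either answer. It assumes a PDO connection, a session holding user_id, an `images` table with (id, user_id, filename) columns, and an UPLOAD_DIR matching the question's webroot/images; the client sends an image id, never a filename, so there is nothing to "inject".

```php
<?php
// Added example: delete handler that only removes an image the logged-in user
// owns. The row is looked up by image id AND user_id, so a caller cannot reach
// another user's file by guessing or copying its name.
// Assumed: $pdo (PDO), $_SESSION['user_id'], table images(id, user_id, filename).
declare(strict_types=1);
session_start();

const UPLOAD_DIR = '/var/www/webroot/images'; // assumed, from the question

function deleteOwnImage(PDO $pdo, int $userId, int $imageId): bool
{
    // Ownership is enforced in the query itself: a row only comes back when
    // the image belongs to this user.
    $stmt = $pdo->prepare(
        'SELECT filename FROM images WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $imageId, ':uid' => $userId]);
    $filename = $stmt->fetchColumn();
    if ($filename === false) {
        return false; // not found, or owned by someone else: refuse
    }

    // The name comes from our own table, but basename() still guarantees the
    // path cannot leave UPLOAD_DIR even if the table were ever tampered with.
    $path = UPLOAD_DIR . '/' . basename($filename);

    // Remove the row, then the file, inside a transaction so a failed unlink
    // rolls the record back instead of leaving it pointing at nothing.
    $pdo->beginTransaction();
    $del = $pdo->prepare('DELETE FROM images WHERE id = :id AND user_id = :uid');
    $del->execute([':id' => $imageId, ':uid' => $userId]);
    if ($del->rowCount() !== 1 || (is_file($path) && !unlink($path))) {
        $pdo->rollBack();
        return false;
    }
    $pdo->commit();
    return true;
}

// Request handling: POST only; the id is cast to int and never used as a path.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['user_id'])) {
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [ // assumed DSN
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $ok = deleteOwnImage($pdo, (int) $_SESSION['user_id'], (int) ($_POST['image_id'] ?? 0));
    http_response_code($ok ? 204 : 403);
}
```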

How do profile pictures work?

I'm using PHP and MySQL, and don't know where to start with how to set up profile pictures.
It seems all other user data can be held in the MySQL table, but I don't think I can put pictures into a MySQL table. So how do profile pictures generally work?
You can put pictures in a database (using a BLOB field), but I wouldn't, due to the performance hit.
Store the images on the filesystem with PHP, and just store the ID of the picture in the database.
I think that what is usually done is set up an upload system for users to upload their images. You just have to link this image with the user by naming it with something like a user ID.
Then you just have to store a link to the uploaded picture in your database, this way you could also imagine allowing user to use remote images although this might not be a good idea.
But as said, the MySQL BLOB field allows storing pictures.

Match up database record with image from upload folder

I have a database with users' information such as name, email etc. in it. When they sign up they must upload a picture. At present, when they do, the image goes into an 'uploads' folder on the server.
My question is, how do I go about aligning the database record with the corresponding image in the folder?
You should store the file name / URL (make it unique, md5 the user's ID or something) in the DB as a reference; this is the best way to handle this type of photo + user relationship.
And as normal, just save the actual file in /uploads/
Simply create a column in your DB called user_photo and save the link to the file /uploads/john_smith_321sf.jpg
That way in the future, you just retrieve it using your database data.
You can name the image with something that is unique in the database. For example if 'John', whose user id is 157, uploads an image, name the image 157.jpg - you can then query the folder for that id and extension.
Sorry, re-read the comments.
I'm assuming then that your upload file is out of the document root, is that correct? Will this help:
header('Content-Type: image/x-png'); //or jpg....
readfile('displayfile.png');
die();

Storing pictures per user on website (php)

Users of the website need to be able to store images in their "area". Should I store these in the database directly or create a directory for each user?
Or should I just have a single directory for all images and in the database store a list of images that each user owns?
I'm looking for the most efficient way, which I think is a folder for each user?
If you have many pictures per user like avatar and gallery of photo created by the user then use separate folders named with the user id or a hash of the user id.
If you only store avatars have one big folder where the name of the image is the user id or hash of the user id.
It depends on how many pictures there are.
If there is only one picture per user, then perhaps all in the same directory.
However, if you have albums and such, there can be millions of photos with all the users' photos in the same folder. This would be very slow to search in. Then I'd go with one folder per user.
Also, never give direct access to the folders. Use your database to link to the files.
Better to use a folder, or a cache folder. You can also use resizing functions for the image, so if a user uploads a large-scale picture, your script will create different sizes, like avatar pics, and cache those images. So thumbnail or avatar viewers only view the cached image of the original image, and the large image is usable for future work, like a bigger preview of the avatar.

(php) - help writing a script for uploading images

I am trying to upload an image to a directory on a server. I'm using the tutorial found at http://www.reconn.us/content/view/30/51/.
First, is that a good method for uploading images using PHP?
Second, I'm also going to store the info in a MySQL database. What is a good way to deal with images that have the same name that the user uploads? For example, if a user uploads a file 'test.png' 2x in a row, what should happen to the second filename? From the script above, both will get a unique filename, but how would I as the user access that image again? I couldn't just query because the only name I know was the duplicate name I gave it, and I definitely don't know the unique name the server gave it using the upload time...
Third, what is a good max file size for images?
You can report the unique URL back to the user after the upload so that the user will know where to find the image. So, the first test.png could be http://www.example.com/images/fjdklagjsdl.jpg and the second could be http://www.example.com/images/jklfsdlkj.jpg
You can also provide some kind of interface for users to view images they've uploaded. If you display a thumbnail of the uploaded image next to the image's unique filename, it will be easy for the user to identify which image is which.
This is the method I use:
Users upload images
Server saves the image with a unique (GUID or something) filename and stores - both - the unique generated filename and the original uploaded filename in a database
Images are linked to using either the original_filename, unique_filename or primary_key for the images table.
The images are taken from the server, and served using the original filename stored in the database. This way you avoid chances of conflicting filenames and you preserve the image's original filename. In addition, this allows you to build a search on the original_filename column for the user to use.
With this method, unique filenames never have to be exposed to the user; instead they're used to locate the image associated with a specific id or original_filename in the 'images' table.
Of course, if you don't care about giving the original filename to the image when it's displayed, you can just generate a unique filename whenever you want to store it.
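The "unique filename on disk, original filename in the database" method from the answer above, written out as an added example (not the tutorial's or the answer's own code). It assumes a PDO connection, a session user_id, an UPLOAD_DIR kept outside the web root so files are only reachable through serveImage(), an `images` table with (id, user_id, unique_filename, original_filename, mime) columns, and a 2 MB size limit as one answer to the "good max file size" question.

```php
<?php
// Added example: store an upload under a random name, keep the original name
// in the database, and serve it back under that original name.
// Assumed: $pdo, $_SESSION['user_id'], UPLOAD_DIR outside the web root,
// table images(id, user_id, unique_filename, original_filename, mime).
declare(strict_types=1);

const UPLOAD_DIR = '/srv/app/uploads';  // assumed; not web-accessible
const MAX_BYTES  = 2 * 1024 * 1024;     // assumed limit

function storeUpload(PDO $pdo, int $userId, array $file): int
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // Decide the type from the bytes, not from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'][$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('not an allowed image type');
    }
    // Random name: two uploads of "test.png" never collide and never overwrite.
    $unique = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $unique)) {
        throw new RuntimeException('could not save file');
    }
    $stmt = $pdo->prepare('INSERT INTO images (user_id, unique_filename, original_filename, mime)
                           VALUES (:uid, :uniq, :orig, :mime)');
    $stmt->execute([
        ':uid'  => $userId,
        ':uniq' => $unique,
        ':orig' => basename($file['name']), // display name only, never a path
        ':mime' => $mime,
    ]);
    return (int) $pdo->lastInsertId(); // the id the user refers to from now on
}

function serveImage(PDO $pdo, int $imageId): void
{
    $stmt = $pdo->prepare('SELECT unique_filename, original_filename, mime FROM images WHERE id = :id');
    $stmt->execute([':id' => $imageId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { http_response_code(404); return; }
    header('Content-Type: ' . $row['mime']);
    // Strip quotes and non-printable bytes so the original name cannot break the header.
    $name = str_replace('"', '', preg_replace('/[^\x20-\x7E]/', '_', $row['original_filename']));
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile(UPLOAD_DIR . '/' . basename($row['unique_filename']));
}
```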
