I have developed a script to upload and delete images. The images will be saved to a directory like webroot/images. The file names relating to each user's upload will be saved in the database when a publish button is clicked. Until then the images will be uploaded in order so that I can show a preview. All seems to work fine except a security vulnerability that allows users to delete other users' images. E.g.: any user can copy the file name of an image and inject it into the delete script. Is there any mechanism to prevent this issue?
Hope this explanation isn't boring, it's a little hard to explain.
In the database table that stores the image filenames, add a field for the user_id that owns the image.
When the delete action is invoked, lookup in the table to see if the current logged in user is associated with the image that they are trying to delete. If the user_id in the table doesn't match the logged in user then do not allow the delete.
You have to change the file name of the image before uploading. A timestamp is best in this case. For the security concern, while deleting an image you have to check whether the file is owned by the current user or not.
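One way to implement the ownership check both answers describe, as an added example (not code from the question or the answers): the delete handler looks the image up by id and by the logged-in user's id, so a file name copied from someone else's page never reaches the filesystem call. It assumes an `images` table with columns id, user_id and filename (rows written at upload time, as suggested above), a session holding user_id, and hypothetical connection details.

```php
<?php
// Added example: delete an uploaded image only if the logged-in user owns it.
// Table images(id, user_id, filename) and the connection string are assumptions.
declare(strict_types=1);
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$uploadDir = __DIR__ . '/images/';

if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Not logged in');
}
$userId  = (int) $_SESSION['user_id'];
$imageId = filter_input(INPUT_POST, 'image_id', FILTER_VALIDATE_INT);
if ($imageId === false || $imageId === null) {
    http_response_code(400);
    exit('Bad image id');
}

// Look the row up by id AND user_id: an image owned by someone else simply
// does not exist from this user's point of view.
$stmt = $pdo->prepare('SELECT filename FROM images WHERE id = :id AND user_id = :uid');
$stmt->execute([':id' => $imageId, ':uid' => $userId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    exit('No such image');
}

// Build the path from the stored name, never from client input; basename()
// is a second line of defence in case the column was ever written badly.
$path = $uploadDir . basename($row['filename']);

$pdo->beginTransaction();
$del = $pdo->prepare('DELETE FROM images WHERE id = :id AND user_id = :uid');
$del->execute([':id' => $imageId, ':uid' => $userId]);
if ($del->rowCount() === 1 && (!is_file($path) || unlink($path))) {
    $pdo->commit();
    echo 'Deleted';
} else {
    $pdo->rollBack();
    http_response_code(500);
    exit('Delete failed');
}
```

The client sends only the numeric image id, so there is no file name in the request to tamper with in the first place.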
I have written a code, where the user selects a profile picture and then the picture is stored in localhost/user/$username/photos/photo1.gif.
After that, I assigned the filename (photo1.gif) into a session variable so I can display it from all my php scripts. This is working just fine. I can display the picture in every php script by accessing this session variable.
The only problem I have is when I am trying to log in from the login page: in the login page I connect to the database, retrieve email and password, check them and if they are OK I redirect the user to home.php. The problem is that the user's photo is not linked to the email, so I cannot know the filename of the photo. The only thing I know for sure is the directory (because I can retrieve the username from the database as well).
Let's say that a user has uploaded 4 photos (photo1, photo2, photo3, photo4 - photo4 was uploaded last). It makes sense that he is currently using photo4 as his profile picture.
Is there a way for me to access that folder and retrieve the filename of the picture uploaded last?
Also, as a general question, what is better, to store the photos (or files) in a database or on the server?
A few options:
It would be 'better' to create a photo table and store the user_id and the photo location in that table. Storing the actual photo in the table as a blob is not generally recommended.
Alternatively, to avoid more tables, you could rename the photos as
username_photo1.jpg
username_photo2.jpg
username_photo3.jpg
And then you can retrieve the largest of them.
Finally, another option is to get the file creation date of the photos in the directory and take the most recent photo.
see Getting the filenames of all files in a folder
I'm using PHP and MySQL, and don't know where to start with how to set up profile pictures.
It seems all other user data can be held in the mysql table, but I don't think I can put pictures into a mysql table. So how do profile pictures generally work?
You can put pictures in a database (using a BLOB field), but I wouldn't, due to the performance hit.
Store the images on the filesystem with PHP, and just store the ID of the picture in the database.
I think that what is usually done is set up an upload system for users to upload their images. You just have to link this image with the user by naming it with something like a user ID.
Then you just have to store a link to the uploaded picture in your database, this way you could also imagine allowing user to use remote images although this might not be a good idea.
But as said, the MySQL BLOB field allows storing pictures.
I would like to make a simple avatar system for my users.
Usage is simple, every uploaded avatar image is named by user, for example:
...$username.'.jpg';...
so there is really no need for a database.
When the user is logged in, I just append the file type to the username, which is already required (from the database).
What concerns me here is the default image, which is used before the user sets his own image. What is the best way to handle this? Is there a possibility to create / copy the default image to the user's avatar folder when the user account is created?
I know that I can achieve this using the database (default value) or checking if the user image is set etc., but I want to keep it as simple as possible.
Thanks in advance :)
Very simple example of what the file would do. I'd suggest making it more secure of course.
$filename = $_GET["avatar"];        // taken straight from the request; see the note above about hardening
$path = 'path/to/your/files/';      // trailing slash, so the name is not glued onto the directory name
if (!file_exists($path . $filename . '.jpg'))
{
    $filename = "default";          // fall back to the one shared default image
}
header('Content-Type: image/jpeg');
readfile($path . $filename . '.jpg');
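The same script with the request parameter validated before it touches the filesystem, as an added example that is not the answer's own code: only a plain identifier is accepted, the shared default is used otherwise, and the bytes are checked to really be a JPEG before they are served. The directory and file names are assumptions.

```php
<?php
// Added example: hardened version of the avatar script. Assumes avatars live in
// ./avatars/ and that the default image is ./avatars/default.jpg.
declare(strict_types=1);

$avatarDir = __DIR__ . '/avatars/';
$default   = 'default';

$name = $_GET['avatar'] ?? $default;

// Accept only letters, digits and underscore, 1-32 characters. This rejects
// '../', '/', NUL bytes and anything else that could escape the directory.
if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $name)) {
    $name = $default;
}

$file = $avatarDir . $name . '.jpg';
if (!is_file($file)) {
    // Missing avatar: serve the single shared default, no copying per user needed.
    $file = $avatarDir . $default . '.jpg';
}

// Check the content, not the extension: a renamed HTML or script file is not served as an image.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file);
if ($mime !== 'image/jpeg') {
    http_response_code(404);
    exit;
}

header('Content-Type: image/jpeg');
header('Content-Length: ' . (string) filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```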
Check if the user's profile picture exists on the file system:
If it exists: display it.
If it doesn't: display the default image that is stored in one single place. No need to copy it.
I recommend saving the image name in the database, with its extension. People may want to upload a PNG or GIF image, rather than the classical JPG.
A simple example of what you are trying to do could be...
When a user registers in your site, he or she can upload or not an image.
Make a validation in the process to know if there is an image to be uploaded or not. Also, if there is a file in the process, validate its extension (declare an array with the extensions you want to allow and compare with the incoming file).
If the user that is registering doesn't upload an image, in your server, create a default image, for example: "users/default.jpg". So in the insert to your db, you must put in your imaginary "image_name" column: default and in your "image_ext" column: .jpg
If the user that is registering uploads an image in the process, in your server (when you have validated the extension and size) create for example: "users/1.jpg" where "1" is the userid, and also in your insert to the db put in your imaginary "image_name" column: 1 and in your "image_ext" column: .jpg
To retrieve the image, just do a kind of select * from of the userid you want and just put in your html: echo "<img src='users/".$row['image_name'].$row['image_ext']."'/>"; and that's all, you are done.
We are making a social site for a client (final project for classes) and he wants a photo uploading feature.
We thought about putting a link in a MySQL database to the picture with a unique ID for the picture and also a foreign key to the User ID.
But I was wondering what would be the safest method.
Should we keep the picture name or rename it?
Should we keep all pictures within the same folder, or have a separate folder for each unique User ID?
If we rename the picture, should we just start with the unique ID for the picture? (1 to XXXX)
Safe: any type of exploiting with a malicious filename
Fastest: to have 1 folder or XXXXX folders
For uploaded images I would rename the image to the userid-imageid so an image would be named 123-5554.jpg for example, this would group them by userid while keeping them in the same folder (using sorting), and provide a unique name for each image.
If you don't rename the image, someone could easily upload an image called picture.jpg more than once.
I would change each pictures filename to something unique. Each picture should have a unique id in the table as well. Then you can set a foreign key on the picture's unique id to the user's id.
Your second question is kind of your own preference, it depends on the kind of structure you would want to have. I would create a separate folder for each user, it's more intuitive and a little easier to navigate if there is a lot of data.
I am trying to upload an image to a directory on a server. I'm using the tutorial found at http://www.reconn.us/content/view/30/51/.
First, is that a good method for uploading images using PHP?
Second, I'm also going to store the info in a MySQL database. What is a good way to deal with images that have the same name that the user uploads? For example, if a user uploads a file 'test.png' 2x in a row, what should happen to the second filename? From the script above, both will get a unique filename, but how would I as the user access that image again? I couldn't just query because the only name I know was the duplicate name I gave it, and I definitely don't know the unique name the server gave it using the upload time...
Third, what is a good max file size for images?
You can report the unique URL back to the user after the upload so that the user will know where to find the image. So, the first test.png could be http://www.example.com/images/fjdklagjsdl.jpg and the second could be http://www.example.com/images/jklfsdlkj.jpg
You can also provide some kind of interface for users to view images they've uploaded. If you display a thumbnail of the uploaded image next to the image's unique filename, it will be easy for the user to identify which image is which.
This is the method I use:
Users upload images
Server saves the image with a unique (GUID or something) filename and stores - both - the unique generated filename and the original uploaded filename in a database
Images are linked to using either the original_filename, unique_filename or primary_key for the images table.
The images are taken from the server, and served using the original filename stored in the database. This way you avoid chances of conflicting filenames and you preserve the image's original filename. In addition, this allows you to build a search on the original_filename column for the user to use.
With this method, unique filenames never have to be exposed to the user, instead they're used to locate the image associated with a specific id or original_filename in the 'images' table.
Of course, if you don't care about giving the original filename to the image when it's displayed, you can just generate a unique filename whenever you want to store it.
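An upload handler that follows the advice in this answer and in the earlier ones about renaming to a userid-prefixed name and validating the extension, as an added example that is not code from any of the answers: the file is checked to be a real image of an allowed type, saved under a generated name that cannot collide even when "test.png" is uploaded twice, and both the generated and the original name are recorded against the user. The `images` table layout, the connection details and the form field name are assumptions.

```php
<?php
// Added example: validate an uploaded image, store it under a generated name and
// record generated + original names. Table images(id, user_id, stored_name,
// original_name) and the PDO connection string are assumptions.
declare(strict_types=1);
session_start();

$allowed   = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$maxBytes  = 2 * 1024 * 1024;   // 2 MiB, a reasonable cap for profile images
$uploadDir = __DIR__ . '/images/';
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret'); // hypothetical

function store_upload(PDO $pdo, int $userId, array $file, array $allowed, int $maxBytes, string $dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // Trust the file content, not the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not an allowed image');
    }
    // userid prefix groups files per user; the random part makes the name unique
    // and unguessable, and the extension comes from the detected type.
    $stored   = sprintf('%d-%s.%s', $userId, bin2hex(random_bytes(16)), $allowed[$mime]);
    $original = mb_substr(basename($file['name']), 0, 255); // kept for display and search only

    if (!move_uploaded_file($file['tmp_name'], $dir . $stored)) {
        throw new RuntimeException('Could not save file');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO images (user_id, stored_name, original_name) VALUES (:uid, :stored, :orig)'
    );
    $stmt->execute([':uid' => $userId, ':stored' => $stored, ':orig' => $original]);
    return $stored;
}

// Usage: expects a form with <input type="file" name="picture"> and a logged-in user.
if (isset($_FILES['picture'], $_SESSION['user_id'])) {
    $name = store_upload($pdo, (int) $_SESSION['user_id'], $_FILES['picture'], $allowed, $maxBytes, $uploadDir);
    echo 'Stored as ' . htmlspecialchars($name);
}
```

The original name is only ever shown or searched, never used to build a path, so a malicious filename has nowhere to do harm.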