Avatars : default image - php

i would like to make a simple avatar system for my users.
Usage is simple, every uploaded avatar image is named by user, for example:
<a>...$username.'.jpg';..</a>
so there is really no need for database.
When user is logged in, I just append the filetype to the already (from database) required username.
What concerns me here is the default image, which is used before user sets his own image. What is the best way to handle this? Is there a possiblity to create / copy default image to users avatar folder when user account is created?
I know that I can achieve this using database (default value) or checking if user image is set etc. but i want to keep it as simple as possible.
Thanks in advance :)

Very simple example of what the file would do. I'd suggest making it more secure of course.
$filename = $_GET["avatar"];
$path = 'path/to/your/files';
if (!file_exists($path.$filename.'.jpg'))
{
$filename = "default";
}
Header('Content-type: image/jpg');
readfile($path.$filename.'.jpg');

Check if the user's profile picture exists on the file system:
If it exists: display it.
If it doesn't: display the default image that is stored in one single place. No need to copy it.
I recommend saving the image name in the database, with its extension. People may want to upload a PNG or GIF image, rather than the classical JPG.

A simple example of what you are trying to do could be...
When a user registers in your site, he or she can upload or not an image.
Make a validation in the process to know if there is an image to be uploaded or not. Also, if there is a file in the process, validate it's extension (declare and array with the extensions you want to allow and compare with the incomming file).
If the user that is registering doesn't upload an image, in your server, create a default image for example: "users/default.jpg". So in the insert to you db, you must put in your imaginary "image_name" column: default and in your "image_ext" column: .jpg
If the user that is registering uploads an image in the process, in your server (when you validated the extension and size) create for example: "users/1.jpg" which "1" is the userid, and also in your insert to the db put in your imaginary "image_name" column: 1 and in your "image_ext" column: .jpg
To retrieve the image, just do a kind of select * from of the userid you want and just put in your html: echo "<img src='users/".$row['image_name'].$row['image_ext']."'/>"; and that's all, you are done.

Related

How to secure user's images on a server?

My web application is really simple. There are two buttons: one called "save" and the other called "show my images".
Basically, the user can save images from the Facebook API and store them in the server folder called "backup" (to back up their images on the server so if they deleted their FB or image from FB they will have backup).
When the user clicks "save", the images will be stored in two locations. The image URL will be stored in SQL database, but it will also be saved on server folder called "backup"
When they click "show images", it will retrieve the image's URL from the database and display the image. However when checkImage() is called, it will check if the image URL is valid. If it's invalid, it will retrieve the same image from the server folder "backup".
I don't want the admin to access the backup folder and be able to see all the user's images.
Before the images get saved in the backup folder on server I want to encode the user images and when they request the image it will decode and be displayed.
Is this possible?
The reason that I want to do this is because I'm worried that the FB image URL will be broken and thus the image will not show on the website.
function checkImage($url) {
if (#getimagesize($url)) {
echo "image exists ";
} else {
echo "image does not exist";
}
}
Yes it is possible and it is good thing to do
I have worked already on these kind of system, i have worked on sites similar to google drive or dropbox , and the security/ privacy for user's files comes at first and the point you are making is very much valid and reasonable.
Let me explain you what you can do to make this possible so even if admin / anyone have ftp access to the folder he / she will not be able to see the images at all.
When you save the images to your database , and you save also the link of facebook to check if it's valid or not , save also the following informations from the image to use them later on for decryption of images.
File size
Image type
Image extension
Image Original name
Image encrypted name
Image path
Image user
User path
Now let me explain you what these columns would mean to your system.
File size would be obviously the size of the image you are saving to your server in case you need the informations for insights of your server.
Image type should be the type of file which is like : image/jpeg or image/png
Image extension Should be the extension of image , which you will need to use for decrypting the image inside your system.
Image original name should be also used for system to decrypt the image to show the original image name
let say image original name + image extension will be used inside headers function for php.
Image encrypted name , this will be a random string without file extension for example :
let say you have a image named : myimage.jpeg , now what you will do is save the original file name and extension into database , then while using the move_uploaded function of php to move the file into folder of user (folder can be also unique random string for every user), then just rename the file inside upload process to something like 823982j3kkj2hjh3j2h323hj2h3jh23jh just a random string without extension inside a random string named folder which is associated to the user which even user doesn't know and save this random string name along with image 's other details and later on you will need to to identify the image and rename it to original one with extension.
Image path should be the complete path to the image folder , you need this to identify the folder where you stored the image
Image user this is obviosuly a user's id
User path this is a random string named folder where image will be stored
in this way , you will encrypt the image and it will be only visible to the user only from the system's functionality, even admins will not be able to identify the folder or files that are conncted to the users and files will be saved without extension and without original name , so only system will be able to decrypt it.
i hope i have given you an idea on how you can do it.

Access folder and select filename using PHP

I have written a code, where the user selects a profile picture and then the picture is stored in localhost/user/$username/photos/photo1.gif.
After that, I assigned the filename (photo1.gif) into a session variable so I can display it from all my php scripts. This is working just fine. I can display the picture in every php script by accessing this session variable.
The only problem I have is when I am trying to login from the login page: In the login page I connect to the database, retrieve email and password, check them and if they are OK I redirect the user to home.php. The problem is that the user's photo is not linked to the email so i cannot know the filename of the photo. The only thing I know for sure is the directory (because I can retrieve username from database as well).
Lets say that a user has uploaded 4 photos (photo1, photo2, photo3, photo4 - photo4 was uploaded last). It makes sense that he is currently using photo4 as my profile picture.
Is there a way for me to access that folder and retrieve the filename of the picture uploaded last?
Also, as a general question, what is better, store the photos(or files) in a database or server?
A few options:
It would be 'better' to create a photo table and store the user_id and the photo location in that table. Storing the actual photo in the table as a blob is not generally recommended.
Alternatively, to avoid more tables, you could rename the photos as
username_photo1.jpg
username_photo2.jpg
username_photo3.jpg
And then you can retrieve the largest of them.
Finally, another option is to get the file creation date of the photos in the directory and take the most recent photo.
see Getting the filenames of all files in a folder

Image delete security vulnerabilities

I have developed a script to upload & delete images. The images will be saved to a directory like webroot/images. The file names relating to each users upload will be saved in the database when a publish button is clicked. Until then the images will be uploaded in order so that I can show a preview. All seems to work fine except a security vulnerability that allows users to delete other users images. Eg: Any user can copy the file name of an image & inject it to the delete script. Is there any mechanism to prevent this issue.
Hope this explanation isn't boring, its a little hard to explain.
In the database table that stores the image filenames, add a field for the user_id that owns the image.
When the delete action is invoked, lookup in the table to see if the current logged in user is associated with the image that they are trying to delete. If the user_id in the table doesn't match the logged in user then do not allow the delete.
You have to change the file name of image before uploading. Timestamp is best in this case. For security concern, while deleting image you have to check the file is owned by current user or not.

Match up database record with image from upload folder

I have a database with users information such as name, email etc in. When they sign up they must upload a picture. At present when they do. the image goes into a 'uploads' folder on the server.
My question is, how do i go about aligning up the database record with the corosponding image in the folder?
You should store the file name / url (make it unique, md5 the users ID or something) in the DB as a reference, this is the best way to handle this type of photo + user relationship.
And as normal, just save the actual file in /uploads/
Simply create a column in your DB called user_photo and save the link to the file /uploads/john_smith_321sf.jpg
That way in the future, you just retrieve it using your database data.
You can name the image with something that is unique in the database. For example if 'John ' whose user id is 157 uploads an image, name the image 157.jpg - you can then query the folder for that id and extension.
Sorry, re-read the comments.
I'm assuming then that your upload file is out of the document route, is that correct? Will this help:
header('Content-Type: image/x-png'); //or jpg....
readfile('displayfile.png');
die();

(php) - helping writing a script for uploading images

I am trying to upload an image to a directory on a server. i'm using the tutorial found at http://www.reconn.us/content/view/30/51/.
First, is that a good method for uploading images using PHP?
Second, I'm also going to store the info in a MySQL database. What is a good way to deal with images that have the same name that the user uploads? For example, if a user uploads a file 'test.png' 2x in a row, what should happen to the second filename? From the script above, both will get a unique filename, but how would I as the user access that image again? I couldn't just query because the only name I know was the duplicate name I gave it, and I definitely don't know the unique name the server gave it using the upload time...
Third, what is a good max file size for images?
You can report the unique URL back to the user after the upload so that the user will know where to find the image. So, the first test.png could be http://www.example.com/images/fjdklagjsdl.jpg and the second could be http://www.example.com/images/jklfsdlkj.jpg
You can also provide some kind of interface for users to view images they've uploaded. If you display a thumbnail of the uploaded image next to the image's unique filename, it will be easy for the user to identify which image is which.
This is the method I use:
Users upload images
Server saves the image with a unique (GUID or something) filename and stores - both - the unique generated filename and the original uploaded filename in a database
Images are linked to using either the original_filename, unique_filename or primary_key for the images table.
The images are taken from the server, and served using the original filename stored in the database. This way you avoid chances of conflicting filenames and you preserve the image's original filename. In addition, this allows you to build a search on the original_filename column for the user to use.
With this method, unique filenames never have to be exposed to the user, instead they're used to locate the image associated with a specific id or original_filename in the 'images` table.
Of course, if you don't care about giving the original filename to the image when it's displayed, you can just generate a unique filename whenever you want to store it.

Categories