I've found several answers to this question, but each case was different from mine. Before I spend hours implementing what I think will work, I'd like to get an opinion or two. Who knows, there may be an easier solution that will benefit someone else too!
I'm in the process of creating a website which provides a photo modification service. Each of my customers will be uploading their photos using a modified version of a jQuery/PHP upload script I found on Github (BlueImp's File Upload script- props BlueImp!) When each image is done uploading, a thumbnail of the image is displayed next to the image's filename.
The upload page creates a folder based on their Order #, and a thumbnail subfolder where the images are stored. For example, for Order # 12345:
/uploads/12345 <- Folder where the uploaded images will go
/uploads/12345/thumbs <- Folder where thumbnails will be served from
It's important that clients don't access other clients' photos. I moved the uploads folder outside of my website root, but then the thumbnails weren't displaying when the images finished uploading because, well, they weren't in the website root so the links weren't working.
Here's a solution I thought of:
Separate the folders. Move the main upload folder outside of the document root, but leave the thumbnail folder inside the doc root, so the thumbnails can be served up when each upload completes. When the user has finished uploading their images, delete the thumbnail folder corresponding to that Order #.
Is there a better way to do it? My concern is preventing access to photos (A client will only have to upload them once, then wait for us to finish the modifications. They will NOT have to log back in to download them.) I don't want someone to be able to access the upload folder via the address bar or anywhere else. Can I use an .htaccess file to restrict access, but still allow for linking to the thumbnail images via the upload script?
I apologize for the wordy question. I tried to be as succinct as my limited knowledge of programming would allow. Thank you in advance for your time and effort in helping with this.
two way around
Write a blank index.html on each directory, which will prohibit to access files.
Write below in .htaccess ( if not exist then create this file )
Options -Indexes
OR If you want NO ENTRY outside of the LAN
# no nasty crackers in here!
order deny,allow
deny from all
allow from 192.168.0.0/24
# this would do the same thing..
#allow from 192.168.0.0 to 192.168.0.24
Reference
One more
You want to show the thumbs to each owner customers but not to others?
knowing the Order number (is sequenziell) you can easily try some links and see some photos.
I suggest to use a .htaccess to password the upload folder and to generate a hash number for every thumb that you have to attribute to the order number.
A second solution: password with a .htaccess the upload folder and generate a thumb when you generate the order confirmation page without saving the thumb. (he has to see it only once as you mention).
have fun!
Two things that you should do are:
Disable directory indexing.
Always keep the file names random. Map them using the database. i.e file1.jpg->file_af324234324324ff . You can also store the thumbnail file information in the same table.
Related
I am creating a php script for images and videos. The image and videos is uploading and displaying fine on the webpage.
I want to secure the uploaded files, means visitors can't download the files at local system.
There is any one have knowledge how we secure files.
Please help!!!
i am pretty sure what you want is near impossible since if you want your visitor to view the image/video, the browser still need to download it before it can display to the end user.
if the browser can 'download' the data, pretty sure everyone can write small code to grab the data.
if you want to protect from linking to the data directly, you can prevent hot-link through htaccess (for apache) rule.
I have made a site with Codeigniter and users have options to upload their photos there. As the photos are personal, I think keeping them on web directory is not safe. As a result, I kept them on a root directory like /var/www/images directory. Now, how I can get the images in a webpage?
Wrong Choice dear learner. you images folder needs to be accessible by your code and to the browser to render that image by the image path. For example
This is the image directory of my project. I am using all these images in different pages of my website. Some are selected dynamically by my code.
Now in your case by putting images in www folder, you are making a path of http://images/ which is not recommended by any PHP guidelines. Your images folder should be in your project root not outside.
If you want to disable folders to be viewed, just add empty index.html file, but if you try to protect images from being viewed then your website wont be able to find them too image protection in codeigniter
The code will be as safe as you make it. Well what you are doing is fine, the web server will still have to access the images.
While ignoring the rest of your code or what yo are trying to achieve, you could try referencing the images fro your webroot or probably create a symlink.
Also, I would try to put the images in another place like AWS.
If security is a concern for you, you can try building a ImagesController that checks if image exists, if user has permissions to see it and after that render it.
Uploaded images should also have some reference row inside a table in your database that can have a column which specifies if it should be public (also try to sort them to folders depending on what it represents - user profile pics, product images, etc).
I know it's a little bit of work but this would be the way I would do it.
You can check online for examples of controllers that return an image.
Good luck on your project.
I'm trying to create a photo upload system following Adam Khourys online tutorials.
http://www.developphp.com/view.php?tid=1395 - Upload multiple files video
http://www.developphp.com/view.php?tid=1304 - User profile upload
Most of the code is like for like, but with my own variable names used instead. One major difference is instead of creating 3 different file upload fields as in the multiple upload video I created my form to allow multiple selections from just one upload field.
Below is a brief overview of the files, their location and what the page does.
create_post.php located in root directory - the page that allows for image upload
image_uploader.php located in root > includes directory - the page that contains the upload form, made as a seperate file to be included into any page that may require photo uploads.
photo_system.php located in root > parsers directory - the page that handles image upload.
When I go to the create a post page, click the link to upload image(s) all works well, I can see the form, I can even select the files I would like to try and upload but when I click the upload button nothing seems to happen, when photo_system.php should load.
I've added a line of code to photo_system.php right at the top that should bring up an alert box once the page has loaded, in an attempt to debug my issues, but I never see this unless I go directly to image_uploader.php
This has lead me to believe that maybe my relative links to files were the issue so I've tried appending $_SERVER['DOCUMENT_ROOT'] to the start of the links to ensure it can alway locate them from the root directory, currently I have it set up with a hard coded $root variable and still I can't seem to get the system to work.
Is it likey that the file structure and the way the pages interact with each other is my problem? Could anyone take a look at my code for these three files and see if they can spot anything? I've been stumped by this for a week or so now so I think its time to ask for some outside help.
I have my 3 files saved in a txt format so the code can be viewed
http://www.vwrx-project.co.uk/temp_source_code/create_post.txt
http://www.vwrx-project.co.uk/temp_source_code/image_uploader.txt
http://www.vwrx-project.co.uk/temp_source_code/photo_system.txt
It turns out that in the end I was trying to nest two tables one inside the other so this was part of my issue.
The way that I had it set up I was including the photo upload system, image_uploader.php, as a table with an action requesting the photo_system.php file which worked when I went to the image_uploader.php page directly.
I also had in my main page where the images were being uploaded a form that had been set to onsubmit = false and this was canceling out the form action of the included file.
I only found this out when I decided to try and code it straight into one file else I'd still be stuck now.
In one of my work i need to build a feature for users to upload videos. i m creating a directory if not exists for that user and storing videos into it. I did directory listing off in .htaccess file so in this case no one can access files listing directly from url.
But when anyone can play that uses video, embed code is generated and in that path is also displayed for that video. When i copy and paste that path in url , video gets downloaded. i want to prevent it from directly accessing? can anyone has a solution for the same?
https://tn123.org/mod_xsendfile/
I use this
You can store your video files not in DOCUMENT_ROOT directory and provide access through the program.
Something like this: http://test.com/watch.php?video_id=blahblablah , like Youtube
How would I save each user's 'default photo' onto a website? This same photo may be used during some of their interactions on the site(maybe in a chat session), and it may be displayed on their profile page. Will each user have their own folder? If so, how can I create such a folder. Will this folder stay on ftp? Or MySQL? Will it take any space? As of now, whatever photos are uploaded onto the server, are simply stored in a folder that reads--'uploadportrait.php'. Where can I go from this? If someone can tell me the general principles of this, then that would be great! Thank you in advance.
If it is just one photo it doesn't make much sense to create a folder for each user. If you already have a working upload routine, simply store the file path of the uploaded file inside of the user database. You don't need to duplicate the image then.