Guidelines for storing uploaded photo info in database - php

We are making a social site for a client (final project for classes) and he wants a photo uploading feature.
We thought about putting a link in a MySQL database to the picture with a unique ID for the picture and also a foreign key to the User ID.
But I was wondering what would be the safest method.
Should we keep the picture name or rename it?
Should we keep all pictures within the same folder, or have a separate folder for each Unique User ID?
If we rename the picture, should we just start with the unique ID for the picture? (1 to XXXX)
Safe: any type of exploiting with a malicious filename
Fastest: to have 1 folder or XXXXX folders

For uploaded images I would rename the image to userid-imageid, so an image would be named 123-5554.jpg, for example. This would group them by user id while keeping them in the same folder (using sorting), and provide a unique name for each image.
If you don't rename the image, someone could easily upload an image called picture.jpg more than once.

I would change each picture's filename to something unique. Each picture should have a unique id in the table as well. Then you can set a foreign key on the picture's unique id to the user's id.
Your second question is kind of your own preference; it depends on the kind of structure you would want to have. I would create a separate folder for each user; it's more intuitive and a little easier to navigate if there is a lot of data.
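The answers above agree on the main point: never let the client-supplied filename reach the filesystem, and let the database hand out the unique id that the stored name is built from. The following PHP upload handler is an added example written for this page, not code from the question or either answer. It assumes a PDO connection in $pdo, the logged-in user's id in $_SESSION['user_id'], a form field named "photo", an `images` table with the columns shown, and an UPLOAD_DIR outside the document root; all of those names are hypothetical.

```php
<?php
// Added example: upload handler that builds the on-disk name only from
// integers the server controls (userid-imageid) plus a server-chosen
// extension. Table/column names, UPLOAD_DIR and $pdo are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';       // outside the document root (assumed path)
const MAX_BYTES  = 5 * 1024 * 1024;         // 5 MiB per image

// Permitted MIME types, as detected from the file bytes (not the client's
// claim), mapped to the extension we will assign ourselves.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_uploaded_photo(PDO $pdo, int $userId, array $file): int
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . (int) $file['error']);
    }
    if ((int) $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Only accept files that actually arrived through the HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Sniff the real type from the content; $file['type'] is client-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('Unsupported image type');
    }
    // Also require that the image library can parse it as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    $ext = ALLOWED[$mime];

    // Keep the original name only as display metadata: strip any path
    // components and cap its length. It is never used to build a path.
    $original = substr(basename((string) $file['name']), 0, 255);

    // Insert first so the database allocates the unique image id.
    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare(
            'INSERT INTO images (user_id, original_name, ext, created_at)
             VALUES (:uid, :orig, :ext, NOW())'
        );
        $stmt->execute([':uid' => $userId, ':orig' => $original, ':ext' => $ext]);
        $imageId = (int) $pdo->lastInsertId();

        // Filename = userid-imageid.ext, exactly the scheme suggested above.
        $target = sprintf('%s/%d-%d.%s', UPLOAD_DIR, $userId, $imageId, $ext);
        if (!move_uploaded_file($file['tmp_name'], $target)) {
            throw new RuntimeException('Could not move uploaded file');
        }
        chmod($target, 0640);   // not executable, not world-readable
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $imageId;
}

// Usage (hypothetical wiring):
// session_start();
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $id = store_uploaded_photo($pdo, (int) $_SESSION['user_id'], $_FILES['photo']);
```

Because the stored name is derived from two integers and a whitelisted extension, a malicious filename (path separators, a double extension, a NUL byte) never influences where the file lands or how the web server will treat it; the original name survives only as a database column for display.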

Related

Image delete security vulnerabilities

I have developed a script to upload and delete images. The images will be saved to a directory like webroot/images. The file names relating to each user's upload will be saved in the database when a publish button is clicked. Until then, the images will be uploaded in order so that I can show a preview. All seems to work fine except a security vulnerability that allows users to delete other users' images. E.g., any user can copy the file name of an image and inject it into the delete script. Is there any mechanism to prevent this issue?
Hope this explanation isn't boring; it's a little hard to explain.
In the database table that stores the image filenames, add a field for the user_id that owns the image.
When the delete action is invoked, look up in the table to see if the current logged-in user is associated with the image that they are trying to delete. If the user_id in the table doesn't match the logged-in user, then do not allow the delete.
You have to change the file name of the image before uploading. A timestamp is best in this case. For the security concern, while deleting an image you have to check whether the file is owned by the current user or not.
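The ownership check the two answers describe, as an added PHP example (not code from the question or the answers). It assumes a PDO connection in $pdo, an `images` table with id, user_id and filename columns, files stored under UPLOAD_DIR, and that the client sends only the numeric image id, never a filename; those names are hypothetical.

```php
<?php
// Added example: delete an image only when the database row says the
// logged-in user owns it. $pdo, the `images` table and UPLOAD_DIR are assumed.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed location of stored images

function delete_owned_image(PDO $pdo, int $currentUserId, int $imageId): bool
{
    // The ownership check lives in the WHERE clause: a row comes back only if
    // the image exists AND belongs to the caller.
    $stmt = $pdo->prepare(
        'SELECT filename FROM images WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $imageId, ':uid' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // "No such image" and "not yours" are handled identically, so the
        // response does not reveal which ids exist.
        return false;
    }

    // Defence in depth: even though filename came from our own table, refuse
    // anything that would resolve outside the upload directory.
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . basename($row['filename']));
    if ($base === false || $real === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return false;
    }

    // Delete the row inside a transaction, then the file; if the unlink fails
    // the row comes back, so we never keep a reference to a missing file
    // or lose track of a file that still exists.
    $pdo->beginTransaction();
    $del = $pdo->prepare('DELETE FROM images WHERE id = :id AND user_id = :uid');
    $del->execute([':id' => $imageId, ':uid' => $currentUserId]);
    if ($del->rowCount() !== 1 || !unlink($real)) {
        $pdo->rollBack();
        return false;
    }
    $pdo->commit();
    return true;
}

// Usage (hypothetical): the request carries only an integer id.
// session_start();
// $ok = delete_owned_image($pdo, (int) $_SESSION['user_id'],
//                          (int) ($_POST['image_id'] ?? 0));
// http_response_code($ok ? 204 : 404);
```

The important change from the vulnerable design is the input: the delete endpoint accepts an id and resolves the filename itself from a row scoped to the current user, so copying another user's filename into the request gives the attacker nothing to inject.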

Match up database record with image from upload folder

I have a database with users' information such as name, email, etc. in it. When they sign up they must upload a picture. At present, when they do, the image goes into an 'uploads' folder on the server.
My question is, how do I go about lining up the database record with the corresponding image in the folder?
You should store the file name / URL (make it unique, md5 the user's ID or something) in the DB as a reference; this is the best way to handle this type of photo + user relationship.
And as normal, just save the actual file in /uploads/
Simply create a column in your DB called user_photo and save the link to the file /uploads/john_smith_321sf.jpg
That way in the future, you just retrieve it using your database data.
You can name the image with something that is unique in the database. For example, if 'John', whose user id is 157, uploads an image, name the image 157.jpg; you can then query the folder for that id and extension.
Sorry, re-read the comments.
I'm assuming then that your upload file is outside the document root, is that correct? Will this help:
header('Content-Type: image/x-png'); //or jpg....
readfile('displayfile.png');
die();

How to store multiple images' full paths into a database so that I can display them in a user home page like Orkut

I am making an application in which every user has to sign in first and then he can access his home page. Now on the home page, I have given an option of uploading an image. Now if the user is uploading one image I am storing the full path of the uploaded image into a database and from there I can display the image easily by an img tag...
But what should I do when the user wants to upload many images? Then how should I store their full paths in a database for the same user? Give me an idea, just like Orkut or Facebook. Should I make a different table named images and should I store images in different rows with the same username? What should I do?
I don't know the logic. What should I do? How can I upload many images and how can I store their path and what will be the wisest method and how do I display many images on one page (I can display one)?
You can make a folder named after the user name and id and put all their images there.
To display many images on one page, just add more <img> tags to the page.
This seems to be more of a design question than a PHP question. I would create a separate table to store all paths, this is more normalized.
You still need to handle the UI, but if you are doing a sort of gallery then that is fairly simple with some jQuery slideshows or something like that.
Yes, you want to use a separate table to store the image paths. You'll most likely want a record ID, the User ID, and the path to the image. You could also add a field to contain the sorting order for the images.
Having the sorting order field will allow you to page through the photos if there is more than one page of photos.
Your thinking is correct where you suggest creating a separate table with rows containing the image path and the username. The concept that you are dealing with is called cardinality. I'd recommend that you take a few minutes to read about this concept, since it is so important to database design.
In this case, you're talking about a one-to-many relationship between the user and the images.
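The one-to-many layout the answers describe (one users row, many images rows, each pointing back at its owner and carrying a sort order for paging), as an added PHP example that is not code from the question or the answers. Table and column names are hypothetical, $pdo is an existing PDO connection, and the public URL root is assumed to be /img.

```php
<?php
// Added example: schema for the user -> images one-to-many relationship,
// a paged query scoped to one user, and safe rendering of the <img> tags.
// Names (users, images, columns, /img) are assumptions for illustration.
declare(strict_types=1);

const SCHEMA_SQL = <<<'SQL'
CREATE TABLE IF NOT EXISTS users (
    id       INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(64) NOT NULL UNIQUE
) ENGINE=InnoDB;

CREATE TABLE IF NOT EXISTS images (
    id            INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    user_id       INT UNSIGNED NOT NULL,
    path          VARCHAR(255) NOT NULL,
    original_name VARCHAR(255) NOT NULL,
    sort_order    INT NOT NULL DEFAULT 0,
    created_at    DATETIME NOT NULL,
    CONSTRAINT fk_images_user FOREIGN KEY (user_id)
        REFERENCES users(id) ON DELETE CASCADE,
    INDEX idx_images_user_sort (user_id, sort_order)
) ENGINE=InnoDB
SQL;

function create_schema(PDO $pdo): void
{
    // Run each statement on its own; many drivers reject multi-statement exec().
    foreach (array_filter(array_map('trim', explode(';', SCHEMA_SQL))) as $sql) {
        $pdo->exec($sql);
    }
}

/**
 * One page of a user's images in sort_order. Because the query is scoped to
 * user_id, no page number or offset can ever reach another user's gallery.
 */
function list_user_images(PDO $pdo, int $userId, int $page, int $perPage = 12): array
{
    $page    = max(1, $page);
    $perPage = max(1, min(100, $perPage));
    $offset  = ($page - 1) * $perPage;

    $stmt = $pdo->prepare(
        'SELECT id, path, original_name, sort_order
           FROM images
          WHERE user_id = :uid
          ORDER BY sort_order, id
          LIMIT :limit OFFSET :offset'
    );
    // LIMIT/OFFSET must be bound as integers, otherwise emulated prepares
    // quote them as strings and MySQL rejects the statement.
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Render the <img> tags, escaping every database value that reaches HTML. */
function render_gallery(array $images, string $publicRoot = '/img'): string
{
    $html = '';
    foreach ($images as $img) {
        $src = htmlspecialchars($publicRoot . '/' . $img['path'], ENT_QUOTES, 'UTF-8');
        $alt = htmlspecialchars($img['original_name'], ENT_QUOTES, 'UTF-8');
        $html .= "<img src=\"$src\" alt=\"$alt\">\n";
    }
    return $html;
}

// Usage (hypothetical):
// create_schema($pdo);
// echo render_gallery(list_user_images($pdo, 157, (int) ($_GET['page'] ?? 1)));
```

The foreign key with ON DELETE CASCADE keeps the image rows from outliving their user, and the composite index on (user_id, sort_order) is what makes the paged per-user query cheap as the table grows.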

(php) - help writing a script for uploading images

I am trying to upload an image to a directory on a server. I'm using the tutorial found at http://www.reconn.us/content/view/30/51/.
First, is that a good method for uploading images using PHP?
Second, I'm also going to store the info in a MySQL database. What is a good way to deal with images that have the same name that the user uploads? For example, if a user uploads a file 'test.png' 2x in a row, what should happen to the second filename? From the script above, both will get a unique filename, but how would I as the user access that image again? I couldn't just query because the only name I know was the duplicate name I gave it, and I definitely don't know the unique name the server gave it using the upload time...
Third, what is a good max file size for images?
You can report the unique URL back to the user after the upload so that the user will know where to find the image. So, the first test.png could be http://www.example.com/images/fjdklagjsdl.jpg and the second could be http://www.example.com/images/jklfsdlkj.jpg
You can also provide some kind of interface for users to view images they've uploaded. If you display a thumbnail of the uploaded image next to the image's unique filename, it will be easy for the user to identify which image is which.
This is the method I use:
Users upload images
Server saves the image with a unique (GUID or something) filename and stores both the unique generated filename and the original uploaded filename in a database
Images are linked to using either the original_filename, unique_filename or primary_key for the images table.
The images are taken from the server, and served using the original filename stored in the database. This way you avoid chances of conflicting filenames and you preserve the image's original filename. In addition, this allows you to build a search on the original_filename column for the user to use.
With this method, unique filenames never have to be exposed to the user; instead they're used to locate the image associated with a specific id or original_filename in the 'images' table.
Of course, if you don't care about giving the original filename to the image when it's displayed, you can just generate a unique filename whenever you want to store it.
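A serving script that ties together the snippet earlier on this page (header() + readfile() for a file outside the document root) and the scheme just described (unique stored name on disk, original name kept in the database and offered back to the browser). This is an added PHP example, not code from any of the answers. It assumes a PDO connection in $pdo, an `images` table with id, user_id, stored_name, original_name and mime columns (mime recorded from server-side detection at upload time), files under UPLOAD_DIR, and that only the owner may view an image; all of those are hypothetical.

```php
<?php
// Added example: serve an image located by database id from outside the
// document root, with the original filename in Content-Disposition.
// $pdo, the `images` table, UPLOAD_DIR and the owner-only rule are assumed.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed, outside the document root

function serve_image(PDO $pdo, int $imageId, ?int $viewerId, bool $download = false): void
{
    $stmt = $pdo->prepare(
        'SELECT user_id, stored_name, original_name, mime FROM images WHERE id = :id'
    );
    $stmt->execute([':id' => $imageId]);
    $img = $stmt->fetch(PDO::FETCH_ASSOC);

    // Authorization rule is the application's; here only the owner may view.
    if ($img === false || $viewerId === null || (int) $img['user_id'] !== $viewerId) {
        http_response_code(404);
        return;
    }

    // stored_name is our own generated name (e.g. random hex plus extension);
    // original_name is display metadata and is never used to locate the file.
    $base = realpath(UPLOAD_DIR);
    $path = $base === false ? false : realpath($base . '/' . basename($img['stored_name']));
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0 || !is_file($path)) {
        http_response_code(404);
        return;
    }

    // Content-Type comes from the value we detected and stored at upload time,
    // never from the request; nosniff stops browsers from second-guessing it.
    header('Content-Type: ' . $img['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));

    // Offer the original filename: an ASCII-safe fallback for the quoted form
    // and a percent-encoded UTF-8 form (RFC 6266 / RFC 5987) for the full name.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', $img['original_name']) ?: 'image';
    $disp = $download ? 'attachment' : 'inline';
    header(sprintf(
        "Content-Disposition: %s; filename=\"%s\"; filename*=UTF-8''%s",
        $disp, $safe, rawurlencode($img['original_name'])
    ));

    readfile($path);
    exit;
}

// Usage (hypothetical): image.php?id=42 and image.php?id=42&dl=1
// session_start();
// serve_image($pdo, (int) ($_GET['id'] ?? 0), $_SESSION['user_id'] ?? null, isset($_GET['dl']));
```

Keeping the files outside the document root means the web server cannot be asked for them directly; every request passes through this script, which is where the ownership check and the trusted Content-Type live.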

best way to store images and then display them

I have a form that searches a mysql db for whatever the user is after, and returns the results on the same page in a div (using ajax then php to search mysql)...
The results are ads, as cars for example, and I want each ad to have a unique image associated with it so that it displays the images next to the ads...
Storing images in BLOBs isn't really a good solution, I have heard...
How would I do this the best way?
Thanks
A fast way would be to store images in a folder, giving them unique filenames in the folder, or in separate folders if you want to put images of different categories in separate places. After searching the available ads, read the associated unique file names and serve them to the client.
Suppose you save images related to car ads in folder /images/cars/. User searches for Audi S6 and the result returns 5 ads.
Now we will proceed based on the naming of the image files. If you give the file related to each ad a unique name and put that name into the record for that ad, then simply get that name and create the image URL as follows:
/images/cars/ + result_row('image_name')
If you are naming images based on id of ad record then use this scheme:
/images/cars/ + result_row('id')
If you mean that at first you were sending image bytes in the response, then you don't need to do that. Simply send the constructed path and use it in the src property of the img tag.
PS: My PHP skills are not very good now!
Typically, you would want to store image records in the database as details about the image and then a file path to the actual image. Then, store the images in the regular file system.
As a side best practice, you typically will want to store the path relative to some common root; then you can append the file root so the store of images can be moved around.
i.e. store ads/cars/1005.jpg and then append a root of 'C:/myApp/images/'
Each unique ad will have a unique identifier in the database. You could create image subdirectories for a given set of images and save the images based on their unique identifier.
i.e. advertisement 506 could be stored in /img/506.jpg
Ultimately you would query the database for the advertisement and then you would assume you are loading the image with filename identifier + '.jpg'
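The "store a relative path, prepend a root" pattern from the last two answers, with the containment check that makes it safe to apply to any stored string: a relative path that tries to climb out of the root is rejected instead of resolved. This is an added PHP example, not code from the answers; the root directories, the ads/cars layout and the ad-id naming scheme are taken from the answers as illustrations, and the function names are hypothetical.

```php
<?php
// Added example: join a root and a stored relative path without ever
// resolving outside the root. Names and roots are assumptions.
declare(strict_types=1);

/**
 * Return $root . '/' . $relative as an absolute path, or null if $relative is
 * absolute, contains NUL or backslash, or tries to climb with "..".
 * Normalises lexically so it also works for files that do not exist yet.
 */
function resolve_under_root(string $root, string $relative): ?string
{
    $root = rtrim($root, '/');
    if ($relative === ''
        || $relative[0] === '/'
        || strpos($relative, "\0") !== false
        || strpos($relative, '\\') !== false) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $relative) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                // collapse "//" and "./"
        }
        if ($seg === '..') {
            return null;             // any climb is refused, not just a net climb
        }
        $parts[] = $seg;
    }
    return $parts === [] ? null : $root . '/' . implode('/', $parts);
}

/** Filesystem location, e.g. under the 'C:/myApp/images/' root from the answer. */
function image_file(string $fileRoot, string $relative): ?string
{
    return resolve_under_root($fileRoot, $relative);
}

/**
 * Public URL for the same relative path under a path-only URL root such as
 * /img; each segment is percent-encoded so odd characters cannot break the URL.
 */
function image_url(string $urlRoot, string $relative): ?string
{
    $joined = resolve_under_root($urlRoot, $relative);
    if ($joined === null) {
        return null;
    }
    return implode('/', array_map('rawurlencode', explode('/', $joined)));
}

/** The id-based naming scheme from the answer: advertisement 506 -> ads/cars/506.jpg. */
function ad_image_relative(int $adId, string $category = 'cars'): string
{
    // $category is restricted to a simple token so it can never carry a path.
    if (!preg_match('/^[a-z0-9_-]+$/', $category)) {
        throw new InvalidArgumentException('bad category');
    }
    return sprintf('ads/%s/%d.jpg', $category, $adId);
}

// Usage (hypothetical):
// $rel = ad_image_relative(506);                         // from the ad record's id
// $onDisk = image_file('C:/myApp/images', $rel);        // where to read the bytes
// $src    = image_url('/img', $rel);                     // what goes in <img src="">
// image_file('C:/myApp/images', '../../secret.txt');    // null: rejected
```

Moving the image store later is then a one-line change to the root, and a bad value in the database (or one that arrived through a form) cannot turn the root into a starting point for reading arbitrary files.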
