What is the best location on server to upload images?

Among many folders available on the server by default like "public_html", "public_ftp" or simply the root, which one is the b开发者_开发问答est to upload and store users' images safely which I can also add a link to mysql db?

If your clients upload images via http form, store it in public_html if they need access it from web.

I recommend you to save the files somewhere in "public_html" and create the following file to restrict public access:

file: upload/.htaccess

deny from all

In your php script you can send the files only to the users with access.

In my opinion, store it outside of the public htdocs folder. This is so that if someone manages to upload anything other than an image file (such as an evil PHP script), they won't be able to call it (and it won't run).

If you're public_html folder is say /path/to/website/public_html I'd store them in /path/to/website/uploaded_images

Also, make sure you that validate it so that it uses a white-list of allowed image names (such as only allowing .jpg, .gif and .png)

Edit: You also need to create a script which opens the image file and passes it through back to the user

Define safely.

If you want to display these images on a site, that will be a folder in public_html, obviously, unless you want to use a script which presents the images to the user, possibly altering the image on-the fly, changing cache headers etc. Then you may move that folder outside of docroot anywhere the script will have access to those files.

Personally I store user images, files and everything in docroot, protected by .htaccess and accessed via a script which handles user permissions, if necessary. The files reside in an /uploaded folder with subfoldering up to 2 levels deep, each 'level' storing up to 1024 dirs/files. Files are named by their ids only, without any extension, all file info is stored in database. Took me some time to implement, but thankfully this is a reusable code.

Any folder inside your document root is fine. If you want it to be secure, make sure your script accepts only allowed file typed and, as another measure, put an .htaccess file inside that folder:

<FilesMatch "*.php">
    SetHandler None
</FilesMatch>

This will ensure nothing get's executed from inside this directory.