开发者

php image storing - security

I guess I have 2 approaches to store images in a php application: either to store them in a database or to a folder with unique names. Considering that I want to minimize the database connections, how can I secure a folder that has images uploaded by the users?

So basically, each user will have a profile and will upload their photos to the website to sha开发者_StackOverflow中文版re them with whoever they want. I plan to store them as follows:

/root/somefolder/{userid}{uniquenumber}.jpg

If I configure the htaccess to prevent access to the current folder, will it be enough? Or should I have some other security precautions?

Cheers


Either to store them in a database or to a folder with unique name

Databases are optimized for storing small pieces of data rather than big blobs. You'll get better performance if you let the normal OS and web server handle file delivery. Using normal files saves you from having to re-implement handling of HTTP cache headers and range requests too.

But either way, these resources need URLs, so the second part of your question is still relevant.

If I configure the htaccess to prevent access to the current folder, will it be enough?

I should think that will be enough. As long as the unique part is long (e.g., "somefolder/738b3093b898654bd3bbb9e3770e7fc0.jpg") and doesn't follow a pattern there is no way to guess it.

But unless you really need the userid in the file name, avoid it. Facebook includes the user profile ID is part of the photo file name, so when people share the photo files somewhere else it allows discovery of their Facebook profile and real name. I've seen it cause stalking and harrassment in multiple online communities. It's not the user's fault -- they have no idea they're giving away their real name or friend's real name by posting a photo somewhere.

Another consideration is that as such a system grows and it gets a massive number of files, it's an awful burden on the file system if they're in just one folder. You can prevent that easily by repeating or splitting part of the name in subfolders. E.g., "somefolder/7e/7e8b3093b898654bd3bbb9e3770e7fc0.jpg".


If you do want some additional security, you can store your files in a folder outside the web site's public path. Build a page such as http://example.com/get_photo/?id=12345 where that page verifies the user is logged in and has authority for the photo, then finds the actual filename and includes that file in the response. Remember that you will need to issue the correct MIME-type header for your image format.


Actually, many database engines will store BLOBs of data as separate files anyway, so just store your images as files in the first place. It will make your database much smaller, easier to administer, easier to backup and easier to restore in an emergency.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜