[英]How do I secure private photos that a user uploads on my site?
I am using PHP/MySQL to handle the image uploading. 我正在使用PHP / MySQL来处理图像上传。 I want all images that are uploaded to the logged in user's gallery to only be accessible by the logged in user. 我希望所有上传到登录用户图库的图像只能由登录用户访问。 I do not want people to be able to guess the file name and directly link to it. 我不希望人们能够猜出文件名并直接链接到它。
I am thinking that I can just store the images outside the webroot and access them through some PHP. 我想我可以将图像存储在webroot之外,并通过一些PHP访问它们。 However, if the user wants to later share the image with a friend via a link, how would I allow that? 但是,如果用户想要稍后通过链接与朋友分享图像,我该如何允许?
Are there any other steps I need to take to make sure only the user can see their photos? 我还需要采取其他措施来确保只有用户可以看到他们的照片吗? I take user privacy very seriously and want to get this right. 我非常重视用户隐私,并且想要做到这一点。
Thanks for your help in advance! 感谢您的帮助!
You are correct in your original assumption. 你原来的假设是正确的。 Store your files outside of the public directory and use a PHP script to check authorization and display the image. 将文件存储在公共目录之外,并使用PHP脚本检查授权并显示图像。
To get around the sharing problem you can give them an area where they can say "Share this photo" and it will display a URL like 为了解决共享问题,你可以给他们一个区域,他们可以说“分享这张照片”,它会显示一个像这样的网址
http://www.yoursite.com/image/12390123?v=XA21IW
XA21IW would be some unique hash stored in a table and they can specify a lifetime or you can code one yourself. XA21IW将是存储在表中的一些唯一哈希值,它们可以指定生命周期,也可以自己编写代码。 When the page loads and v is passed in you can lookup a table to determine if it is a valid hash for that image id. 当页面加载并传入v时,您可以查找表以确定它是否是该图像ID的有效哈希。
You have some options here. 你有一些选择。 Every time they click "Share this photo" you can: 每次他们点击“分享这张照片”,您都可以:
Or simply allow images to be public/private. 或者只是允许图像公开/私密。
You could use a profile(user)-based sharing system, where logged-in user A can indicate that logged-in user B is allowed to view image C, and can add/remove such permissions at will. 您可以使用基于配置文件(用户)的共享系统,其中登录的用户A可以指示允许登录的用户B查看图像C,并且可以随意添加/删除此类权限。
If linking viewing to a user account is not possible, you could have 'view passwords' on the images or on groups of images (such as a gallery); 如果无法将查看链接到用户帐户,则可以在图像或图像组(例如图库)上“查看密码”; the URL to view the images would check if the user/owner is the one viewing and if not, it would demand the password. 查看图像的URL将检查用户/所有者是否是查看者,如果不是,则需要密码。
I think there is no problem is storing the images outside the webroot and access them through some PHP. 我认为将图像存储在webroot之外并通过某些PHP访问它们没有问题。 You can always access them with the php script, when ever user shares it.. even it is more secure to do so, beacuse you can always perform some security checks. 当用户共享它时,您总是可以使用php脚本访问它们。即使这样做更安全,因为您始终可以执行一些安全检查。 before actually displaying the image. 在实际显示图像之前。
Thanks. 谢谢。
You save image to your server, place image name, data what you need and some hash in you DB .... than you set path of image to php file called images.php where you receive this hash with GET and find image by hash from you DB and with header set to image/GIF example create image. 您将图像保存到您的服务器,将图像名称,数据放在您需要的数据和一些哈希数据库....比将图像路径设置为名为images.php的php文件,其中您通过GET接收此哈希并通过哈希查找图像从您DB和标题设置为图像/ GIF示例创建图像。 Path to image will be images.php?hash=abcdefg. 图像的路径是images.php?hash = abcdefg。
Other thinks about user permission and so... I think there are some responds with this solutions... it is quiet easy... 其他人考虑用户许可等等...我认为有一些回应这个解决方案...它很安静容易...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.