Proper method of storing private images on server?
Question
I have written a PHP script to retrieve images that are NOT under the public_html folder. The script authenticates the user has permission to view the image then displays it. The image permissions are set to "0755"
Is this a secure method to prevent other people from viewing private images? Would hashing the image file name add any security benefit? Are there any other alternative methods that could improve this script?
script of image_retrieval.php
<?php
include '../user_verification.php';
$image_request = $_GET['image_request'];
$pic = file_get_contents("/home/username/images/'.$image_request.'");
header('Content-type: image/jpeg');
echo $pic;
?>
script of display_image.php
<?php
include '../world/verification.php';
$image_request = $_GET['image_request'];
echo"<img src='http://www.domainname.com/request_image.php?userid=$userid&image_request=$image_request'>";
?>
<form id='image_requester' method='get' action='display_image.php'>
<input type="text" id="image_request" name="image_request">
<input type="hidden" value="<?echo"$userid";?>" id="userid" name="userid">
<input type="submit" value="request">
</form>
2 answers
solution1
1 ACCPTED 2015-07-08 21:50:58
Since the images are not publicly available it is good enough. The only good thing about hashed names is that they would be more unique and you could store them all under one dir, but if you really wanted that i would recommend using timestamps as that would not clash with other images ever!
Otherwise storing of the images as hashes will only prove useful if the auth layer is somehow compromised. But if that happens then it isn't long before someone can list everything in there.
From the code you have posted above it seems that all images are in one place, what i would do is store each users images separately so that even if the auth layer is somehow compromised for a person, only that persons images are at risk rather than everyone's. If needed hash them as you said or store them with such names that don't clash with each other, while storing the reference to that image in the database.
solution2
0 2015-07-08 21:55:40
In PHP, the script handles the authentication, and once got validated it will set a few response headers with an 'X-Sendfile' that tells the web server to deliver a file; the script ends and the web server takes over.
check this:
http://blog.jasny.net/articles/how-i-php-x-sendfile/
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.