0

I guess I have 2 approaches to store images in a PHP application: either to store them in a database or to a folder with unique names. Considering that I want to minimize the database connections, how can I secure a folder that has images uploaded by the users?

So basically, each user will have a profile and will upload their photos to the website to share them with whoever they want. I plan to store them as follows:

/root/somefolder/{userid}{uniquenumber}.jpg

If I configure the htaccess to prevent access to the current folder, will it be enough? Or should I have some other security precautions?

Cheers

Shaokan
  • You could make the directory web-inaccessible and use a script to check the permissions, and serve the file requested if they have permission. – Jared Farrish Oct 07 '11 at 22:29
  • possible duplicate of [Storing Images in DB - Yea or Nay?](http://stackoverflow.com/questions/3748/storing-images-in-db-yea-or-nay) – Marc B Oct 07 '11 at 22:36
  • Don't put images in a database. Sure, the `BLOB` field is there, but so is the filesystem! – Bojangles Oct 07 '11 at 22:37
  • @MarcB, I am asking about the security flaws, not the pros and cons... – Shaokan Oct 07 '11 at 23:00

3 Answers

5

> Either to store them in a database or to a folder with unique name

Databases are optimized for storing small pieces of data rather than big blobs. You'll get better performance if you let the normal OS and web server handle file delivery. Using normal files saves you from having to re-implement handling of HTTP cache headers and range requests too.

But either way, these resources need URLs, so the second part of your question is still relevant.

> If I configure the htaccess to prevent access to the current folder, will it be enough?

I should think that will be enough. As long as the unique part is long (e.g., "somefolder/738b3093b898654bd3bbb9e3770e7fc0.jpg") and doesn't follow a pattern there is no way to guess it.

But unless you really need the userid in the file name, avoid it. Facebook includes the user profile ID as part of the photo file name, so when people share the photo files somewhere else it allows discovery of their Facebook profile and real name. I've seen it cause stalking and harassment in multiple online communities. It's not the user's fault -- they have no idea they're giving away their real name or friend's real name by posting a photo somewhere.

Another consideration is that as such a system grows and it gets a massive number of files, it's an awful burden on the file system if they're in just one folder. You can prevent that easily by repeating or splitting part of the name in subfolders. E.g., "somefolder/7e/7e8b3093b898654bd3bbb9e3770e7fc0.jpg".

Boann
1

If you do want some additional security, you can store your files in a folder outside the web site's public path. Build a page such as http://example.com/get_photo/?id=12345 where that page verifies the user is logged in and has authority for the photo, then finds the actual filename and includes that file in the response. Remember that you will need to issue the correct MIME-type header for your image format.

user984869
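
A sketch of the `get_photo` page described in the answer above, added here as an example and not code from any of the posters. The storage path, the SQLite file, the `photos` and `photo_shares` tables, and the `$_SESSION['user_id']` key are all assumptions; it also assumes the PDO SQLite and fileinfo extensions are available.

```php
<?php
// Added example. Hypothetical names: PHOTO_DIR, the SQLite file, the tables
// photos(id, owner_id, stored_name) and photo_shares(photo_id, user_id),
// and $_SESSION['user_id'] being set by the site's login code.
declare(strict_types=1);
const PHOTO_DIR = '/var/app-data/photos';        // outside the web root
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();
$userId  = $_SESSION['user_id'] ?? null;
$photoId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($userId === null) {
    deny(401);                                   // not logged in
}
if (!is_int($photoId)) {
    deny(400);                                   // missing or non-numeric id
}

$db = new PDO('sqlite:/var/app-data/app.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $db->prepare(
    'SELECT p.stored_name FROM photos p
      WHERE p.id = :id AND (p.owner_id = :uid OR EXISTS (
            SELECT 1 FROM photo_shares s
             WHERE s.photo_id = p.id AND s.user_id = :uid2))'
);
$stmt->execute([':id' => $photoId, ':uid' => $userId, ':uid2' => $userId]);
$storedName = $stmt->fetchColumn();
if ($storedName === false) {
    deny(404);               // same reply for "no such photo" and "not shared with you"
}

// The file name comes from the database, never from the request; basename()
// is a second guard against path traversal should a bad row get in.
$path = PHOTO_DIR . '/' . basename((string) $storedName);
$mime = is_file($path) ? (new finfo(FILEINFO_MIME_TYPE))->file($path) : false;
if (!in_array($mime, ALLOWED_TYPES, true)) {
    deny(404);                                   // missing, or not an image we serve
}

header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The MIME type is detected from the stored bytes rather than trusted from the upload's file extension, and `nosniff` stops browsers from reinterpreting the response as something other than the declared image type.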
1

Actually, many database engines will store BLOBs of data as separate files anyway, so just store your images as files in the first place. It will make your database much smaller, easier to administer, easier to back up and easier to restore in an emergency.

user984869