Hello all,

I have read the following tutorial "Uploading Files To the Server Using PHP" and have several questions related to the topics.

Q1> The tutorial mentions that

"Note that PHP must have write access to $uploadDir or else the upload will fail"

For me, I only allow the user to upload the file after the user has logged in to the website. If we set the $uploadDir permission to 777, then everyone has write permission to that folder. How can I avoid this problem?

Also, I am using WAMP as my test bed; can I simulate the same case as a real web server?

Q2> In order to prevent direct access, the tutorial mentions:

"A better approach is to move the upload directory away from your web root. For example, the web root for this site is: /home/arman198/public_html/ to prevent direct listing i can set the upload directory to /home/arman198/upload/."

Now my problem is how I can display the uploaded images on other website pages, since the upload is not directly accessible anymore. I need to display the uploaded image, say a personal headshot, dynamically on another website page. Is it possible?

Thank you

+2  A: 

For the second question, you can use a PHP script instead of direct access to the directory. Let's name it image.php. Let's assume that it can take a parameter id, like image.php?id=image_id. In that file you can get the id using the superglobal array $_GET. Then you can search for the image with that id and just send it as the response.

First one I'm not sure, but maybe play with .htaccess file.

Ventus
Hello Ventus, I didn't state my question 2 clearly. I should have said the following: The other website wants to use the link to the image to display the headshot. Then it seems that I cannot store the image outside the WWW folder.
q0987
I think it doesn't really matter. As I mentioned, you can link to a PHP script which can send the image back. The purpose of the image is not relevant. Many services work like that (Imageshack, Picasa, etc.)
Ventus
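
An added sketch of the image.php approach suggested in this answer (not code posted by anyone in the thread). It assumes the files sit outside the web root in the directory named by the quoted tutorial and are stored under a 32-character hex id with no extension; the constant names and the id format are assumptions.

```php
<?php
// image.php?id=<32 hex chars>  (added example; names and id format are assumptions)
declare(strict_types=1);

const UPLOAD_DIR = '/home/arman198/upload';   // outside public_html, per the quoted tutorial
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

function fail(int $status): void
{
    http_response_code($status);
    exit;
}

// Accept only the exact id format the site generates.
// This rejects "../", slashes, NUL bytes and anything else path-like.
$id = $_GET['id'] ?? '';
if (!is_string($id) || preg_match('/\A[a-f0-9]{32}\z/', $id) !== 1) {
    fail(400);
}

// Resolve symlinks and confirm the result is really inside the upload directory.
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . '/' . $id);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    fail(404);
}

// Take the Content-Type from the file's bytes, not from anything the uploader sent.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, ALLOWED_TYPES, true)) {
    fail(404);
}

header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');   // stop browsers re-guessing the type
readfile($path);
```

Another site can then embed the headshot with an ordinary image link to image.php?id=..., while the upload directory itself stays unreachable by URL.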
A: 

And for the first question, try setting your permissions to 775. That should allow PHP to write the file to the directory without giving the general public write access.

kevinmajor1
+1  A: 

It's a common problem.

All modern computers have a temporary files directory. On Linux/Unix it's /tmp, on Windows it's usually c:\temp. The OS install will have set permissions on that directory so that anyone can write files there but only privileged users can delete files that don't belong to them. This is where PHP will want to put an uploaded file; your application then has to move it elsewhere (this is the purpose of the move_uploaded_file() function). PHP under Windows may need upload_tmp_dir actually set in the php.ini file.

Once you have an uploaded file, you can shift it wherever you like, including to where the webserver can read it to serve it. The biggest problem with that is that it is awfully easy to put this directory inside your codebase. Don't do that. As soon as you do anything beyond editing the files inside the directory they are served from, it will be problematic. Trust me: I've dealt with this a few times in code I've inherited. It's easy to let your webserver load files from a location outside your codebase.

The other alternative is to produce a download script. That way the file need not be servable by the webserver at all. One disadvantage is that you don't get to leverage the web server's MIME translation, but then, that lets you control which types of image files are permitted.

staticsan
"The biggest problem with that it is awfully easy to put this directory inside your codebase." When you said codebase, I cannot follow you. Can you give me an example or tutorial where I can use a technique similar to the one you have used? Thank you
q0987
Say your Apache DocumentRoot is `/var/www/html` and your website is in `/var/www/html/website`. Putting the directory for uploaded files in `/var/www/html/website/uploaded-images` is putting your uploads inside your codebase. In this example, I suggest putting it somewhere like `/var/www/html/uploaded-images`.
staticsan
Hello Staticsan, Currently, I am using WAMP for a prototype. Based on your suggestion, my homepage starts from C:\wamp\www\index.php. Now, it seems that I can only use the C:\wamp\www\uploaded_images folder to store the uploaded files. But I don't think this follows your rules. I would like to use your method, but how in this structure? If I use C:\wamp\uploaded_images, then the uploaded image cannot be accessed by other dynamic web pages. The uploaded image will be MD5 so others will find it hard to know the image file name. Thank you
q0987
The simple solution is to move your code down a directory, so it's in `c:\wamp\www\app\index.php`. Then you can put your images in `c:\wamp\www\uploaded_images`. A slightly more complex solution is to set up a virtual directory so that whilst http://localhost/app/ goes to `c:\wamp\www\app\`, http://localhost/uploaded_images reads from `c:\wamp\uploaded_images`.
staticsan
Thank you very much for your generous help.
q0987
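
An added sketch of the upload side discussed in this thread (not code posted by anyone here): accept the file only from a logged-in session, check its real type, and move it with move_uploaded_file() to the directory outside the web root. The form field name, session key and size limit are assumptions, and a random 32-hex-character name stands in for the MD5 name mentioned above.

```php
<?php
// upload.php  (added example; "headshot", "user_id" and MAX_BYTES are hypothetical)
declare(strict_types=1);

const UPLOAD_DIR = 'C:/wamp/uploaded_images';   // outside C:\wamp\www, as in the comments
const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

function reject(int $status, string $why): void
{
    http_response_code($status);
    exit($why);
}

// Who may upload is decided by the application, not by directory permissions.
session_start();
if (empty($_SESSION['user_id'])) {
    reject(403, 'login required');
}

// A single file with no upload error; an array here means "headshot[]" was sent.
$file = $_FILES['headshot'] ?? null;
if (!is_array($file) || !is_int($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
    reject(400, 'upload failed');
}
if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
    reject(400, 'bad upload');
}

// Inspect the temp file's bytes; $file['type'] and $file['name'] are client-supplied.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (!in_array($type, ALLOWED_TYPES, true)) {
    reject(415, 'only JPEG, PNG or GIF');
}

// Server-chosen name with no extension, so the stored file is never treated as a script.
$id = bin2hex(random_bytes(16));
if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
    reject(500, 'could not store file');
}

echo $id;   // store this id with the user's record and use it to look the image up
```

Only the account the web server runs PHP as needs write access to the upload directory.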