php,image download

Question

Hi, when users upload the image i save it to the image folder in htdocs directory. so any user without logging into site can go type the url/images/"name" would get it. what is the best way to prevent this. since the browse would just request just like the user typing directly in the address bar the location of the image. I was thinking of using a script to download each image file from a directory after checking the session details. Do you think will it will a good approach if so can you suggest me a script. I don't want to use database. I think it will be slow. OR if it is the better approach let me know.

THnks

Answer 1

Yes you could have a image.php file that just adds the userid at the end and displays the image. Its not that much code actually.

An example is in the readfile() documentation. But that downloads the image, you could just skip the attachment header and use a content-type header.

You could save the image location in a database, that way its not slow.. as I do not recommend storing pure image data in a database

Answer 2

You could put it outside the htdocs/ directory, and mod_rewrite the images/ dir to image.php or something. So url/images/test.jpg would translate to image.php?path=test.jpg

image.php may look something like this:

<?php
if($loggedin) {
    header("Content-Type: image/jpeg");
    echo file_get_contents("../images/".$_GET["path"]);
}
?>

Don't forget to sanitize the input! You don't want the user to access arbitrary files.

Answer 3

If you are not using an authentication library I would use $_SESSION to track if the user is logged in, but also create a fingerprint just to make it more difficult to hijack sessions:

$_SESSION['loggedIn'] = 1;

is a bad way to do it since I can pass ?PHPSESSID=933883&loggedIn=1 and basically trick the application.

$_SESSION['userid'] = 100;
$_SESSION['fingerprint'] = jskdskjdjdk48924829dkshjdkshdjkhsdjsd;

'fingerprint' is some MD5 encrypted string with a salt, ex. username+password+"any string you want" that only you know of. You create the fingerprint on login and have a function validate the fingerprint stored in the session around critical code. This is a basic, example and you can make use of better auth modules present in many PHP frameworks like CakePHP when you get more comfortable with PHP.

Answer 4

When they are logged in, set a cookie

then in a readimg.php check for the cookie

then the input for readimg.php?i=img.png

have the readimg.php only check a specific folder for images

Answer 5

That's what I'm doing here:

http://numetrocontent.co.za/basic_movie_info.php?movieid=0412

The image you see is a low-res version of a file stored on the server, which you can't see. If you're logged in, you can click on the image to download the original file. If you're not, you can't. You can, however, set arbitrary resolutions for the rendering, but that is by choice.

Answer 6

Instead of using echo file_get_contents(...) I would recommending using fpassthru to avoid having "out of memory" errors that could occur with large files.