I am using PHP/MySQL to handle the image uploading. I want all images that are uploaded to the logged in user's gallery to only be accessible by the logged in user. I do not want people to be able to guess the file name and directly link to it.

I am thinking that I can just store the images outside the webroot and access them through some PHP. However, if the user wants to later share the image with a friend via a link, how would I allow that?

Are there any other steps I need to take to make sure only the user can see their photos? I take user privacy very seriously and want to get this right.

Thanks for your help in advance!

A: 

You could use a profile(user)-based sharing system, where logged-in user A can indicate that logged-in user B is allowed to view image C, and can add/remove such permissions at will.

If linking viewing to a user account is not possible, you could have 'view passwords' on the images or on groups of images (such as a gallery); the URL to view the images would check if the user/owner is the one viewing and if not, it would demand the password.

Andrew Barber
+6  A: 

You are correct in your original assumption. Store your files outside of the public directory and use a PHP script to check authorization and display the image.

To get around the sharing problem you can give them an area where they can say "Share this photo" and it will display a URL like

http://www.yoursite.com/image/12390123?v=XA21IW

XA21IW would be some unique hash stored in a table, and they can specify a lifetime or you can code one yourself. When the page loads and v is passed in, you can look up a table to determine if it is a valid hash for that image id.

You have some options here. Every time they click "Share this photo" you can:

  1. Destroy all old hashes
  2. Add on to the stack
  3. Allow them to configure an expiration etc...

Or simply allow images to be public/private.

methodin
+1 I was 2s away from posting something very similar.
ign
Thanks for the quick response. That is very similar to the approach I planned on taking. I basically wanted to make sure there wasn't a more secure way and that I wasn't forgetting anything. Thanks!
sherril8
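An added example of the share-link check described in the answer above; it is not code from any poster in this thread. The table and column names (`images`, `share_tokens`, `token_hash`, `expires_at`) and the function names are assumptions made for illustration, and the demo data is constructed.

```php
<?php
declare(strict_types=1);
// Added example. Table and column names are assumptions, not from the answer.

function createShareToken(PDO $db, int $imageId, int $ttl, bool $revokeOld = false): string
{
    if ($revokeOld) {                        // option 1: destroy all old hashes
        $db->prepare('DELETE FROM share_tokens WHERE image_id = ?')->execute([$imageId]);
    }
    $token = bin2hex(random_bytes(16));      // 128 bits from the CSPRNG, not derived from the id
    $db->prepare('INSERT INTO share_tokens (image_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$imageId, hash('sha256', $token), time() + $ttl]);
    return $token;                           // goes into ?v=...; the table keeps only its hash
}

function mayView(PDO $db, int $imageId, ?int $userId, ?string $token): bool
{
    $stmt = $db->prepare('SELECT owner_id FROM images WHERE id = ?');
    $stmt->execute([$imageId]);
    $owner = $stmt->fetchColumn();
    if ($owner === false) {
        return false;                        // unknown image id
    }
    if ($userId !== null && (int) $owner === $userId) {
        return true;                         // the logged-in owner always sees their image
    }
    if ($token === null || $token === '') {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT 1 FROM share_tokens WHERE image_id = ? AND token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([$imageId, hash('sha256', $token), time()]);
    return $stmt->fetchColumn() !== false;   // must match this image and be unexpired
}

// Constructed demo data in in-memory SQLite (the question uses MySQL; the queries are plain SQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, owner_id INTEGER)');
$db->exec('CREATE TABLE share_tokens (image_id INTEGER, token_hash TEXT, expires_at INTEGER)');
$db->exec('INSERT INTO images VALUES (12390123, 7), (12390124, 8)');
$first  = createShareToken($db, 12390123, 3600);
$second = createShareToken($db, 12390123, 3600, true);   // revokes $first
foreach ([[12390123, 7, null], [12390123, null, $second], [12390123, null, $first],
          [12390124, null, $second], [12390123, null, 'XA21IW']] as [$id, $uid, $tok]) {
    printf("image=%d user=%s token=%s allowed=%s\n", $id, $uid ?? '-', $tok ?? '-',
        var_export(mayView($db, $id, $uid, $tok), true));
}
```

The image script would call `mayView()` with the session's user id and the `v` query parameter, and only then read the file from its location outside the webroot.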
A: 

I think there is no problem in storing the images outside the webroot and accessing them through some PHP. You can always access them with the PHP script whenever the user shares it. It is even more secure to do so, because you can always perform some security checks before actually displaying the image.

Thanks.

Chetan sharma
A: 

You save the image to your server and place the image name, whatever data you need and some hash in your DB. Then you set the path of the image to a PHP file called images.php, where you receive this hash with GET, find the image by hash in your DB and, with the header set to image/GIF for example, create the image. The path to the image will be images.php?hash=abcdefg.

Other things about user permissions and so on... I think there are some responses with these solutions... it is quite easy...

jatt