PHP image gallery privacy

demifuror
Member

Posts: 20
Location:
Joined: 22.06.09
Rank:
HBH Guru
Posted on 05-07-09 17:43
Hey Guys,

Basically, I'm trying to create an image gallery to which users can upload photos, and when they log in, little thumbnails of each photo are shown. At the minute, I'm trying to devise a way to protect each user's images. So, say I log in, and I right-click an image and view its source URL, it might give me something like:

http://mysite.com/users/demifuror/1.jpg

So then, you could just change the username to view another user's images. The thing is, I don't want that to happen!

I'm sure there's a better way to do things, even, a better way to store images rather than in a directory accessible by regular users.

Can anyone maybe talk me through the right approach to protecting a user's privacy, or maybe link me to a tutorial describing the correct way to go about things?

RE: PHP image gallery privacy

spyware
Member



Posts: 4190
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 05-07-09 19:36
Tie sessions to IPs, tie the "pictureviewer.php" to a session.

If you don't know how to do this, ask (specific) questions about what you don't understand.

Good luck!




"The chowner of property." - Zeph
“Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.”
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
http://bitsofspy.net

RE: PHP image gallery privacy

Tak11
Member



Posts: 33
Location: Texas
Joined: 16.08.08
Rank:
Uber Elite
Posted on 05-07-09 20:10
You could also encrypt the usernames in the URL; that's very insecure xD, but it would be an okay temp. fix while you get session IDs set up.


"If you can read this your probably not dead yet. :)" - JTHM

lot.31337@live.com warpedpoetlsc http://www.tak11.info

RE: PHP image gallery privacy

demifuror
Member

Posts: 20
Location:
Joined: 22.06.09
Rank:
HBH Guru
Posted on 05-07-09 22:59
Okay, so using a PHP page to display a specific image based on the image ID, and whether or not a user is allowed to view it, seems fine. But the problem I was thinking about had more to do with how I'd store an image file on my server. It seems that the best way to store it is in folders, maybe in a hierarchy like year/month/day/, and then have the filename encrypted, use a robots.txt file to prevent crawlers from listing the files, and use .htaccess to prevent the listing of files in an "index of" type page.

That way, a malicious user won't be able to navigate to a specific user's image directory, rather a directory that contains all images uploaded on a specific date, and when they do, I can maybe just put in a redirect to the home page or something, instead of having the server list all images in the directory. I think that's what Facebook and Bebo use anyway...

Anything else spring to mind to try and improve security?

RE: PHP image gallery privacy

spyware
Member



Posts: 4190
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 05-07-09 23:07
Just disallow direct access using .htaccess.





RE: PHP image gallery privacy

ranma
Member



Posts: 269
Location: Behind a sphere
Joined: 27.08.05
Rank:
HBH Guru
Posted on 08-07-09 15:10
Or you could save the image files as a unique ID plus the username MD5-hashed; that should be safe enough.

Btw, if you need some code on thumbnails and such, I can give you tons of help. I am making such a website for a friend right now. Almost done.


Wisdom spared is wisdom squared.
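
The approach spyware describes above (a pictureviewer.php tied to a session, the session tied to an IP, and no direct access to the image files) could look like the following. This is an added example, not code posted by anyone in the thread; the table layout, storage path, session keys and database credentials are assumptions.

```php
<?php
// pictureviewer.php?id=123 (added example, not code from the thread).
// Assumed: table images(id, owner_id, stored_name, mime); uploads saved under
// random names in /var/gallery-data, outside the document root; the login code
// sets $_SESSION['user_id'] and $_SESSION['ip'] (the client IP at login).
const STORAGE_DIR = '/var/gallery-data'; // hypothetical path
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];
function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();

// 1. Require a logged-in session that is still coming from the IP it was created on.
if (!isset($_SESSION['user_id'], $_SESSION['ip'])
    || $_SESSION['ip'] !== $_SERVER['REMOTE_ADDR']) {
    deny(403);
}

// 2. Accept only a numeric image id; the client never supplies a path or a username.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    deny(400);
}

// 3. The ownership check is part of the query, so another user's id returns no row.
$pdo = new PDO('mysql:host=localhost;dbname=gallery', 'gallery_user', 'change-me'); // placeholder credentials
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('SELECT stored_name, mime FROM images WHERE id = ? AND owner_id = ?');
$stmt->execute([$id, $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Same 404 for "not yours" and "does not exist", so responses do not reveal valid ids.
if ($row === false || !in_array($row['mime'], ALLOWED_MIME, true)) {
    deny(404);
}

// 4. basename() guards against a stored name that contains path separators.
$path = STORAGE_DIR . '/' . basename($row['stored_name']);
if (!is_file($path)) {
    deny(404);
}

header('Content-Type: ' . $row['mime']);
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Thumbnails are then referenced as `pictureviewer.php?id=...` in the gallery page, so no URL on the site contains a username or a file path.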
© HellBound Hackers 2008- 2009. Since 3rd December 2004.