Wednesday, April 16, 2014

PHP image gallery privacy


Guest
Posted on 05-07-09 17:43
Hey Guys,

Basically, I'm trying to create an image gallery to which users can upload photos, and when they log in, little thumbnails of each photo are shown. At the minute, I'm trying to devise a way to protect each user's images. So, say I log in, and I right click an image and view its source URL, it might give me something like:

http://mysite.com/users/demifuror/1.jpg

So then, you could just change the username to view another user's images. The thing is, I don't want that to happen!

I'm sure there's a better way to do things, even, a better way to store images rather than in a directory accessible by regular users.

Can anyone maybe talk me through the right approach to protecting a user's privacy, or maybe link me to a tutorial describing the correct way to go about things?

RE: PHP image gallery privacy

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 05-07-09 19:36
Tie sessions to IPs, tie the "pictureviewer.php" to a session.

If you don't know how to do this, ask (specific) questions about what you don't understand.

Good luck!



"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
http://bitsofspy.net

RE: PHP image gallery privacy


Guest
Posted on 05-07-09 20:10
You could also encrypt the usernames in the URL. That's very insecure xD, but it would be an okay temp. fix while you get session IDs set up.



RE: PHP image gallery privacy


Guest
Posted on 05-07-09 22:59
Okay, so using a PHP page to display a specific image based on the image ID, and whether or not a user is allowed to view it, seems fine. But the problem I was thinking about had more to do with how I'd store an image file on my server. It seems that the best way to store it is in folders, maybe in a hierarchy like year/month/day/, and then have the filename encrypted, use a robots.txt file to prevent crawlers from listing the files, and use .htaccess to prevent the listing of files in an "index of" type page.

That way, a malicious user won't be able to navigate to a specific user's image directory, rather a directory that contains all images uploaded on a specific date, and when they do, I can maybe just put in a redirect to the home page or something, instead of having the server list all images in the directory. I think that's what Facebook and Bebo use anyway...

Anything else spring to mind to try and improve security?

RE: PHP image gallery privacy

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 05-07-09 23:07
Just disallow direct access using .htaccess.




RE: PHP image gallery privacy

ranma
Member



Posts: 273
Location: Behind a sphere
Joined: 27.08.05
Rank:
Active User
Posted on 08-07-09 15:10
Or you could save the image files as a unique ID plus the username md5 hashed, that should be safe enough.

Btw, if you need some code on thumbnails and such, I can give you tons of help. I am making such a website for a friend right now. Almost done.


Wisdom spared is wisdom squared.
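
The approach discussed in this thread (a `pictureviewer.php` tied to the session and its IP, images looked up by ID, no direct access to the files), as an added example that is not code from any poster. The table layout, session keys, DSN and storage path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// pictureviewer.php?id=<image id>  (added example, not code from the thread)
// Assumed: table images(id, owner_id, stored_name, mime); login code sets
// $_SESSION['user_id'] and $_SESSION['ip']; storage directory is outside the web root.

const IMAGE_DIR = '/var/www/private_images';   // hypothetical path, not under DocumentRoot
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();

// 1. A session must exist and still come from the IP it was created on.
if (!isset($_SESSION['user_id'], $_SESSION['ip'])
    || $_SESSION['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
    deny(403);
}

// 2. The image is named by numeric ID only: no username or path in the URL.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    deny(400);
}

// 3. Ownership check: the row must belong to the logged-in user.
$pdo = new PDO('sqlite:/var/www/private/gallery.db');   // hypothetical DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('SELECT stored_name, mime FROM images WHERE id = ? AND owner_id = ?');
$stmt->execute([$id, $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || !in_array($row['mime'], ALLOWED_MIME, true)) {
    deny(404);   // same answer for "no such image" and "not yours"
}

// 4. Resolve the file and confirm it really sits inside IMAGE_DIR.
$path = realpath(IMAGE_DIR . '/' . basename($row['stored_name']));
if ($path === false || strpos($path, IMAGE_DIR . '/') !== 0) {
    deny(404);
}

header('Content-Type: ' . $row['mime']);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

With the files kept outside the document root there is no URL that reaches them directly; if they have to stay under it, the .htaccess deny mentioned above closes that path and the script remains the only way to fetch an image.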