Yesideez Posted August 14, 2006
I'm creating a site where users can upload three pics for their profiles. In the past I've made it so they supply a link to an image stored elsewhere and the site links to it. What I'd like to do instead is have it so they store their images on the server instead.
Should they be uploaded into the database or uploaded into a folder on the server instead?
I have written a script to allow users to upload files in the past but I need to be able to check that the file is in fact a valid image (JPEG or GIF) and not a script. If anyone can post some code on how to do this or even link me to a script that does it I'd be extremely grateful.
I'm also interested to know any security precautions I should take when allowing users to upload to the server as I've heard some stories of hackers getting in and erasing all the images - what CHMOD access should the folders be set to? I'm considering having the users upload into their own folders which my scripts would create when they create their accounts.
Many thanks.

fenway Posted August 14, 2006
I don't know of any PHP examples, but I would discourage storing the images in the DB unless you have a really good reason. It's much better to use the FS directly. As for security, provided the files are in a non-executable directory, you should be fine -- though a serve script solves many problems as well.

Chetan Posted August 14, 2006
Since you said three images for profile you would also have to code much for DB and so you need normal uploading to do wonders.
BTW, my question, what are the security risks if I upload images to a DB?

fenway Posted August 14, 2006
If they upload images like they're supposed to, then probably none... it's the malicious users you have to worry about, and whether or not the uploads are ever executed, things like that.

Chetan Posted August 15, 2006
But in case I only use the database to store my pics, not the uploads, is it safe?

fenway Posted August 15, 2006
Well, the storage is obviously "safe", it's just binary data... you just have to be careful how you use it.

chico1st Posted August 20, 2006
What is FS?
Also I'm using an fopen command on my images, I'm assuming that is running them? Which is bad
THANKS!

fenway Posted August 20, 2006
FS - file system. fopen() is just fine... I mean executing arbitrary uploads.

kenwvs Posted August 20, 2006
Just read this and have a question on file uploads. I have a form that people upload information on engine failures in it, and I want them to be able to add images as well. If I understand what you are saying, I should save the images themselves to a file (example a folder called images) on the server, and then just have a name of the image on the DB itself. I would then be able to call up these images when the file with the rest of the data is opened in a form?
Thanks,
Ken

fenway Posted August 21, 2006
That's exactly correct -- make sure to "clean" the filename, and keep the paths out of the DB.

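The advice in this thread (check that the upload really is a JPEG or GIF, store it on the file system in a directory that never executes scripts, keep only a file name in the DB) as an added PHP example that is not part of any post above. It generates its own file name instead of cleaning the client-supplied one; the function names, the `avatar` form field, the size limit and the `/srv/uploads/profile` path are assumptions.

```php
<?php
// Added example. Function names, the 'avatar' field and the paths are hypothetical.
const MAX_BYTES = 2097152; // assumed 2 MiB limit
const ALLOWED_TYPES = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];

// Returns 'jpg' or 'gif' when the file parses as that image type, else null.
function detect_image_ext(string $path): ?string
{
    $bytes = filesize($path);
    if ($bytes === false || $bytes === 0 || $bytes > MAX_BYTES) {
        return null;
    }
    // getimagesize() reads the image header; index 2 is an IMAGETYPE_* constant.
    $info = @getimagesize($path);
    return $info === false ? null : (ALLOWED_TYPES[$info[2]] ?? null);
}

// Validates one $_FILES entry, moves it into $destDir, returns the stored name.
function store_profile_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    $ext = detect_image_ext($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('Only JPEG and GIF images are accepted');
    }
    // The client-supplied $file['name'] is never used: the name is random and
    // the extension comes from the detected type, so ".php" cannot be requested.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file');
    }
    chmod($target, 0644); // readable by the web server, no execute bit
    return $name; // store this in the DB; the directory stays in configuration
}

// A valid header does not rule out extra bytes after the image data, so the
// upload directory must still be one the web server never executes scripts from.
if (isset($_FILES['avatar'])) {
    try {
        $stored = store_profile_image($_FILES['avatar'], '/srv/uploads/profile');
        echo 'Stored as ', htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```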