Users uploading images


9 replies to this topic

#1 Yesideez

Posted 14 August 2006 - 03:55 PM

I'm creating a site where users can upload three pics for their profiles. In the past I've made it so they supply a link to an image stored elsewhere and the site links to it. What I'd like to do instead is have it so they store their images on the server instead.

Should they be uploaded into the database or uploaded into a folder on the server instead?

I have written a script to allow users to upload files in the past but I need to be able to check that the file is in fact a valid image (JPEG or GIF) and not a script. If anyone can post some code on how to do this or even link me to a script that does it I'd be extremely grateful.

I'm also interested to know any security precautions I should take when allowing users to upload to the server as I've heard some stories of hackers getting in and erasing all the images - what CHMOD access should the folders be set to? I'm considering having the users upload into their own folders which my scripts would create when they create their accounts.

Many thanks.
Not a pro just an enthusiast :)

if (empty($coffee)) {$coffee=new coffee();}

Please surround any code using the CODE tags - I rarely look at anything without them

#2 fenway

Posted 14 August 2006 - 04:49 PM

I don't know of any PHP examples, but I would discourage storing the images in the DB unless you have a really good reason.  It's much better to use the FS directly.  As for security, provided the files are in a non-executable directory, you should be fine -- though a serve script solves many problems as well.
Seriously... if people don't start reading this before posting, I'm going to consider not answering at all.

#3 Chetan

Posted 14 August 2006 - 05:27 PM

Since you said three images for profile, you would also have to code much for DB, and so you need normal uploading to do wonders.

BTW, my question, what are the security risks if I upload images to a DB?
I am a PHP Guru, ask me questions if you want to

#4 fenway

Posted 14 August 2006 - 06:50 PM

If they upload images like they're supposed to, then probably none... it's the malicious users you have to worry about, and whether or not the uploads are ever executed, things like that.

#5 Chetan

Posted 15 August 2006 - 05:52 AM

But in case I only use the database to store my pics, not the uploads, is it safe?

#6 fenway

Posted 15 August 2006 - 01:54 PM

Well, the storage is obviously "safe", it's just binary data... you just have to be careful how you use it.

#7 chico1st

Posted 20 August 2006 - 05:20 AM

What is FS?
Also I'm using an fopen command on my images, I'm assuming that is running them? Which is bad
THANKS!

#8 fenway

Posted 20 August 2006 - 05:47 PM

FS - file system.  fopen() is just fine... I mean executing arbitrary uploads.

#9 kenwvs

Posted 20 August 2006 - 09:10 PM

Just read this and have a question on file uploads.  I have a form in which people upload information on engine failures, and I want them to be able to add images as well.  If I understand what you are saying, I should save the images themselves to a file (for example, a folder called images) on the server, and then just have a name of the image on the DB itself.  I would then be able to call up these images when the file with the rest of the data is opened in a form?

Thanks,

Ken

#10 fenway

Posted 21 August 2006 - 05:30 PM

That's exactly correct -- make sure to "clean" the filename, and keep the paths out of the DB.
Seriously... if people don't start reading this before posting, I'm going to consider not answering at all.
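
The checks discussed in this thread (confirm the upload really is a JPEG or GIF, discard the client's filename, store the file in a non-executable directory and keep only the name in the DB), as an added PHP example. It is not code from any poster; the function name `store_image`, the form field `pic`, the 2 MB limit and the demo directory are assumptions.

```php
<?php
// Added example, not code from the thread. Names and limits are assumptions.
const ALLOWED = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];

/**
 * Validate an uploaded file as JPEG/GIF and store it under a generated name.
 * $tmpPath is $_FILES['pic']['tmp_name'] in a real handler ('pic' is hypothetical).
 * $destDir should be outside the web root or have script execution disabled.
 * Returns the stored filename (the value to keep in the DB) or null if rejected.
 */
function store_image(string $tmpPath, string $destDir, int $maxBytes = 2097152): ?string
{
    $size = @filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // Decide the type from the file's own header, never from the client's
    // filename or Content-Type. Index 2 is an IMAGETYPE_* constant.
    $info = @getimagesize($tmpPath);
    if ($info === false || !array_key_exists($info[2], ALLOWED)) {
        return null;
    }
    // "Clean" the filename by discarding it: random name, extension from the
    // detected type, so no path separators or ".php" can reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info[2]];
    $dest = rtrim($destDir, '/') . '/' . $name;
    // Under a web SAPI only genuine HTTP uploads are accepted;
    // the copy() branch exists so the demo below runs from the CLI.
    $ok = is_uploaded_file($tmpPath)
        ? move_uploaded_file($tmpPath, $dest)
        : (PHP_SAPI === 'cli' && copy($tmpPath, $dest));
    if (!$ok) {
        return null;
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Demo with constructed inputs: a 1x1 GIF and a script posing as an image.
$dir = sys_get_temp_dir() . '/upload_demo';
is_dir($dir) || mkdir($dir, 0755);
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php echo 'not an image'; ?>");
var_dump(store_image($gif, $dir), store_image($fake, $dir));
```

`getimagesize()` only parses the image header, so a file that passes can still carry extra bytes after the image data; the non-executable directory is what keeps such content from ever being run.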



