This topic is now archived and is closed to further replies.

Yesideez

Users uploading images

I'm creating a site where users can upload three pics for their profiles. In the past I've made it so they supply a link to an image stored elsewhere and the site links to it. What I'd like to do instead is have it so they store their images on the server instead.

Should they be uploaded into the database or uploaded into a folder on the server instead?

I have written a script to allow users to upload files in the past but I need to be able to check that the file is in fact a valid image (JPEG or GIF) and not a script. If anyone can post some code on how to do this or even link me to a script that does it I'd be extremely grateful.

I'm also interested to know any security precautions I should take when allowing users to upload to the server as I've heard some stories of hackers getting in and erasing all the images - what CHMOD access should the folders be set to? I'm considering having the users upload into their own folders which my scripts would create when they create their accounts.

Many thanks.

I don't know of any PHP examples, but I would discourage storing the images in the DB unless you have a really good reason.  It's much better to use the FS directly.  As for security, provided the files are in a non-executable directory, you should be fine -- though a serve script solves many problems as well.

Since you said three images for profile you would also have to code much for DB and so you need normal uploading to do wonders.

BTW, my question, what are the security risks if I upload images to a DB?

If they upload images like they're supposed to, then probably none... it's the malicious users you have to worry about, and whether or not the uploads are ever executed, things like that.

But in case I only use the database to store my pics, not the uploads, is it safe?

Well, the storage is obviously "safe", it's just binary data... you just have to be careful how you use it.

What is FS?
Also, I'm using an fopen command on my images, I'm assuming that is running them? Which is bad.
THANKS!

FS - file system.  fopen() is just fine... I mean executing arbitrary uploads.

Just read this and have a question on file uploads.  I have a form that people upload information on engine failures in it, and I want them to be able to add images as well.  If I understand what you are saying, I should save the images themselves to a file (example a folder called images) on the server, and then just have a name of the image on the DB itself.  I would then be able to call up these images when the file with the rest of the data is opened in a form?

Thanks,

Ken

That's exactly correct -- make sure to "clean" the filename, and keep the paths out of the DB.
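
The advice in this thread (check that the upload really is a JPEG or GIF, store it on the file system in a non-executable directory, clean the filename, keep only the name in the DB), sketched in PHP as an added example that is not part of any post above. The directory, size limit, function name and form field name are assumptions; it needs PHP 7+ with the fileinfo extension.

```php
<?php
// Added example: paths, limits and names below are assumptions, not from the thread.
const UPLOAD_DIR = '/var/www/uploads';  // assumed: outside the web root, script execution disabled
const MAX_BYTES  = 2 * 1024 * 1024;     // assumed size limit (2 MB)
const ALLOWED    = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];

/**
 * Validate one entry of $_FILES and store it under a server-chosen name.
 * Returns the stored file name (the value to keep in the DB); throws on rejection.
 */
function store_profile_image(array $file, int $userId): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the type from the file's content, never from the client's
    // file name or the browser-supplied $file['type'].
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info[2], ALLOWED)) {
        throw new RuntimeException('not a JPEG or GIF');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['image/jpeg', 'image/gif'], true)) {
        throw new RuntimeException('content type mismatch');
    }

    // A valid image header does not prove the rest of the file is harmless,
    // which is why the name and extension are chosen here and the target
    // directory must never be handed to the PHP interpreter.
    $name = sprintf('%d_%s.%s', $userId, bin2hex(random_bytes(16)), ALLOWED[$info[2]]);
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);  // readable by the web server, never executable
    return $name;        // store only this name in the DB, not the path
}

// Usage (assumed form field name "photo"):
// $name = store_profile_image($_FILES['photo'], $currentUserId);
```

Because the client's original file name is never used, there is nothing left to sanitize in it; the path is rebuilt from `UPLOAD_DIR` plus the stored name whenever the image is read back.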
