Access to Uploads folder

[dreampho]

Hi. I am running a PHP uploader so customers can upload their images. It all works fine but I realised a few days ago that if I type my company name into google images it shows all the hi-res images that are being uploaded to this uploads folder.

 

I have tried restricting access but everything I do works to stop people from being able to download the files, but also stops the uploader from working.

 

Does anyone have any ideas how I can restrict access but allow of the php uploader to still work?

 

Thanks

[PFMaBiSmAd]

Is there anything special about the people you want to allow to download the images that distinguishes them from the people (search engines) that you don't want to see the links to your images, such as being logged in?

[dreampho]

In my website after the user uploads their image, the next stage displays a thumbnail which is generated and saved in that same folder.

When I restrict access the script stops working correctly, and doesn't display the images.

That is the only access that is required. Its just slightly worrying that anyone can download my clients images via google.

 

Thanks

[JKG]

when you go to the directory containing the images, it probably shows a list of all the files in that directory.

in your upload script, just add a line to create file in that dir called index.html

this means you dont have to change any server settings but google wont be able to grab your images (provided they are referenced to in a user area only) through a directory listing...

 

as to the files currently found by google, your only hope is to change file names or locations...

[dreampho]

Hi JKG. I already have an index.html file in this directory. The users do not need to be logged into upload images as its a printing business.

 

I have removed all the current files as soon as they are uploaded but this is not a long term solution.

 

[Morg.]

Basically, you want to restrict access to that folder, but you need a basis for that.

 

As long as it's plain HTTP, with no login, it is accessible to everyone.

 

I think the best solution (especially since you're talking about customers and private information) would be to add authentication / https and set your .htaccess file to restrict to only those allowed.

 

On the other hand, all your scripts should still have access to that directory, which means that you can close the directory to HTTP and even HTTPS and manage the file transfers through a PHP script (both read and write) which will handle all the access authorization.

[dreampho]

I'm sorry I don't really understand.

 

How would I close the directory to HTTP?

 

Thanks

[Morg.]

.htaccess files or httpd.conf , read up documentation from Apache --