doubledee Posted February 12, 2012

If I allow Users to upload their photographs to my website - to be displayed as avatars - then WHERE should I store the images? And what kinds of things do I need to be mindful of from a security standpoint?

Thanks,
Debbie

https://forums.phpfreaks.com/topic/256922-where-to-save-files/
litebearer Posted February 12, 2012

The image in a folder named, surprisingly enough, avatars. And the name in your db.
Drummin Posted February 12, 2012

I like to make a directory inside my "images" folder for each person who registers, using the username. Same for files. Then if a user is removed or a question arises about an image or file, it is easily found. This also helps avoid duplicate names.
doubledee Posted February 12, 2012 (Author)

> I like to make a directory inside my "images" folder for each person who registers, using the username. Same for files. Then if a user is removed or a question arises about an image or file, it is easily found. This also helps avoid duplicate names.

That would be insane if you have 20,000-30,000 Users?!

Um, what I was getting at was this...

From a security standpoint, do I store the Images in the Web Root/Document Root?

And does it hurt if my website files are also stored in the Web Root/Document Root?

My Database Config file will be outside of the Web Root.

Debbie
litebearer Posted February 12, 2012

1. As to file location, fairly certain most sites do NOT place the images above the root.

2. As to the images themselves, I read an article not long ago about 'sanitizing' images by using GD to convert the image to a BMP then back to the original format. Resizing and renaming were also mentioned.

Like legal advice, you may ask 1,000 experts how to do something and you will likely get 1,000 methods. There comes a point where common sense and practicality must take over.
doubledee Posted February 12, 2012 (Author)

> 1. As to file location, fairly certain most sites do NOT place the images above the root.

But does it hurt storing User images in a temp folder located in my Web Root??

> 2. As to the images themselves, I read an article not long ago about 'sanitizing' images by using GD to convert the image to a BMP then back to the original format. Resizing and renaming were also mentioned.

Can you recommend any tutorial or working examples? I have no clue where to begin on this task...

> Like legal advice, you may ask 1,000 experts how to do something and you will likely get 1,000 methods. There comes a point where common sense and practicality must take over.

Well, since I am a newbie, I don't have much to go off of, and I am concerned about screwing this up and jeopardizing my website's security?!

Debbie
litebearer Posted February 12, 2012

1. Will it hurt? No, but it is IMHO overkill.

2. Tutorials...
http://www.reconn.us/file_uploading.html
http://www.tizag.com/phpT/fileupload.php
http://forums.devnetwork.net/viewtopic.php?t=41743

EXPERIMENT EXPERIMENT EXPERIMENT - Edison didn't invent the light by NOT experimenting.
litebearer Posted February 12, 2012

Might also read these...
http://advosys.ca/viewpoints/2009/04/sanitizing-php-file-uploads/
http://www.hardened-php.net/suhosin/
kicken Posted February 12, 2012

> That would be insane if you have 20,000-30,000 Users?!

While one directory per user may be a bit excessive, it can be beneficial to break up the images over multiple directories. I recall reading somewhere that some filesystems do not handle directories with thousands of files very well, and as a rule of thumb it was suggested to try and keep the number of files per directory at 1500 or less. Regardless of how the filesystem may handle it though, it's nice to keep the number per directory down anyway, just in case you need to browse that directory for some reason in the future. One old system I worked on stored all uploads in a single folder which ended up having 20000+ files in it. Occasionally someone would open that folder, either accidentally or intentionally to get a file, and it would take 10+ minutes for it to load all the files.

What I will do if I am expecting a lot of files is prepend the filename with a random number (or a db record ID number if applicable), then save it in sub directories based on these numbers. For example, if I uploaded my avatar.png, the script would change the name to something such as 123avatar.png, and then save it into a location such as /images/avatars/1/123avatar.png. It took the 1 from the file name and used it as a directory name. This way all the files get spread out over several directories.

> From a security standpoint, do I store the Images in the Web Root/Document Root?

There are two main things to consider regarding security for uploaded files:

1) Ensure nobody can upload executable code. You can guard against this in a number of ways. Ensure there is no way for someone to upload a file named *.php (or a similar script extension if available). Make sure your server is not configured to parse other extensions for scripts. Doing that will make it so even if someone uploaded a file with code in it (such as an image with PHP embedded in it) the server will not execute it. With Apache it is also possible to configure the server to not allow PHP at all for any file type within that directory (so even .php files, if someone managed to upload one, would not execute).

2) Ensure only people allowed to see the files can see them. This generally involves storing the files below the web root and making them accessible via a proxy script which first validates user permissions.

In your specific case with avatar images, point #2 doesn't really apply so much. Everyone will need to see them, so you can simply store them inside your web root somewhere, and link to them directly when you use them.

For point #1, you just need to ensure they are an image (getimagesize() can tell you that) and ensure they are stored with the correct extension (.jpeg, .png, or .gif). Reject any non-image extension such as .php.
scootstah Posted February 12, 2012

> With Apache it is also possible to configure the server to not allow PHP at all for any file type within that directory (so even .php files, if someone managed to upload one, would not execute).

Yup, was going to post this. I definitely recommend doing that, for any directory in which untrusted users can upload things.
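The pieces the replies above describe (kicken's getimagesize() check, server-chosen extension and sharded directories; litebearer's GD re-encoding as sanitizing; scootstah's "no PHP execution in the upload directory"), put together in one upload handler. This is an added example, not code from the thread or from any of the linked tutorials. It assumes PHP 8.0+ with the GD and fileinfo extensions, Apache with AllowOverride enabled for the avatar directory (so the .htaccess it writes takes effect), an avatars directory inside the document root, and a form field named "avatar"; the size limits, directory names and function names are illustrative.

```php
<?php
// Added example (not from the thread): accept an avatar upload, verify it
// really is an image, re-encode it through GD so only pixels survive, store
// it under a random name in a sharded directory inside the web root, and
// make sure Apache never executes anything stored there.
// Assumed: PHP 8.0+, GD + fileinfo extensions, Apache with AllowOverride
// covering this directory, a form field named "avatar". Limits/paths are
// illustrative.

const AVATAR_ROOT      = __DIR__ . '/avatars';   // inside the document root, linked to directly
const AVATAR_MAX_BYTES = 512 * 1024;
const AVATAR_MAX_PX    = 1024;

// Only these decoded types are accepted. The stored extension comes from this
// table, never from the client-supplied file name.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// Dropped into the avatar directory: anything stored here is served as static
// bytes, and script-looking names are refused outright. Under mod_php you can
// add "php_flag engine off" as well. The same directives in a <Directory>
// block in httpd.conf are stronger, since no upload can overwrite them.
const HTACCESS = <<<'CONF'
# Never execute anything stored here
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
SetHandler default-handler
Options -ExecCGI -Indexes
CONF;

/**
 * Validate and store one uploaded avatar ($file is one entry of $_FILES).
 * Returns the path relative to AVATAR_ROOT to record in the users table.
 * Throws RuntimeException on any rejection.
 */
function storeAvatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > AVATAR_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // getimagesize() parses the image header: a renamed script or a text file fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('not a supported image type');
    }
    [$width, $height, $type] = $info;
    if ($width > AVATAR_MAX_PX || $height > AVATAR_MAX_PX) {
        throw new RuntimeException('image dimensions too large');
    }
    // Cross-check with libmagic: the two detectors must agree on the type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== image_type_to_mime_type($type)) {
        throw new RuntimeException('mime type mismatch');
    }

    // Decode to a raw bitmap and write a fresh file from it: embedded PHP,
    // EXIF, comments and trailing data do not survive the round trip. This is
    // the GD "sanitizing" step; animated GIFs keep only their first frame.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    if ($type === IMAGETYPE_PNG) {
        imagesavealpha($img, true);   // keep transparency when re-encoding
    }

    // Random server-chosen name; its first two hex characters pick the shard
    // directory so no single directory accumulates thousands of files.
    $name  = bin2hex(random_bytes(16));
    $shard = substr($name, 0, 2);
    $dir   = AVATAR_ROOT . '/' . $shard;
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException('cannot create shard directory');
    }
    ensureNoExecute(AVATAR_ROOT);

    $dest = $dir . '/' . $name . '.' . ALLOWED_TYPES[$type];
    $ok = match ($type) {
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 85),
        IMAGETYPE_PNG  => imagepng($img, $dest, 6),
        IMAGETYPE_GIF  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    chmod($dest, 0644);                              // readable, never executable
    return $shard . '/' . $name . '.' . ALLOWED_TYPES[$type];
}

/** Write the no-execute .htaccess once; refuse to store files if that fails. */
function ensureNoExecute(string $root): void
{
    $path = $root . '/.htaccess';
    if (!file_exists($path) && file_put_contents($path, HTACCESS) === false) {
        throw new RuntimeException('cannot write .htaccess');
    }
}

// Usage from the form handler:
// try { $path = storeAvatar($_FILES['avatar']); /* UPDATE users SET avatar = :path */ }
// catch (RuntimeException $e) { http_response_code(400); echo 'Rejected: ', $e->getMessage(); }
```

Two design points worth noting. The file name is generated by the server, so an attacker can never choose a name like `.htaccess` or `shell.php`, and the extension is looked up from the detected type rather than copied from the upload. The re-encode through GD is what makes the "image with PHP embedded in it" case harmless even before the Apache rule is considered: the bytes written to disk are produced by the encoder, not by the client, and the Apache rule is the second layer for the day that check has a bug.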