Jump to content

Where to save Files?


doubledee

Recommended Posts

I like to make a directory inside my "images" folder for each person who registers using the username.  Same for files.  Then if a user is removed or a question arises about an image or file, it is easily found.  This also helps avoid duplicate names.

 

That would be insane if you have 20,000-30,000 Users?!

 

Um, what I was getting at was this...

 

From a security standpoint, do I store the Images in the Web Root/Document Root?

 

And does it hurt if my website files are also stored in the Web Root/Document Root?

 

My Database Config file will be outside of the Web Root.

 

 

Debbie

 

Link to comment
Share on other sites

1. As to file location, fairly certain most sites do NOT place the images above the root.

 

2. As to the images themselves, I read an article not long ago about 'sanitizing' images by using GD to convert the image to a BMP then back to original format. Resizing and renaming were also mentioned.

 

Like legal advice, you may ask 1,000 experts on how to do something and you will likely get 1,000 methods. There comes a point where commonsense and practicality must take over.

 

Link to comment
Share on other sites

1. As to file location, fairly certain most sites do NOT place the images above the root.

 

But does it hurt storing User images in a temp folder located in my Web Root??

 

 

2. As to the images themselves, I read an article not long ago about 'sanitizing' images by using GD to convert the image to a BMP then back to original format. Resizing and renaming were also mentioned.

 

Can you recommend any tutorial or working examples?

 

I have no clue where to begin on this task...  :-[

 

 

Like legal advice, you may ask 1,000 experts on how to do something and you will likely get 1,000 methods. There comes a point where commonsense and practicality must take over.

 

Well, since I am a newbie, I don't have much to go off of, and I am concerned about screwing this up and jeopardizing my website's security?!

 

 

Debbie

Link to comment
Share on other sites

That would be insane if you have 20,000-30,000 Users?!

 

While one directory per user may be a bit excessive, it can be beneficial to break up the images over multiple directories.  I recall reading somewhere that some filesystems do not handle directories with thousands of files very well, and as a rule of thumb it was suggested to try and keep the number of files per directory 1500 or less.  Regardless of how the filesystem may handle it though, it's nice to keep the number per directory down anyway just incase you need to browse that directory for some reason in the future.  One old system I worked on stored all uploads in a single folder which ended up having 20000+ files in it.  Occasionally someone would open that folder, either accidentally or intentionally to get a file, and it would take 10+ minutes for it to load all the files. 

 

What I will do if I am expecting a lot of files is pre-pend the filename with a random number (or a db record ID number if applicable), then save it in sub directories based on these numbers.  For example, if I uploaded my avatar.png, the script would change the name to something such as 123avatar.png, and then save it into a location such as /images/avatars/1/123avatar.png.  It took the 1 from the file name and used it as a directory name.  This way all the files get spread out over several directories.

 

From a security standpoint, do I store the Images in the Web Root/Document Root?

 

There are two main things to consider regarding security for uploaded files

1) Ensure nobody can upload executable code.

You can guard against this in a number of ways.  Ensure there is no way for someone to upload a file name *.php (or similar script extension if available).  Make sure your server is not configured to parse other extensions for scripts.  Doing that will make it so even if someone uploaded a file with code in it (such as an image with PHP embedded in it) the server will not execute it.  With apache it is also possible to configure the server to not allow PHP at all for any file type within that directory (so even .php files, if someone managed to upload one, would not execute).

 

2) Ensure only people allowed to see the files can see them.

This generally involves storing the files below the web root and making them accessible via a proxy script which first validates user permissions.

 

In you specific case with avatar images, point #2 doesn't really apply so much.  Everyone will need to see them, so you can simple store them inside your web root somewhere, and link to them directly when you use them.  For point #1, you just need to ensure they are an image (getimagesize() can tell you that) and ensure they are stored with the correct extension (.jpeg, .png, or .gif).  Reject any non-image extension such as .php.

 

 

Link to comment
Share on other sites

With apache it is also possible to configure the server to not allow PHP at all for any file type within that directory (so even .php files, if someone managed to upload one, would not execute).

 

Yup, was going to post this. I definitely recommend doing that, for any directory in which untrusted users can upload things.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.