Need advice on a secure way to let users upload a profile picture.


w1zzerd


I am working on a project that lets users register, upload a photo, and have that photo as a profile image which other users can then view.

 

I am not sure how to structure this.

 

Here is how I would imagine the process goes.

 

1-During user registration, use mkdir to create a new directory that uses the user's email address for the name of this new directory.

2-Take users to an upload image page; if users don't upload one, then use a default image.

3-User uploads image.

4-Image gets stored into the directory, and the image name is sent to the MySQL database.

5-Echo image in the user's profile by using a SELECT query.

6-Using an image tag, select the directory name by echoing out the user's email from the db, and echo the image name from the db at the appropriate areas.

 

Step 6 would kinda look like this:

<?php
// Grab user email from db and set it to a variable, do the same for image name
$user_email = $email_from_db;
$user_image = $image_from_db;
?>

<img src="image/<?php echo $user_email; ?>/<?php echo $user_image; ?>" />

Not sure if this is how it's done, or if this is a secure way. Also, I have no idea how I would let users upload an image.

 

Can anyone give me some advice?

Edited by w1zzerd

You should not create files/folders based upon user input. That could lead to problems from malicious input. Here is one possible solution. There's no reason to create folders anyway. Just put all images into one folder and name them according to the user ID or something unique to the user that is not directly input by the user. For example, you could use the hash value of the username.

 

Then, when the user uploads their image save it named per one of the methods above. You don't even need to save the image name/path in the database. You could save a boolean to state whether the user had uploaded an image or not, but you could also determine that without a DB query by checking if an image exists for the user by the naming format.


Thanks, yes, I realize using id rather than email or any info that the user enters to identify them is a bad idea.

 

When the users register I am going to write code to create a directory with their id as the directory name,

then when the user uploads a file, I will check to see if the file has dimensions using getimagesize to make sure it indeed is an image,

if the file checks out I will put the file into the user's directory and change the name of the image to the user's id (33.jpg or 33.gif).

 

Then when calling the image I can do

<img src="images/<?php echo $id; ?>/<?php echo $id; ?>.<?php echo $extension; ?>"/>

How does that sound? 


If you are going to only need the directory for just 1 image I agree with @guru, but in the app I am working on for a dog rescue we store up to 10 pictures, all scanned documents for the dog such as rabies/adoption contracts, so creating a directory for each dog made sense. I used the unique ID of the record, not user input, for the directory name (5 digits).


Even then you don't need separate folders. But, it at least has some reason for doing so. You can just as easily store all the uploads in a single folder with a unique name.


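The approach the thread converges on (one folder, a file name built from the user ID rather than from anything the user typed, a getimagesize check, and no image column in the database) could look like the following. This is an added example, not code posted by anyone in the thread; AVATAR_DIR, MAX_BYTES, the default image path and the function names save_avatar() and avatar_url() are assumptions.

```php
<?php
// Added example. AVATAR_DIR, MAX_BYTES, save_avatar() and avatar_url() are assumed names.
const AVATAR_DIR = __DIR__ . '/images';          // one folder for every user's picture
const MAX_BYTES  = 2 * 1024 * 1024;              // assumed size limit
const ALLOWED    = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

// Validate one $_FILES entry and store it as "<user id>.<ext>"; returns the stored name.
function save_avatar(int $userId, array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Type comes from the file's own header; the client's file name and MIME type are ignored.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info[2], ALLOWED)) {
        throw new RuntimeException('Not a JPEG, PNG or GIF image');
    }
    // Drop an earlier picture that may carry a different extension.
    foreach (ALLOWED as $ext) {
        @unlink(AVATAR_DIR . "/$userId.$ext");
    }
    $name = $userId . '.' . ALLOWED[$info[2]];   // built only from the int ID and a fixed list
    if (!move_uploaded_file($file['tmp_name'], AVATAR_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// No DB column needed: probe for the file by its naming format, else fall back to a default.
function avatar_url(int $userId): string
{
    foreach (ALLOWED as $ext) {
        if (is_file(AVATAR_DIR . "/$userId.$ext")) {
            return "images/$userId.$ext";
        }
    }
    return 'images/default.png';                 // assumed default image
}
```

getimagesize() only reads the file header, so it does not vouch for the rest of the file; storing the upload under a server-chosen image extension, rather than the uploaded name, is what prevents a `.php` upload from landing in the web root under that name.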