images upload safely !?

ajoo · August 4, 2017

Yes Benanamen that's true. Will look it up in a while for sure. I do have an idea where it lies like I mentioned, but i'll find out.

Thanks !!

ajoo · August 7, 2017

Hi !

Rather than just accept that it now works, you would do well for yourself to find out exactly why it didn't work.

there is no problem in the code in #45 except for a small oversight. In this bit of code

<?php 
				if(isset($id) && $id !== 0){
						
					echo "<img src='ups6_view_2.php?id=$id' />";	
					
				}else{

					echo "<img id='image' src='#' alt='load image' />";		// This displays the image.
				}

the file that I am jumping to should have been

ups6_view_3.php?id=$id'

and which is instead

ups6_view_2.php?id=$id'

That was causing the issue. There was an issue with the path names etc. which I guess I resolved in the earlier versions of this code.

So this is the tiny change needed to get this code going.

Thanks !

ajoo · August 7, 2017

Hi !

I have one final question on this. The code works fine but I am unable to move the script for the XSendfile, namely

ups6_view_3.php

to a folder outside the root, say scripts, because then the image goes blank. I change the path to the scripts folder before invoking ups6_view_3.php.

The access log shows:

"GET /vagrant/scripts/ups6_view_3.php?id=102 HTTP/1.1" 404 528 "http://upload_security.com/

So why is this not possible?

Thanks all !

Jacques1 · August 7, 2017

If you move the script outside of the document root, then how is any client supposed to access it? The whole point of the access script is that it's in fact publicly accessible.

ajoo · August 7, 2017

Hi Guru Jacques !

The script in question, ups6_view_3.php, is only being called to display an image, which is a part of a larger form, when the user searches for a record. The id of the user ( whose record is being searched for ) is extracted from the DB and get['id'] is used to pass it to the script to display the image which itself lies outside of the root.

My contention is that there is really no direct user interaction with that script and so if it is possible I would like to keep it outside of the root because I feel that it is the script that is directly loading the image, not the user.

I also feel that if this script is directly user accessible inside the root then maybe it could be manipulated (by passing the ID using get directly ) to directly access the images somehow, which is something I would like to avoid if possible.

Thanks loads !

Edited August 7, 2017 by ajoo

Jacques1 · August 7, 2017

Your form uses the view script as an image source, and image sources have to be public by definition. That's why you're getting a 404 error as soon as you remove the script.

Again: The whole point of the view script is to be public and give access to the images. That's the only reason why it exists. Trying to hide it makes absolutely no sense.

ajoo · August 8, 2017

Sir,

Thanks for the confirmation. If you think it's good where it is (inside root) then it's good enough for me !

Thanks loads !

Edited August 8, 2017 by ajoo

Sign In

images upload safely !?

Recommended Posts

ajoo

Link to comment

Share on other sites

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

Jacques1

ginerjm

Jacques1

ajoo

Link to comment

Share on other sites

ajoo

Link to comment

Share on other sites

Jacques1

Link to comment

Share on other sites

ajoo

Link to comment

Share on other sites

Jacques1

Link to comment

Share on other sites

ajoo

Link to comment

Share on other sites

Join the conversation

Jacques1

ginerjm

Jacques1

Browse

Activity

Important Information