unable to display images in my application on VM

[ajoo]

Hi all and Guru Jacques, 

 

I have just ported my application on the VM server and the application seems to be working fine except that it does not display the images. The parallel application on my localhost on windows works fine. The two are same except for some changes in the path. I have checked that the paths are correct by using small test files that echo their file names telling me exactly which all paths have been successfully traversed by the app.

 

On logging in, there is a graph which is normally displayed if there is corresponding data for the user. No matter how much I try I am unable to get that graph to print. So i simply placed an image in the folder and tried to invoke that instead but that too to no avail. 

The corresponding graph and image on the local host on windows works great. No issues there. 

 

My error.log and access.log on the VM have no errors recorded in them. They were recording errors just fine when there were a few errors while I was adjusting the path. I got the "unable to find so and so file errors which were successfully recorded. The point is that the application is not giving an errors. Not even the file not found ones. So I guess my path is correct. 

 

Here is the structure of the application with some names changed. docroot is the Document Root. aboveroot is a folder outside the root. The code for graph lies in this folder ( aboveroot/images). Since the graph did not display, I added an image here (images) for testing. That did not display either.

 

index.php required invoke.php which invokes graph.php and should display the graph provided the user data exists. 

 

---www 

          |--- docroot

                           |----- index.php

          |--- aboveroot

                             |----images

                                            |-----invoke.php

                                            |----graph.php

                                            |---- abc.jpg

                                            |----test.php

 

I then added a test.php : 

	$file = '21.jpg';
	echo '<img src = 21.jpg>';	
	echo "Found Test";

and called test.php from invoke.php instead of graph.php. While it echoed "Found Test", it did not display the image. 

 

The same code in localhost on windows displays the image with test.php and the graph with graph.php when invoked from

 

 

So I am at a loss and looking for some help. 

Thanks all !

 

 

 

[ajoo]

Errata :

 

The folder images also contains an image called 21.jpg. 

 

The command 

$file = '21.jpg';

 may be ignored since I invoked the image directly in the next line. 

 

Thanks.

Edited February 8, 2017 by ajoo

[ajoo]

Hi !

 

I suspect that this has something to do with my images lying in a folder outside the webroot. So I am going to modify my folder structure and bring the aboveroot folder inside the docroot folder and try this again. 

 

Any suggestions, explanations still welcome. 

 

Thanks.

[ajoo]

Hi !

 

Yes so my hunch was right.

 

It has something to do with the fact that files that are to be viewed by public should be in the public folder. I think Guru Jacques, requinix or mac_gyver had cautioned about this in one of my earlier posts.

 

Any comments or cautions on this still welcome. 

 

Thanks all

Edited February 8, 2017 by ajoo

[Jacques1]

The webserver will not serve files outside of the document root. That's pretty much the whole point of the document root.

 

What you can and should do (at least in production) is serve static files like images, JavaScript, CSS etc. with a separate virtual host under a separate domain. For example, if the main domain is www.yoursite.com, use static.yoursite.com for those files. This has many benefits in terms of security and performance.

[ajoo]

Thanks Guru Jacques for that input.

 

I will keep it in mind and definitely implement that soonest.

[ajoo]

Hi Guru Jacques, 

 

 

 

What you can and should do (at least in production) is serve static files like images, JavaScript, CSS etc. with a separate virtual host under a separate domain.

 

The image files that are being generated in the app are not really static since they are graphs generated using dynamic data. So what would be the best way to handle / serve such images? Would it be best to keep them in a public folder under root then? 

 

Thank you.

[ajoo]

Hi all !

 

I am pulling out this old post since there was no answer to the last thread. I really need to know, what should I do to handle some of my scripts that I feel should lie somewhere safe. Namely the script that generates the graph as mentioned in the last thread. 

 

Thanks all !

[requinix]

The separate static host has benefits for static files, so if you have a dynamic image then that host doesn't offer any particularly significant advantages over the other.

 

So do the image creation in either place. If the "static" host can generate the images then that would be a great place for it, but if not and you need the regular host's code then generate the images (using a PHP script, no doubt) on the regular host.

[ajoo]

Hi requinix !

 

Thanks for the reply !! And what could be a security risk, if any, of keeping them on the regular host and under the document root.  

 

Thanks ! 

[requinix]

It's not so much about added risk but about removing risks. A static host can be configured to not evaluate anything at all - to simply serve files exactly as they are. After all, if PHP scripts won't work then there's no risk of running malicious PHP code.

More practically, having a separate host for assets makes it easier to set up for caching or as/through a CDN, which comes with other related performance benefits.

[ajoo]

Yes I have read that !

 

However my concern is more for security threats that may arise by putting my code under the root than for the other benefits that come with a static host. 

 

Thanks loads !

[requinix]

Code is code. Doesn't matter where it lives.

[Barand]

Store outside the root and include when needed?

[ajoo]

Hi requinix and Guru Barand !

 

Thanks for the reply. 

 

 

 

Store outside the root and include when needed? 

 

If you check the #1 of this thread, I had kept the two files invoke.php and Graph.php outside the root and under aboveroot. Unfortunately the graph fails to display. invoke.php uses the following bit of code to display the graph :-

<?php echo "<img src='/graphs/Graph.php?caption=MyGRAPH&gd1=$data1&gd2=$data2&gd3=$data3' />"; ?>

As you can see there is no way I can use "include" or "require" in this scenario.

 

No jpg file is created or stored anywhere but it directly draws the graph which is actually convenient. However this creates another issue of sessions. I cannot bring this file, Graph.php, under a session because of the manner in which it is used. I tried adding 

session_start();

at the beginning of Graph.php, (which, in any case, I feel is probably wrong usage ) but that does not work since the graph fails to draw then. This means that, infact, Graph.php can be invoked and used by a user directly by passing GET data to it. Even though I don't see what harm that can cause, yet I feel that such access should be prevented if it can be ! 

 

Any comments, clarification and suggestions welcome.

 

Thanks loads to you both !

Edited November 23, 2017 by ajoo

[requinix]

Just put Graph.php on your regular site and be done with it.

[ajoo]

Hi Requinix !

 

 

 

Just put Graph.php on your regular site and be done with it.

 

    , Thanks !