Direct Image link a NO NO!


dennismonsewicz

I would hide the actual image name via database key or code, then send the image to the browser, not link directly to it. That way you can also ensure the user is logged on to have access.

Another alternative: use .htaccess to control what users have access to files in particular places.


Hmmmm, well storing the image in a DB is a no no, cause you don't want to insert binary data into the db. So how would I achieve inserting the key or code into a db?

And I, sadly this is true, do not have .htaccess running cause we have an IIS server :( I KNOW I KNOW it is very sad


When you store an image, you store the image name, and that table should have a unique id primary key. Your table may look like...

Images
id - int, primary_key, autoincrement
image_name - varchar(64)

So given the id of the image, you can get the name. In code, use the id to get the image, then send the image to the browser. By the time the visitor gets to this place, you have already verified that they have permission to view the image.
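
The approach described in the post above, as an added example that is not part of the original thread: the id is validated, looked up with a prepared statement together with the logged-in user, and only then mapped to a file path. The owner_id column, the function names resolve_image and send_image, the session key, and the in-memory SQLite database (needs pdo_sqlite) are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. Assumptions: an `images` table like the
// one described above (id, image_name) plus a hypothetical owner_id column, files
// kept in a directory outside the web root, and a login that sets $_SESSION['user_id'].
function resolve_image(PDO $db, ?int $userId, $rawId, string $storageDir): array
{
    if ($userId === null) {
        return [403, null];                       // not logged in
    }
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, null];                       // id must be a positive integer
    }
    // Prepared statement: id and owner are bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT image_name FROM images WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, $userId]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        return [404, null];                       // unknown id, or not this user's image
    }
    // basename() drops any directory part, so a bad row cannot escape $storageDir.
    $path = $storageDir . DIRECTORY_SEPARATOR . basename($name);
    return is_file($path) ? [200, $path] : [404, null];
}

function send_image(string $path): void
{
    header('Content-Type: ' . mime_content_type($path));
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Constructed demo data: an in-memory SQLite database and a temp directory stand in
// for the real database and storage directory.
$dir = sys_get_temp_dir() . '/img_demo';
@mkdir($dir);
file_put_contents("$dir/cat.png", 'constructed sample bytes');
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, image_name VARCHAR(64), owner_id INT)');
$db->exec("INSERT INTO images (image_name, owner_id) VALUES ('cat.png', 7)");

// A real page would use $_SESSION['user_id'] and $_GET['id'], then send_image() on 200.
foreach ([[7, '1'], [8, '1'], [null, '1'], [7, "1' OR '1'='1"]] as [$userId, $rawId]) {
    [$status, $path] = resolve_image($db, $userId, $rawId, $dir);
    echo var_export($userId, true), ' ', var_export($rawId, true), " -> $status\n";
}
```

The demo loop prints one status per constructed request: the owner's request, another user's request, an anonymous request, and a malformed id.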


What's wrong with storing binary data into the database?

OLE object or a BLOB

I'm doing it. And have no problems

yet. I hope your database doesn't ever crash or get even minimally damaged.

It doesn't make sense from virtually any standpoint. It's a lot more overhead in queries, a lot larger database, and much more trouble than simply storing the file on the server and referencing it. Plus, if your database crashes for any reason, your stored binaries might be toast. If you store the images separately, you avoid all of these pitfalls. What are the advantages?


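Ok

Here is my code:

<?php

// Both values come straight from the query string, so treat them as untrusted.
// Note: the username is not checked against a logged-in session here.
$username = isset($_GET['username']) ? $_GET['username'] : null;
$id       = isset($_GET['id']) ? (int) $_GET['id'] : 0;

if ($username !== null) {
	// sql.php opens the connection (old mysql_* extension, removed in PHP 7).
	require_once "../includes/sql.php";

	// Escape the string and cast the id so neither can alter the SQL.
	$safe_username = mysql_real_escape_string($username);

	$query = "UPDATE uploads SET downloaded_by = '$safe_username' WHERE id = $id";
	mysql_query($query) or die("ERROR: " . mysql_error());

	// Get the file with this id from the database.
	$query = "SELECT name, type, size " .
			 "FROM uploads WHERE id = $id";

	$result = mysql_query($query) or die('Error, query failed');
	$row = mysql_fetch_array($result);
	if (!$row) {
		die('Error, file not found');
	}
	list($name, $type, $size) = $row;

	header("Content-length: $size");
	header("Content-type: $type");
	header("Content-Disposition: attachment; filename=\"$name\"");

	readfile($name);

	exit;
}

?>

Can you send the id to the header verifying the id and username?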
