Hi there,

I am storing images outside the webroot to keep them from being accessible to unauthorized users. Then I use a script to show the images, like this: <img src="show.php">

Now, as there is no information on the images stored in a database yet (they have just been uploaded via FTP), I need to find a way of passing the information as to which image is to be displayed. I am currently trying out this way:

1. I read the filenames for all images in the upload directory into an array.
2. I store that array in a session variable: $_SESSION['images'] = $this->image_array;
3. I call show.php passing an array key: <img src="show.php?id=xy">
4. In show.php I start the session, get the image information from the session array, check if the MIME type is okay and then display the image.

Of course I still need to add user authorization...

Any opinions on how safe this method seems or how it could be made safer/more efficient? Do you think this method could be exploited to compromise the server in any way?

Here is the listing for show.php:

<?php
session_start();

// Only look up the file when an id was supplied and is a key in the session
// list; otherwise the reference below would silently create an empty entry.
if (!isset($_GET['id'], $_SESSION['images'][$_GET['id']])) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
$file = &$_SESSION['images'][$_GET['id']];

if (is_file($file['path'].$file['file'])) {
    // determine mime type and image type; getimagesize() returns false for
    // anything that is not an image
    $tmp = getimagesize($file['path'].$file['file']);
    if ($tmp !== false) {
        $file['mime'] = $tmp['mime'];
        // if file is of a valid type -> output to browser
        if (in_array($file['mime'], $_SESSION['conf']['images']['allowedtypes'])) {
            header("Content-Type: ".$file['mime']);
            header("Content-Disposition: filename=".$file['name']);
            readfile($file['path'].$file['file']);
        }
    }
}
?>

Any comments are appreciated.

jt

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
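For comparison with the script in the post above, here is a hardened version of the same idea as an added example. It is not the poster's code or anything from the PHP project. It keeps the design of the post (an integer id that indexes a list of file names kept in the session, the image served from a directory outside the webroot) and adds the checks a reviewer would ask for: an authorization gate, validation that the id is a non-negative integer that exists in the list, a realpath() containment check so the served path can never leave the image directory, a type decision made by the image parser rather than the extension, and response headers that the browser cannot reinterpret. The directory /var/www/private/uploads, the flat list layout of $_SESSION['images'], the $_SESSION['user_id'] flag and the allowed-type list are my assumptions, not something the post states.

```php
<?php
// Added example, not the original poster's code: a hardened show.php built on
// the session-indexed scheme described in the post. Assumptions (mine, not from
// the post): images live in $imageDir, $_SESSION['images'] is a plain list of
// bare file names filled in when that directory was scanned, and
// $_SESSION['user_id'] is set by the login code the poster still has to add.
declare(strict_types=1);

session_start();

$imageDir     = '/var/www/private/uploads';   // assumed; must be outside the webroot
$allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];   // assumed whitelist

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// 1. Authorization first: nothing below runs for anonymous visitors.
if (empty($_SESSION['user_id'])) {
    deny(403);
}

// 2. The id is an index into the session list, never a path. Accept only a
//    non-negative integer that is actually a key in that list.
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
if ($id === false || !isset($_SESSION['images'][$id])) {
    deny(404);
}

// 3. Rebuild the path from the trusted directory plus the bare file name, then
//    confirm the resolved path is still inside that directory. basename() and
//    the prefix check together stop any '../' or symlink escape.
$name = basename((string) $_SESSION['images'][$id]);
$base = realpath($imageDir);
$path = realpath($imageDir . DIRECTORY_SEPARATOR . $name);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    deny(404);
}

// 4. Let the image parser decide the type. A file that does not parse as an
//    image is refused no matter what its name or extension claims.
$info = @getimagesize($path);
if ($info === false || !in_array($info['mime'], $allowedTypes, true)) {
    deny(415);
}

// 5. Send the bytes with a type the browser must not second-guess and a
//    filename that cannot carry quotes or control characters into the header.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
header('Content-Type: ' . $info['mime']);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

Two points of the design are worth spelling out. Because the URL carries only an index and the file name comes from the server-side session list, the request cannot name an arbitrary path; the realpath() check is belt-and-braces against a list that was populated from an unexpected directory entry. And because every user's session is filled from the same directory scan, the index alone does not distinguish users: the authorization gate at the top is what actually decides who may fetch anything, which is why it should be written before the script goes live rather than added afterwards.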