On Fri, 2008-03-28 at 10:37 -0400, Bastien Koert wrote:
> [snip]
> > Save yourself the database trip and just stick the id AND the hash in
> > the URL and validate upon request.
> >
> > Cheers,
> > Rob.
> [/snip]
>
> The only reason I suggest a database look up is that in my application
> there are further security checks to see if the user is allowed to view
> the image.
>
> Both solutions are totally valid.

Certainly, but without your added qualifier about checking permissions
then querying the database would just be wasted cycles. Although, one
would presume that if the link was presented with the key then the user
is allowed to view it ;)

If you're worried about other users viewing it too then just encode the
user ID into the hash key. You can still validate on retrieval at the
other end without hitting the database. You can even time limit access
to the image via the url by adding a timestamp parameter and encoding
that into the key also.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
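
The scheme described in the message above, as an added example that is not part of the original post: the image id, the user id and an expiry timestamp are bound into one key, and the link is checked on retrieval without a database query. The message only says "hash"; HMAC-SHA256 with a server-side secret is an assumption here, as are the names `SECRET`, `image_mac()`, `sign_image_url()`, `verify_image_url()`, the `/image.php` path and the `id`/`exp`/`key` parameters.

```php
<?php
// Added example (hypothetical names throughout, not code from the thread).
const SECRET = 'replace-with-a-long-random-server-side-key'; // constructed value

function image_mac(int $imageId, int $userId, int $expires): string
{
    // Fixed field order with a delimiter; all fields are integers, so the
    // inputs (12, 3) and (1, 23) can never produce the same signed string.
    return hash_hmac('sha256', "$imageId|$userId|$expires", SECRET);
}

function sign_image_url(int $imageId, int $userId, int $ttl, int $now): string
{
    $expires = $now + $ttl;
    return '/image.php?' . http_build_query([
        'id'  => $imageId,
        'exp' => $expires,
        'key' => image_mac($imageId, $userId, $expires),
    ]);
}

// $userId must come from the server-side session, never from the URL.
function verify_image_url(array $query, int $userId, int $now): bool
{
    $id  = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    $exp = filter_var($query['exp'] ?? null, FILTER_VALIDATE_INT);
    $key = $query['key'] ?? '';
    if ($id === false || $exp === false || !is_string($key)) {
        return false; // missing or malformed parameter
    }
    // Constant-time comparison, so response timing does not leak the key.
    if (!hash_equals(image_mac($id, $userId, $exp), $key)) {
        return false; // tampered id/timestamp, or a different user
    }
    return $now <= $exp; // time limit is enforced by the signed timestamp
}

$now = 1206715020; // constructed timestamp
parse_str(parse_url(sign_image_url(42, 7, 300, $now), PHP_URL_QUERY), $q);

var_dump(verify_image_url($q, 7, $now + 60));  // same user, inside the limit
var_dump(verify_image_url($q, 8, $now + 60));  // link replayed by another user
var_dump(verify_image_url($q, 7, $now + 301)); // same user, after expiry
$q['id'] = '43';
var_dump(verify_image_url($q, 7, $now + 60));  // id changed after signing
```

Because nothing is stored server-side, a link issued this way cannot be revoked before its timestamp expires except by rotating the secret, which invalidates every outstanding link.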