Matthias,
The md5 approach is just added security, which is something I always use in
situations like this. All it really does is mask it, so a user can't see
what the ID is (or that it's a sequential number at all) and therefore view
images they were not intended to see. For example, if the URL for viewing
an image is as follows:
/getimage.php?image=15
A user could guess that there are 14 other images, and could retrieve them
by replacing the 15 with any other number. If you use the md5 approach, the
url becomes this:
/getimage.php?image=9bf31c7ff062936a96d3c8bd1f8f2ff3
This makes it harder for them to guess the image ID, and view images they
are not inteded to see.
Of course, this is not necessary by any means, and only applies when you're
concerned with an image being viewed unintentionally. It's VERY usefull if
you also have a public script which a user can delete an image using a
similar url as above as well. Using the first example, if my page is
/delete_image.php?image=15, a malicious user could delete EVERY image by
just replacing the number.
Sincerely,
A.J. Brown
BitNotion Technologies
aj@xxxxxxxxxxxxx
----- Original Message -----
From: "Matthias Willerich" <matthias@xxxxxxxxxxxxxxxxxx>
To: "A.J. Brown" <aj@xxxxxxxxxxxxx>
Cc: <php-db@xxxxxxxxxxxxx>
Sent: Wednesday, September 28, 2005 2:23 AM
Subject: RE: Upload images with minimun effort from final user
A.J. Brown:
<snip>
A better solution is to rename the image to the unique ID of the news
article it's associated with (assuming there is only one image allowed per
article). This helps eliminate the chances of overwriting an existing
image
without bothering the user with error messages. When I do this, I usually
use the md5sum of the unique ID instead of the actual number. For
example:
$image_name = md5($article_id) . ".jpg";
</snip>
is there a reason for this md5 approach? As you don't add any information,
the news id is probably in the querystring anyway, how does it improve
anything?
I'm in the middle of writing an article about piecing together an
imagebank
prototype, and I've found so far that most people would like to add extra
information, and store the image not connected to news or any listed
articles. Like this, they can be reused, without uploading them again. A
good filename approach is something still to do. Does it really matter, if
the filename is something identifiable? Is it not even nicer if it was
'image_title_'.$id.'.jpg'? more readable than a checksum?
Cheers,
Matthias
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
