Re: Upload images with minimum effort from final user

Matthias,

The md5 approach is just added security, which is something I always use in situations like this. All it really does is mask it, so a user can't see what the ID is (or that it's a sequential number at all) and therefore view images they were not intended to see. For example, if the URL for viewing an image is as follows:

/getimage.php?image=15

A user could guess that there are 14 other images, and could retrieve them by replacing the 15 with any other number. If you use the md5 approach, the URL becomes this:

/getimage.php?image=9bf31c7ff062936a96d3c8bd1f8f2ff3

This makes it harder for them to guess the image ID, and view images they are not intended to see.

Of course, this is not necessary by any means, and only applies when you're concerned with an image being viewed unintentionally. It's VERY useful if you also have a public script with which a user can delete an image using a similar URL to the one above. Using the first example, if my page is /delete_image.php?image=15, a malicious user could delete EVERY image by just replacing the number.

Sincerely,

A.J. Brown
BitNotion Technologies
aj@xxxxxxxxxxxxx

----- Original Message ----- From: "Matthias Willerich" <matthias@xxxxxxxxxxxxxxxxxx>
To: "A.J. Brown" <aj@xxxxxxxxxxxxx>
Cc: <php-db@xxxxxxxxxxxxx>
Sent: Wednesday, September 28, 2005 2:23 AM
Subject: RE: Upload images with minimum effort from final user


A.J. Brown:
<snip>
A better solution is to rename the image to the unique ID of the news
article it's associated with (assuming there is only one image allowed per
article). This helps eliminate the chances of overwriting an existing image
without bothering the user with error messages.  When I do this, I usually
use the md5sum of the unique ID instead of the actual number. For example:

$image_name = md5($article_id) . ".jpg";
</snip>

Is there a reason for this md5 approach? As you don't add any information,
and the news id is probably in the querystring anyway, how does it improve
anything?

I'm in the middle of writing an article about piecing together an imagebank
prototype, and I've found so far that most people would like to add extra
information, and store the image not connected to news or any listed
articles. Like this, they can be reused, without uploading them again. A
good filename approach is something still to do. Does it really matter if
the filename is something identifiable? Is it not even nicer if it was
'image_title_'.$id.'.jpg'? More readable than a checksum?

Cheers,
Matthias
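The following is an added example, not code from either post in this thread. It reproduces the naming from the quoted snippet (md5 of the article id plus ".jpg", so article 15 becomes 9bf31c7ff062936a96d3c8bd1f8f2ff3.jpg as in the reply) and shows what the delete_image.php scenario needs on the server side: the hash from the URL is resolved through a stored column and the image is removed only when it belongs to the logged-in user, so the decision never rests on the URL alone. The `images` table layout, the `owner_id` column, the `$image_dir` location and the use of SQLite through PDO are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the list posts. Assumed schema: one image per
// article, with the md5 name stored next to the owning user's id.

function hashed_image_name(int $article_id): string
{
    // Same naming as the quoted snippet: md5 of the article id plus ".jpg".
    return md5((string) $article_id) . '.jpg';
}

function create_schema(PDO $db): void
{
    $db->exec('CREATE TABLE images (
        article_id INTEGER PRIMARY KEY,
        owner_id   INTEGER NOT NULL,
        image_hash CHAR(32) NOT NULL UNIQUE
    )');
}

function register_upload(PDO $db, int $article_id, int $owner_id): string
{
    // Called after the uploaded file has been moved into $image_dir.
    $hash = md5((string) $article_id);
    $stmt = $db->prepare(
        'INSERT INTO images (article_id, owner_id, image_hash) VALUES (?, ?, ?)'
    );
    $stmt->execute([$article_id, $owner_id, $hash]);
    return $hash;
}

function find_image_by_hash(PDO $db, string $hash): ?array
{
    // Only a 32-character lowercase hex string can be a valid key;
    // anything else is rejected before the database is queried.
    if (!preg_match('/^[a-f0-9]{32}$/', $hash)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT article_id, owner_id FROM images WHERE image_hash = ?'
    );
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The logic behind delete_image.php?image=<hash>: the hash makes the id
// harder to guess, but deletion is still tied to the logged-in user.
function delete_image(PDO $db, string $hash, int $current_user_id, string $image_dir): bool
{
    $row = find_image_by_hash($db, $hash);
    if ($row === null || (int) $row['owner_id'] !== $current_user_id) {
        return false; // unknown hash, or the caller is not the owner
    }
    $article_id = (int) $row['article_id'];
    $path = $image_dir . '/' . hashed_image_name($article_id);
    if (file_exists($path) && !unlink($path)) {
        return false; // file could not be removed; keep the row so it can be retried
    }
    $db->prepare('DELETE FROM images WHERE article_id = ?')->execute([$article_id]);
    return true;
}

// Stand-alone demonstration against an in-memory SQLite database (assumes
// the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_schema($db);

$dir  = sys_get_temp_dir();
$hash = register_upload($db, 15, 7); // article 15 uploaded by user 7
file_put_contents($dir . '/' . hashed_image_name(15), 'constructed placeholder bytes');

echo 'stored as ', hashed_image_name(15), PHP_EOL;
var_dump(delete_image($db, $hash, 8, $dir)); // user 8 is not the owner
var_dump(delete_image($db, $hash, 7, $dir)); // user 7 owns the image
var_dump(delete_image($db, $hash, 7, $dir)); // already removed
```

Run with `php example.php`. The first delete attempt is refused because the hash resolves to an image owned by a different user, the second succeeds, and the third is refused because the row no longer exists. The hash in the URL only changes how the image is named; the ownership comparison is what stops one user from removing another user's images, and it works the same way if the filename scheme is later changed to something more readable.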
--
PHP Database Mailing List (http://www.php.net/)