If it's outside the html root you would need to create a symlink pointing
to the appropriate folder
%> ln -s /path/to/hidden /path/to/public
*however this is very insecure
Then if you're wise you could create a simple image serving script to
prevent direct navigation by checking the referring page request vs. an
array of allowed script names, the folder and filename being requested
etc. Kind of like an intermediary to ensure your (*assumed world
readable and writable) images directory is somewhat unusable except by
your scripts.
If you did it in this manner you could simply call the image as you
would regularly.. <img src=image/image.jpg>
Of course this is all theoretical as I have never done this before but
if you also block your upload script (*an assumption based on the
question) you could limit it using Apache hosts_allow and hosts_deny
directives.
Or you could use your upload script to copy the files to the server,
then once the application publishes the site you could use it to copy
the image files from the writable directory (above the web root) into
the public images directory.
The best method would require the following:
1. a sub domain with limited access using Apache's hosts_allow and
hosts_deny directives
2. a world read/writable folder located outside of the web root
3. script prevention by checking referring scripts as well as perhaps an
internal allowed ip range directive
4. a command line, crontab entry to move image files from the world
read/writable folder into the public/images folder
You should look into Linux folder and file permissions vs. the user and
group that is running as your web server. Just a few suggestions. Keep
in mind that the only real way to keep your stuff secure is to cut the cord.
elk dolk wrote:
On 3 February 2010 16:07, wrote:
I currently have all my images referenced by url in my database and stored
in a folder/s and I think I will keep it that way...
..............................................................
If you put the images OUTSIDE of the webroot/docroot/public_html
folder (whatever you have), then a user cannot directly navigate to
the file.
e.g.
/home/sites/your_site/public_html/images/image1.jpg
http://www.yoursite.com/images/image1.jpg would probably work.
But ...
/home/sites/your_site/public_html/getImage.php
/home/sites/your_site/hidden_images/image1.jpg
Now, there is no way I can load image1.jpg from my browser. I have to
use getImage.php, which I assume would require me to login or
authenticate myself in some way.
----------------------------------------------------------
I have my photos in /public_html/img/gid directory and with this path:
<img src='http://www.mydomain.com/img/{$gid}/{$photoFileName}'> in getImage.php the server displays the photos.
Now if I put my photos outside of the public_html like this:
/hidden_images/img/gid
what would be the correct path to the photos in the getImage.php script?
--
Jas
--
PHP Database Mailing List (http://www.php.net/)
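
Added example, not part of the original thread: a sketch of a getImage.php that answers the path question by reading from the filesystem path of the hidden directory rather than a URL. The base directory follows the layout quoted in the thread; the `gid` and `file` query parameters and the `$_SESSION['user_id']` login marker are assumptions for illustration.

```php
<?php
// getImage.php: added example. Serves a file stored outside the web root.
// Assumed layout (from the thread): /home/sites/your_site/hidden_images/img/<gid>/<file>
// Hypothetical request: getImage.php?gid=12&file=photo1.jpg

session_start();

// Hypothetical login marker set by the application's own login script.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit;
}

$baseDir = '/home/sites/your_site/hidden_images/img';
$allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];

$gid  = isset($_GET['gid'])  ? (string) $_GET['gid']  : '';
$file = isset($_GET['file']) ? (string) $_GET['file'] : '';

// Gallery id must be numeric; file name must be a plain name with an image
// extension, so "../" and absolute paths never reach the filesystem call.
if (!ctype_digit($gid) || !preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/i', $file)) {
    http_response_code(400);
    exit;
}

// Resolve symlinks and confirm the result is still under $baseDir.
$base = realpath($baseDir);
$path = realpath($baseDir . '/' . $gid . '/' . $file);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit;
}

// Check the content, not just the extension, before choosing a Content-Type.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, $allowedTypes, true)) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The page then references the script instead of the file, for example `<img src="getImage.php?gid=12&amp;file=photo1.jpg">`.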