dsl2014 2015-07-08 21:15
浏览 49
已采纳

在服务器上存储私有图像的正确方法?

I have written a PHP script to retrieve images that are NOT under the public_html folder. The script authenticates the user has permission to view the image then displays it. The image permissions are set to "0755"

Is this a secure method to prevent other people from viewing private images? Would hashing the image file name add any security benefit? Are there any other alternative methods that could improve this script?

script of image_retrieval.php

<?php
include '../user_verification.php';
$image_request = $_GET['image_request'];
$pic = file_get_contents("/home/username/images/'.$image_request.'");
header('Content-type: image/jpeg');
echo $pic;
?>

script of display_image.php

    <?php
include '../world/verification.php';
$image_request = $_GET['image_request'];
echo"<img src='http://www.domainname.com/request_image.php?userid=$userid&image_request=$image_request'>";
?>
<form id='image_requester' method='get' action='display_image.php'>
    <input type="text" id="image_request" name="image_request">
    <input type="hidden" value="<?echo"$userid";?>" id="userid" name="userid">
    <input type="submit" value="request">
</form>
  • 写回答

2条回答 默认 最新

  • douba5540 2015-07-08 21:50
    关注

    Since the images are not publicly available it is good enough. The only good thing about hashed names is that they would be more unique and you could store them all under one dir, but if you really wanted that i would recommend using timestamps as that would not clash with other images ever!

    Otherwise storing of the images as hashes will only prove useful if the auth layer is somehow compromised. But if that happens then it isn't long before someone can list everything in there.

    From the code you have posted above it seems that all images are in one place, what i would do is store each users images separately so that even if the auth layer is somehow compromised for a person, only that persons images are at risk rather than everyone's. If needed hash them as you said or store them with such names that don't clash with each other, while storing the reference to that image in the database.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 matlab 用yalmip搭建模型,cplex求解,线性化处理的方法
  • ¥15 关于#目标检测#的问题:大概就是类似后台自动检测某下架商品的库存,在他监测到该商品上架并且可以购买的瞬间点击立即购买下单
  • ¥15 神经网络怎么把隐含层变量融合到损失函数中?
  • ¥30 自适应 LMS 算法实现 FIR 最佳维纳滤波器matlab方案
  • ¥15 lingo18勾选global solver求解使用的算法
  • ¥15 全部备份安卓app数据包括密码,可以复制到另一手机上运行
  • ¥20 测距传感器数据手册i2c
  • ¥15 RPA正常跑,cmd输入cookies跑不出来
  • ¥15 求帮我调试一下freefem代码
  • ¥15 matlab代码解决,怎么运行