dsl2014 2015-07-08 21:15
浏览 49
已采纳

在服务器上存储私有图像的正确方法?

I have written a PHP script to retrieve images that are NOT under the public_html folder. The script authenticates the user has permission to view the image then displays it. The image permissions are set to "0755"

Is this a secure method to prevent other people from viewing private images? Would hashing the image file name add any security benefit? Are there any other alternative methods that could improve this script?

script of image_retrieval.php

<?php
include '../user_verification.php';
$image_request = $_GET['image_request'];
$pic = file_get_contents("/home/username/images/'.$image_request.'");
header('Content-type: image/jpeg');
echo $pic;
?>

script of display_image.php

    <?php
include '../world/verification.php';
$image_request = $_GET['image_request'];
echo"<img src='http://www.domainname.com/request_image.php?userid=$userid&image_request=$image_request'>";
?>
<form id='image_requester' method='get' action='display_image.php'>
    <input type="text" id="image_request" name="image_request">
    <input type="hidden" value="<?echo"$userid";?>" id="userid" name="userid">
    <input type="submit" value="request">
</form>
  • 写回答

2条回答 默认 最新

  • douba5540 2015-07-08 21:50
    关注

    Since the images are not publicly available it is good enough. The only good thing about hashed names is that they would be more unique and you could store them all under one dir, but if you really wanted that i would recommend using timestamps as that would not clash with other images ever!

    Otherwise storing of the images as hashes will only prove useful if the auth layer is somehow compromised. But if that happens then it isn't long before someone can list everything in there.

    From the code you have posted above it seems that all images are in one place, what i would do is store each users images separately so that even if the auth layer is somehow compromised for a person, only that persons images are at risk rather than everyone's. If needed hash them as you said or store them with such names that don't clash with each other, while storing the reference to that image in the database.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥60 版本过低apk如何修改可以兼容新的安卓系统
  • ¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!
  • ¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像,如何解决?