dsl2014 2015-07-08 21:15
浏览 49
已采纳

在服务器上存储私有图像的正确方法?

I have written a PHP script to retrieve images that are NOT under the public_html folder. The script authenticates the user has permission to view the image then displays it. The image permissions are set to "0755"

Is this a secure method to prevent other people from viewing private images? Would hashing the image file name add any security benefit? Are there any other alternative methods that could improve this script?

script of image_retrieval.php

<?php
include '../user_verification.php';
$image_request = $_GET['image_request'];
$pic = file_get_contents("/home/username/images/'.$image_request.'");
header('Content-type: image/jpeg');
echo $pic;
?>

script of display_image.php

    <?php
include '../world/verification.php';
$image_request = $_GET['image_request'];
echo"<img src='http://www.domainname.com/request_image.php?userid=$userid&image_request=$image_request'>";
?>
<form id='image_requester' method='get' action='display_image.php'>
    <input type="text" id="image_request" name="image_request">
    <input type="hidden" value="<?echo"$userid";?>" id="userid" name="userid">
    <input type="submit" value="request">
</form>
  • 写回答

2条回答 默认 最新

  • douba5540 2015-07-08 21:50
    关注

    Since the images are not publicly available it is good enough. The only good thing about hashed names is that they would be more unique and you could store them all under one dir, but if you really wanted that i would recommend using timestamps as that would not clash with other images ever!

    Otherwise storing of the images as hashes will only prove useful if the auth layer is somehow compromised. But if that happens then it isn't long before someone can list everything in there.

    From the code you have posted above it seems that all images are in one place, what i would do is store each users images separately so that even if the auth layer is somehow compromised for a person, only that persons images are at risk rather than everyone's. If needed hash them as you said or store them with such names that don't clash with each other, while storing the reference to that image in the database.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 ansys fluent计算闪退
  • ¥15 有关wireshark抓包的问题
  • ¥15 Ubuntu20.04无法连接GitHub
  • ¥15 需要写计算过程,不要写代码,求解答,数据都在图上
  • ¥15 向数据表用newid方式插入GUID问题
  • ¥15 multisim电路设计
  • ¥20 用keil,写代码解决两个问题,用库函数
  • ¥50 ID中开关量采样信号通道、以及程序流程的设计
  • ¥15 U-Mamba/nnunetv2固定随机数种子
  • ¥30 C++行情软件的tick数据如何高效的合成K线