I develop a php script to replace a current one, that will have a lot of exposure to various markets/countries. This script between others offers an photo upload functionality .
After a lot of reading about the issue, I followed the approach described below. I would deeply appreciate your comments on its security.
img10000.jpg
will be stored at photos/a/f/0/img10000.jpg
while img10001.jpg
will be stored at photos/0/9/3/img10001.jpg
. This is done for other reasons (use of subdomains for static content serve or use of a CDN).The script will run on a linux dedicated server.
To upload files in PHP is easy and secure. I would recommend learning about: pathinfo - Returns information about a file path.
Upload forms on web pages can be dangerous because they allow attackers to upload malicious code to the web server. Attackers can then use tricks to execute this code and access sensitive information or even take control of the server.
apache
(or whatever user your webserver runs at). I'm not sure why you wouldn't use php's default temporary directory here, since it tends to be outside of the web root too./.png/
actually matches apng.php
.Steps 5 to 8 are not security-related.
Step 9: I'm assuming that your site allows everyone to see every photo. If that isn't the case, you should have a URL scheme with substantially longer URLs (say, the hashsum of the image).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With