02-27-2012, 01:22 PM
Hello, I have made a simple website for people to upload images. These images are saved in a folder called "upload/" in the directory. When a person uploads an image, he gets also the link of the image. However I want that when the link of the image to be secured so that the users do not know my folder where the images are being stored.
For example, the current url is like this:
I want it like:
I have used base64_encode, but it is now I have learn it will not work..as it is not an encryption function. Well, I just want my url of the respective image to change that's all, I don't want people to know which folder is storing the images... Thank you
02-27-2012, 01:31 PM
You can't really encrypt a URL. You can use PHP to help obfuscate it by creating something like this:
You can then set the proper headers and echo the contents of the image file (from the proper folder) to the browser.
My real question is whether or not this is actually useful. "Security through obscurity" isn't security at all. Does it matter if users know the location of your upload directory? Use Apache to turn off directory browsing. If the files themselves need security then you'll have to do a little more work than modifying the URL.
02-27-2012, 01:40 PM
Best thing to do is to store the file outside the working web directory and then use a combination of PHP and htaccess to retrieve the said file and display it to the user.
As mentioned though the best security is sanitisation, obscurity should never be relied upon, and only used to make it more difficult to feel out the system.
02-27-2012, 01:41 PM
Well I think I have used a strong word lol, "Encrypt". I meant I only want the URL to be like this as on most sites where you upload to download are like this. They don't show the folder directory...etc...
02-27-2012, 01:45 PM
look at sha1(), it's a hashing algorithm rather than encryption. It's 'one way' encryption but that shouldn't matter unless you rely on the original file name.
02-27-2012, 01:48 PM
I know this, and I dont know if MD5 will do the job even it is also an encryption. Because the user will use the link to copy on their website, so the image should appear...
02-27-2012, 02:29 PM
go on this link, the image hosting is online..on a free hosting..just register and see it..
02-27-2012, 02:36 PM
Any type of technique to create a random value is sufficient. I'd suggest either choosing a hashing algorithm such as sha1 or variant version, or using uuid generation. So long as its unique or low value of collision, then it will work fine.
Then you simply store that key to a path in your database or a file. You serve it up as image.php?id=thatid. To remove that part, you'd use rewrite to convert just the /sha1|uuidtype into that of image.php?id=sha1|uuidtype. That will give you the effect you are looking for.
02-27-2012, 03:04 PM
By the way, I want your opinion, even if I don't do it, is it a security problem? Normally, I have not granted the folder to be accessed as Public, and the users cant go to the folder.. I have made a function also that if an image which has the same name to be refused, so the user will have to change the image name..
02-27-2012, 04:06 PM
Since you'll need to use a database or some method of tracking the image hash to the path, you can also assign "ownership" to someone and base your security around your authentication. I don't see a purpose of this if that is the case though; my assumption was that the file is to be available to anyone with the name. As for naming, it will be irrelevant since you can change the name to anything you want.
Security wise, make sure any uploaded file is not in a published directory; move it above your web root.
02-27-2012, 04:31 PM
I think I will leave it like this... I mean I will not put any type of hiding features for the link.