...

View Full Version : Making a secure image-folder



Raraken
06-05-2005, 07:10 AM
I'm developing a system that will store alot of images in a single folder. I need the folder to be secure, so users may not view the images in the folder. I cannot use somthing like .htaccess files, as they are not compatible with every server (this will be distributed, so it needs to be universal)

My idea is this: The images in the folder are going to receive random names like "023712ygH.jpg" or "nch9823dg.jpg". So people can't look in the folder, there will be a blank index.htm file inside. I just want to know: Is this a very secure method? And is there any way people can still look inside the folder/find the file names? Is there any image re-direct methods that work on every server?

firepages
06-05-2005, 05:01 PM
is there any way people can still look inside the folder/find the file names?
no

Is this a very secure method
no ;)

you can't really do universal solutions for this , though you could put the images above the web-root and then use a script to read and display the images , being above the web-root the images will not be viewable directly but your scripts can easily get at them ... for PHP a simple <?readfile('/home/user/protected/imgname.jpg');?> would do the job, I assume such an approach works for ASP/IIS etc

Raraken
06-06-2005, 02:36 AM
no

no ;)

you can't really do universal solutions for this , though you could put the images above the web-root and then use a script to read and display the images , being above the web-root the images will not be viewable directly but your scripts can easily get at them ... for PHP a simple <?readfile('/home/user/protected/imgname.jpg');?> would do the job, I assume such an approach works for ASP/IIS etc

Because of the way this is being distributed, running things above the root is not really an option.

Basically, I'm using php/mysql to run this. Images, when uploaded through the system, are given 9 digit random names like 8fn4ys7fj.jpg and such. (Then the image names are stored in the database, and then allowed to be viewed after a certain date)

The idea is that people cannot guess the name of the files within the folder - thus not being able to view the images. The only way they could put in the url is by already knowing the name (but by then, that means the image was already released), or by a really lucky guess (odds of 1 in 3656158440062976).

I just need to make sure that the names of the images arent spread around before their time. So assuming this isnt the pentagon, would this work?

scroots
06-06-2005, 08:53 PM
surely reducing the time frame between upload and release would help you. That way if people guessed correctly at the filename they would only have it a few mins before everyone else.

If you set the other servers to copy of the updated one the time frame would be about 10mins or less from upload to be copied to the other servers.

If the data requires such high security, where talking the data was top notch and worth millions before release, you would just put it online when you wanted to release it.

its just my 0.02

scroots



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum