CodeIgniter Forums
Have user id as part of file name - Printable Version




Have user id as part of file name - wolfgang1983 - 02-11-2017

Hello,

I am thinking about doing something similar to MyBB's file attachments on the forum that I am creating as a CodeIgniter project.

I notice that when MyBB uploads a file, it adds the user id plus a hash:

post_1_1486872235_add64c460cbbc24fb1c9e333418ee1d4.attach

Is it safe to add user ids as part of an image filename?


RE: Have user id as part of file name - ignitedcms - 02-12-2017

I'm not sure how you're doing it but I would use the hash as a lookup table to get the userid from the database. I think this would be safer and more robust.


RE: Have user id as part of file name - InsiteFX - 02-12-2017

You should never use a user's ID out in the open like that; you're supposed to protect your users' IDs.


RE: Have user id as part of file name - PaulD - 02-12-2017

I would set a code for the user, a code for the filename, and a code for the post.

Code:
www.site.co.uk/post/view/dlfhgldhfglsdfgwe
www.site.co.uk/user/view/kfdhgjkhdfkghkd
www.site.co.uk/file/view/dsfgkjhdsfgkhs

The file name would be named as a code too:

Code:
sdgdsggfsdfgdg.jpg

And with a secure code for all these, linked in tables, you would look up the file code to get the file name, etc. No need for post_1 or post_2 etc.

I would not use a database id in any URL, file or JS code structure. Database IDs are for database and internal code use, not public use or display.

In fact, I no longer really use codes. I set pretty URLs for all of these things in whatever way is appropriate, such as creating it from a name, or specifically asking for user input, or merging a category name with a post name etc. Whatever is right for the situation.
Code:
So definitely not this:
www.mysite.co.uk/product/view/147

I used to do this:
www.mysite.co.uk/product/view/sdfghdksfjghklsdhfg

Now I would do this:
www.mysite.co.uk/product/view/baltic-style-brick-and-mortar-paint
Same would apply for your filenames too.
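
The lookup-table approach suggested in the replies above, as an added example that is not part of the original thread: the public file code is random and the user id stays in the database. The table layout, function names and the in-memory SQLite database are assumptions made for illustration; the `/file/view/` URL shape and the `.attach` suffix are taken from the posts.

```php
<?php
// Added example: random public file code + lookup table (names are hypothetical).
$db = new PDO('sqlite::memory:');            // in-memory DB so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE attachments (
    code          TEXT PRIMARY KEY,   -- public, random, carries no meaning
    user_id       INTEGER NOT NULL,   -- internal only, never sent to the client
    post_id       INTEGER NOT NULL,
    original_name TEXT NOT NULL       -- shown to the user, never used as a path
)');

// Record an upload and return the public code; the file is stored as "<code>.attach".
function register_attachment(PDO $db, int $userId, int $postId, string $originalName): string
{
    $code = bin2hex(random_bytes(16));       // 128 bits from the CSPRNG, 32 hex chars
    $stmt = $db->prepare(
        'INSERT INTO attachments (code, user_id, post_id, original_name) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$code, $userId, $postId, basename($originalName)]);
    return $code;
}

// Resolve a public code to its row, or null if it is malformed or unknown.
function find_attachment(PDO $db, string $code): ?array
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $code)) {
        return null;                          // reject before it reaches the DB or a path
    }
    $stmt = $db->prepare('SELECT * FROM attachments WHERE code = ?');
    $stmt->execute([$code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: user 1 attaches a file to post 42.
$code = register_attachment($db, 1, 42, 'holiday photo.jpg');
$row  = find_attachment($db, $code);

echo "public URL : /file/view/{$code}\n";
echo "stored as  : {$code}.attach\n";
echo "owner      : user {$row['user_id']} (looked up server-side)\n";
echo "bad code   : " . (find_attachment($db, '../post_1') === null ? 'rejected' : 'found') . "\n";
```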


RE: Have user id as part of file name - wolfgang1983 - 02-12-2017

(02-12-2017, 10:12 AM)InsiteFX Wrote: You should never use a user's ID out in the open like that; you're supposed to protect your users' IDs.

Thanks for the tip. That's the way MyBB does it; maybe they need to change it.

If I hash user_id, would that be OK or still not recommended?


RE: Have user id as part of file name - ignitedcms - 02-12-2017

If you hash the user_id, seeing as hashing is one-way only (i.e. you'll never be able to decrypt it to get the user_id), what's the point? OK, I guess you could encrypt, but why not just do as I suggested and use the hash as a lookup table to get the user id?

Much simpler, don't you think?


RE: Have user id as part of file name - ignitedcms - 02-12-2017

BTW, sorry, I just read you're using MyBB, so I'm guessing you're reading too much into security; if it was a security hole they probably would have patched it. It might be a non-issue here.