Have user id as part of file name

#1
Hello,

I am thinking about doing something similar to MyBB's attach file on the forum that I am creating as a CodeIgniter project.

I notice that when MyBB uploads a file it adds the user id plus a hash:

post_1_1486872235_add64c460cbbc24fb1c9e333418ee1d4.attach

Is it safe to add user ids as part of the image filename?
There's only one rule - please don't tell anyone to go and read the manual.  Sometimes the manual just SUCKS!

#2
I'm not sure how you're doing it but I would use the hash as a lookup table to get the userid from the database. I think this would be safer and more robust.
IgnitedCMS Pro
IgnitedCMS
Practical guide to IgnitedCMS - Book coming soon

#3
You should never use a user's ID out in the open like that; you're supposed to protect your users' IDs.
What did you Try? What did you Get? What did you Expect?

Joined the CodeIgniter Community in 2009.          ( Skype: insitfx )

#4
I would set a code for the user, a code for the filename, and a code for the post.

Code:
www.site.co.uk/post/view/dlfhgldhfglsdfgwe
www.site.co.uk/user/view/kfdhgjkhdfkghkd
www.site.co.uk/file/view/dsfgkjhdsfgkhs

The file name would be named as a code too:

Code:
sdgdsggfsdfgdg.jpg

And with a secure code for all these, linked in tables, you would look up the file code to get the file name, etc. No need for post_1 or post_2 etc.

I would not use a database ID in any URL, file or JS code structure. Database IDs are for database and internal code use, not public use or display.

In fact, I no longer really use codes. I set pretty URLs for all of these things in whatever way is appropriate, such as creating it from a name, or specifically asking for user input, or merging a category name with a post name, etc. Whatever is right for the situation.
Code:
So definitely not this:
www.mysite.co.uk/product/view/147

I used to do this:
www.mysite.co.uk/product/view/sdfghdksfjghklsdhfg

Now I would do this:
www.mysite.co.uk/product/view/baltic-style-brick-and-mortar-paint

Same would apply for your filenames too.

#5
(02-12-2017, 11:12 AM)InsiteFX Wrote: You should never use a user's ID out in the open like that; you're supposed to protect your users' IDs.

Thanks for the tip. That's the way MyBB does it; maybe they need to change it.

If I hash the user_id, would that be OK or still not recommended?

#6
If you hash the user_id (seeing as hashing is one way only, i.e. you'll never be able to decrypt it to get the user_id), what's the point? OK, I guess you could encrypt, but why not just do as I suggested and use the hash as a lookup table to get the user id?

Much simpler, don't you think?
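The lookup-table approach suggested in posts #2, #4 and #6, as an added example that is not part of the thread and is not MyBB or CodeIgniter code: the stored filename is a random token, and the user id lives only in the database row it points to. The `attachments` table, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: opaque attachment names resolved through a lookup table.
// Table, column and function names are hypothetical.

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE attachments (
        token TEXT PRIMARY KEY,      -- public identifier, random
        user_id INTEGER NOT NULL,    -- internal only, never sent to the client
        original_name TEXT NOT NULL  -- shown on download, never used as a path
    )');
    return $db;
}

function store_attachment(PDO $db, int $userId, string $originalName): string
{
    // 128 bits from the CSPRNG; nothing about the user or post is encoded in it.
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare(
        'INSERT INTO attachments (token, user_id, original_name) VALUES (?, ?, ?)'
    );
    $stmt->execute([$token, $userId, basename($originalName)]);
    return $token; // on disk the upload would be saved as "$token.attach"
}

function find_attachment(PDO $db, string $token): ?array
{
    // Accept only 32 lowercase hex characters, so a request value can never
    // carry path separators into a filesystem path built from the token.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT user_id, original_name FROM attachments WHERE token = ?'
    );
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$db = open_store();
$token = store_attachment($db, 1, 'holiday photo.jpg');
echo "stored as: {$token}.attach\n";
var_dump(find_attachment($db, $token));              // known token
var_dump(find_attachment($db, '../other.attach'));   // malformed token
var_dump(find_attachment($db, str_repeat('0', 32))); // well-formed, unknown
```

The owner check for a download then happens server-side against `user_id` from the row, so the id never needs to appear in a URL or filename.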

#7
BTW, sorry, I just read you're using MyBB, so I'm guessing you're reading too much into security; if it was a security hole they probably would have patched it. It might be a non-issue here.