Where to store user content (e.g. pics) so that it's more secure? Under app/ OR under public/?
[eluser]zrowcrypt[/eluser]
I am in the process of creating a directory structure to store user's data. As of now pics and then later maybe files. Is it right to create a structure like this?

home/ app/ sys/ public/ js/ css/ img/ user/ albums/ user1/ user2/

1. I don't want the files to be accessed directly via a url by unauthenticated/logged in users.
2. Also, these pictures are supposed to have restrictions on who out of a group can view them.
3. I don't want search engines to crawl and store the pics and show them up when googled.

Any suggestions/pointers? Thanks.
[eluser]Dennis Rasmussen[/eluser]
Use .htaccess to deny direct access to your folders/files. And then maybe create a class or library to retrieve the files for you when needed.
[eluser]Twisted1919[/eluser]
For the OP, under your doc root, create a pub/public folder and store them there, I see no problem whatsoever. http://domain.com/pub/images/blah.png
[eluser]Dennis Rasmussen[/eluser]
[quote author="Twisted1919" date="1286907081"][quote author="Dennis Rasmussen" date="1286906570"]Use .htaccess to deny direct access to your folders/files. And then maybe create a class or library to retrieve the files for you when needed.[/quote] Oh come on ... For the OP, under your doc root, create a pub/public folder and store them there, I see no problem whatsoever. http://domain.com/pub/images/blah.png[/quote]
"Oh come on ..." what? How does your solution make the files secure against hotlinking?
[eluser]zrowcrypt[/eluser]
Will .htaccess be able to stop members from accessing (members') images from the public folder directly... I mean, for example, if they type a valid URL of an image in the browser directly (http://site.com/pub/images/member2/profile.jpg), can .htaccess deny those? Thanks.
[eluser]WanWizard[/eluser]
Blocking hot linking via .htaccess depends on the referrer link in the request. Which can easily be forged, unless you only accept requests from a specific referrer, with some kind of session key that you can verify, but then it's beyond the capabilities of mod_rewrite.
[eluser]Twisted1919[/eluser]
[quote author="Dennis Rasmussen" date="1286911009"][quote author="Twisted1919" date="1286907081"][quote author="Dennis Rasmussen" date="1286906570"]Use .htaccess to deny direct access to your folders/files. And then maybe create a class or library to retrieve the files for you when needed.[/quote] Oh come on ... For the OP, under your doc root, create a pub/public folder and store them there, I see no problem whatsoever. http://domain.com/pub/images/blah.png[/quote] "Oh come on ..." what? How does your solution make the files secure against hotlinking?[/quote]
Didn't read the post correctly the first time, that's why I edited my reply.
[eluser]n0xie[/eluser]
[quote author="zrowcrypt" date="1286882116"] 1. I don't want the files to be accessed directly via a url by unauthenticated/logged in users. 2. Also, these pictures are supposed to have restrictions on who out of a group can view them. 3. I don't want search engines to crawl and store the pics and show them up when googled. Any suggestions/pointers? Thanks.[/quote]
Use a controller to serve the images. Let the controller check if the user is authenticated/allowed to see the image. If it is, load the image.
[eluser]Dennis Rasmussen[/eluser]
[quote author="WanWizard" date="1286979993"]Blocking hot linking via .htaccess depends on the referrer link in the request. Which can easily be forged, unless you only accept requests from a specific referrer, with some kind of session key that you can verify, but then it's beyond the capabilities of mod_rewrite.[/quote]
I used the wrong word when I wrote hotlinking. I actually meant direct access instead of hotlinking. .htaccess can be used to deny access to a folder, and then for this particular topic the OP could use a controller, library or any other form of code to reach and print the files/images.
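
The approach suggested in the replies above (block direct access to the folder, then serve each image through a controller that checks who is asking), sketched as an added example that is not code from any poster in this thread. It assumes CodeIgniter 2.x or later with the session library; the `Media` controller, the `STORE` path, the `user_id` session key and the `album_model->can_view()` permission lookup are all hypothetical names.

```php
<?php
// Added example. Assumes the albums live OUTSIDE the web root, or in a folder
// whose .htaccess denies every direct request, so this is the only way in.
class Media extends CI_Controller
{
    const STORE = '/home/user_albums'; // assumed storage path, never served directly

    // Routed as /media/show/<owner_id>/<filename>
    public function show($owner_id = '', $filename = '')
    {
        $this->load->library('session');
        $this->load->model('album_model'); // hypothetical model

        // 1. Only logged-in users get any further.
        $viewer_id = $this->session->userdata('user_id'); // assumed session key
        if (empty($viewer_id)) {
            show_error('Login required', 403);
        }
        // 2. Strict input validation: numeric owner, plain image filename.
        if (!ctype_digit((string) $owner_id)
            || !preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/i', $filename)) {
            show_404();
        }
        // 3. Group restriction. Answer 404 rather than 403 so that a denied
        //    request looks the same as a missing file.
        if (!$this->album_model->can_view($viewer_id, $owner_id)) {
            show_404();
        }
        // 4. Resolve the path and confirm it is still inside the store.
        $base = realpath(self::STORE);
        $path = realpath($base . '/' . $owner_id . '/' . $filename);
        if ($base === false || $path === false || !is_file($path)
            || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
            show_404();
        }
        // 5. Take the MIME type from the file itself, not from its extension.
        $info = getimagesize($path);
        if ($info === false) {
            show_404();
        }
        header('Content-Type: ' . $info['mime']);
        header('X-Content-Type-Options: nosniff');
        header('X-Robots-Tag: noindex, noimageindex'); // keep out of search results
        header('Cache-Control: private, no-store');    // keep out of shared caches
        readfile($path);
        exit;
    }
}
```

Because every request passes through the session and permission checks, typing a valid image URL into the browser no longer works for a member who is not allowed to see that album, and nothing depends on the forgeable Referer header.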