Where to store user content (for eg. pics) so that its more secure? Under app/ OR under public/?
#1

[eluser]zrowcrypt[/eluser]
I am in the process of creating a directory structure to store users' data. As of now pics, and maybe files later. Is it right to create a structure like this?

home/
    app/
    sys/
    public/
        js/
        css/
        img/
        user/
            albums/
                user1/
                user2/


1. I don't want the files to be accessed directly via a URL by unauthenticated/logged-in users.
2. Also, these pictures are supposed to have restrictions as to who out of a group can view them.
3. I don't want search engines to crawl and store the pics and show them up when googled.

Any suggestions/pointers?

Thanks.
#2

[eluser]Dennis Rasmussen[/eluser]
Use .htaccess to deny direct access to your folders/files.
And then maybe create a class or library to retrieve the files for you when needed.
#3

[eluser]Twisted1919[/eluser]
For the OP, under your doc root, create a pub/public folder and store them there, I see no problem whatsoever.
http://domain.com/pub/images/blah.png
#4

[eluser]Dennis Rasmussen[/eluser]
[quote author="Twisted1919" date="1286907081"][quote author="Dennis Rasmussen" date="1286906570"]Use .htaccess to deny direct access to your folders/files.
And then maybe create a class or library to retrieve the files for you when needed.[/quote]
Oh come on ...

For the OP, under your doc root, create a pub/public folder and store them there, I see no problem whatsoever.
http://domain.com/pub/images/blah.png[/quote]

"Oh come on ..." what?
How does your solution make the files secure against hotlinking?
#5

[eluser]zrowcrypt[/eluser]
Will .htaccess be able to stop members from accessing (members') images from the public folder directly... I mean, e.g., if they type a valid URL of an image in the browser directly (http://site.com/pub/images/member2/profile.jpg), can .htaccess deny those?

Thanks.
#6

[eluser]WanWizard[/eluser]
Blocking hot linking via .htaccess depends on the referrer link in the request.

Which can easily be forged, unless you only accept requests from a specific referrer, with some kind of session key that you can verify, but then it's beyond the capabilities of mod_rewrite.
#7

[eluser]Twisted1919[/eluser]
[quote author="Dennis Rasmussen" date="1286911009"][quote author="Twisted1919" date="1286907081"][quote author="Dennis Rasmussen" date="1286906570"]Use .htaccess to deny direct access to your folders/files.
And then maybe create a class or library to retrieve the files for you when needed.[/quote]
Oh come on ...

For the OP, under your doc root, create a pub/public folder and store them there, I see no problem whatsoever.
http://domain.com/pub/images/blah.png[/quote]

"Oh come on ..." what?
How does your solution make the files secure against hotlinking?[/quote]
Didn't read the post correctly the first time, that's why I edited my reply ;)
#8

[eluser]n0xie[/eluser]
[quote author="zrowcrypt" date="1286882116"]
1. I don't want the files to be accessed directly via a URL by unauthenticated/logged-in users.
2. Also, these pictures are supposed to have restrictions as to who out of a group can view them.
3. I don't want search engines to crawl and store the pics and show them up when googled.

Any suggestions/pointers?

Thanks.[/quote]
Use a controller to serve the images. Let the controller check if the user is authenticated/allowed to see the image. If it is, load the image.
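The controller approach n0xie describes (and the "deny the folder, serve through code" idea from #2), as an added example that is not part of this thread and not CodeIgniter's own code. It is written for a CodeIgniter 2.x-style controller and assumes a hypothetical session library that stores a 'user_id', a hypothetical Album_model with a can_view($user_id, $album) method that answers the group-permission question, and a storage directory at APPPATH/../storage/albums, i.e. outside public/, so that no URL maps to the files at all and nothing depends on the Referer header:

```php
<?php
// Added example (not from the thread): serve album images through a controller
// from a directory OUTSIDE the web root. URL shape: /media/image/<album>/<file>
// Assumed (hypothetical): session library with 'user_id', Album_model::can_view().
class Media extends CI_Controller
{
    private $storage_root;
    private $allowed_mime = array('image/jpeg', 'image/png', 'image/gif');

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->model('album_model');                      // hypothetical model
        $this->storage_root = realpath(APPPATH . '../storage/albums');
    }

    public function image($album = '', $file = '')
    {
        // 1. Authentication: anonymous visitors (and crawlers) stop here.
        $user_id = $this->session->userdata('user_id');
        if ( ! $user_id) {
            show_error('Login required', 403);
            return;
        }

        // 2. Authorisation: the per-album group rule lives in the model.
        if ( ! $this->album_model->can_view($user_id, $album)) {
            show_error('Not allowed', 403);
            return;
        }

        // 3. Path hygiene: plain names only (no '/', no '..', no leading dot),
        //    and the resolved path must still sit under storage_root.
        $safe = '/^[A-Za-z0-9][A-Za-z0-9_.-]*$/';
        if ( ! preg_match($safe, $album) || ! preg_match($safe, $file)) {
            show_404();
            return;
        }
        $path = realpath($this->storage_root . '/' . $album . '/' . $file);
        if ($path === FALSE
            || strpos($path, $this->storage_root . DIRECTORY_SEPARATOR) !== 0
            || ! is_file($path)) {
            show_404();
            return;
        }

        // 4. Only ship real images, typed from content rather than extension.
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        $mime  = finfo_file($finfo, $path);
        finfo_close($finfo);
        if ( ! in_array($mime, $this->allowed_mime, TRUE)) {
            show_404();
            return;
        }

        // 5. Private caching plus an explicit no-index hint, so a link that is
        //    shared around still does not end up in a search index.
        header('Content-Type: ' . $mime);
        header('Content-Length: ' . filesize($path));
        header('Cache-Control: private, no-store');
        header('X-Robots-Tag: noindex, nofollow');
        header('X-Content-Type-Options: nosniff');
        readfile($path);
    }
}
```

Templates then reference images as /media/image/user1/profile.jpg instead of a file path. If the files must stay under public/ for some reason, the same controller works unchanged; in that case the folder additionally needs the web-server denial Dennis mentions (a .htaccess containing Deny from all on Apache 2.2), because a file that the server can reach by URL is served without ever passing through the authentication check above.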
#9

[eluser]Dennis Rasmussen[/eluser]
[quote author="WanWizard" date="1286979993"]Blocking hot linking via .htaccess depends on the referrer link in the request.

Which can easily be forged, unless you only accept requests from a specific referrer, with some kind of session key that you can verify, but then it's beyond the capabilities of mod_rewrite.[/quote]

I used the wrong word when I wrote hotlinking.
I actually meant direct access instead of hotlinking.

.htaccess can be used to deny access to a folder, and then for this particular topic the OP could use a controller, library or any other form of code to reach and print the files/images.