user961627

Reputation: 12747

Ensuring security of files in folder on public_html

I have a directory structure of images in my public_html, like this:

public_html/
   design_images/
       product_11/
           112342_234/ ... a bunch of images stored here for this product
           112343_910/ ... images for this product
           more image folders/...
           ...

Within the public_html folder I have php files that do image processing and PDF conversion in the product folders. I'm just worried that somehow someone might inject some script somewhere and delete one of the product folders. I kept all these directories on public_html because very often throughout the website I need to dynamically display images from the product folders.

How can I secure against this? I'm using Apache on a virtual server, and I have access to root in my hosting package.

I also have JavaScript files in public_html/js; is it possible for any scoundrel to come and edit them somehow?

Upvotes: 0

Views: 1255

Answers (1)

nvanesch

Reputation: 2600

Move it out of the private html folder and make a script like this (in pseudo):

loadimage.php

<?php
// Images live outside the web root; only the file name part of the request is used.
$imageDir = '/var/www/private_images';              // assumed location, outside public_html
$imageName = basename($_GET['image'] ?? '');        // strips any directory components
$file = realpath($imageDir . '/' . $imageName);

// Refuse anything that resolves outside the image directory or is not a regular file
if ($file === false || strpos($file, $imageDir . '/') !== 0 || !is_file($file)) {
    http_response_code(404);
    exit;
}

$sizeAndType = getimagesize($file);
if ($sizeAndType === false) { http_response_code(415); exit; }   // not an image
header('Content-Type: ' . $sizeAndType['mime']);
header('Content-Length: ' . filesize($file));
readfile($file);

and call it with www.example.com/loadimage.php?image=product_1234_something.jpg (or however you choose to build the name).

Then it would be even better to write an .htaccess with mod_rewrite to sanitize the URL so you can just use your old, or an even better, URL buildup.

However, this does not protect you from everything. You still need to make sure the rest of the server does not have serious holes like 777 public folders and more like that.

Upvotes: 1
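As an added example (not the answer's code), here is the same serve-through-a-script idea carried out for the question's product/variant/image tree and wired to the mod_rewrite step the answer mentions, so the old /design_images/... URLs keep working while the files themselves sit outside public_html. It assumes the images were moved to /var/www/private/design_images and that the RewriteRule quoted in the comment is present in public_html/.htaccess; both are assumptions, not something from the page.

```php
<?php
// Added example, not the answer's code. Assumes the image tree from the question has been
// moved to /var/www/private/design_images (outside public_html) and that public_html/.htaccess
// maps the old URLs onto this script with a hypothetical rule such as:
//   RewriteEngine On
//   RewriteRule ^design_images/([^/]+)/([^/]+)/([^/]+)$ loadimage.php?product=$1&variant=$2&file=$3 [L]

const IMAGE_ROOT = '/var/www/private/design_images';   // assumed location of the moved tree

// Allow-list each path segment separately: no slashes, no "..", no NUL bytes can pass.
function validSegment(string $value, string $pattern): ?string
{
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// Returns the absolute path of the requested image, or null if any check fails.
function resolveImagePath(string $product, string $variant, string $file): ?string
{
    $product = validSegment($product, '/^product_\d{1,6}$/');
    $variant = validSegment($variant, '/^\d{1,8}_\d{1,8}$/');
    $file    = validSegment($file, '/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$/i');
    if ($product === null || $variant === null || $file === null) {
        return null;
    }
    // realpath() resolves symlinks; the prefix test guarantees we stayed inside IMAGE_ROOT.
    $path = realpath(IMAGE_ROOT . "/$product/$variant/$file");
    if ($path === false || strpos($path, IMAGE_ROOT . '/') !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

$path = resolveImagePath(
    (string)($_GET['product'] ?? ''),
    (string)($_GET['variant'] ?? ''),
    (string)($_GET['file'] ?? '')
);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

$info = getimagesize($path);   // false for anything that is not a real image file
if ($info === false) {
    http_response_code(415);
    exit('Unsupported media type');
}
header('Content-Type: ' . $info['mime']);
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the PHP files and the images no longer share a writable web-root directory, a script injected into public_html cannot reach the product folders through the web server's document root, and the per-segment allow-list plus the realpath prefix check close the traversal path through the loader itself.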
