PHP store photos in a folder that is not public

Question

I would like to create a photo sharing php web site, I am pretty new to you PHP I am used to Java based servers.

I want to provide a form to upload an image. I want to be able to upload many hundreds of images, so it is probably better to store the image in a local file folder, and store a pointer to that file in the database. The reason is because the MySQL database is limited but the disk space is not.

The person who uploaded the image can then share this photo with certain other users, so I will have a table to maintain the permissions for the image.

I do not want this photo to download using a direct URL - a URL should provide the ID for the image as a query parameter, and the server will respond with that image, but it will only work if that user has permission to the file. I know how to do this, by creating a php that will read the file and output to the response.

If I store the photo on the disk inside of some folder somewhere, how do I make sure the photo cannot be hit using the direct URL like /path/to/photo.png?

Answer 1

You've got about two different options.

First, assuming you're using apache, use an .htaccess file on a folder to make it restricted or modify the httpd file if you can.

See:

• http://httpd.apache.org/docs/2.2/configuring.html#syntax
• http://httpd.apache.org/docs/2.2/howto/htaccess.html

In particular, the DENY command:

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny

Either way, php should still be able to access the images since it's server-side.

Another option is to store the files outside of the folders where your php server is located, (outside htdocs for apache, for example). You can navigate through the filesystem using file://, directly putting the directory ( e.g. E:\Images) or a relative path. php is not limited to saving files inside the area accessible by the internet.

See: http://www.php.net/manual/en/wrappers.file.php