Storing images outside of html root |
| message from omegaskl on 19 Jul 2004 |
I plan to use a database to store the path of an image so that I can
dynamically show an image to an authorized user that has logged in.
My question is that if I store the images under the html root, then
theoretically, people could guess the path to other images if they view
the source and see where the images are coming from. For example, if
they see that an image is coming from the /images folder then they could
guess the name of another image.
Is it possible to store the images outside of the root, like you would
store a database?
For example, I have my html files stored in the html root folder and my
database in a database folder outside of the html root folder to prevent
people from browsing to the database. I tried to store an image in the
database folder, create a page and link the src of the image to the
direct path in the server (d:\database folder on server\image.jpg). But,
the image did not display.
I do not want to store the image in the database. So, is my only
solution to just put the images inside the html root and then hope
people do not guess the name of other images?
Thanks
Steve
|
| Michael Fesser replied to omegaskl on 19 Jul 2004 |
.oO(omegaskl)
No, images have to be accessible via a URL, i.e. they have to be stored
somewhere under the document root. A browser has no direct access to
files that are stored outside, you need a script for streaming the file.
No. Put them somewhere on the server outside the document root and use a
script for delivery (of course the script has to be accessible with a
browser). The script checks if the user is authenticated and then sends
the requested image.
For more information or hints you have to post some more details (what
server, database, what server-side scripting language ...).
Micha
|
| omegaskl replied to Michael Fesser on 19 Jul 2004 |
So what you are saying is that I can put them in the same folder that my
database resides (outside html root) and use a script to deliver the
images? That sounds cool.
Right now, I am using IIS, Access and VB Script. I authenticate the user
using Dreamweaver's Login User Server Behavior.
What I have seen other sites do is just name the image being served a
random string, such as GhJuY67.jpg. That would make it real difficult
for people to guess that image A goes with database record A. I am
willing to do that as well if your method is not possible.
Steve
|
| Craig replied to omegaskl on 20 Jul 2004 |
I agree with all of you, kinda.
Ultimately Joe is absolutely correct, if it's been seen it's on the computer.
You seem to be protecting something worthy of the Pentagon - which has been
hacked, so why bother?
If you want the simplest solution, it's your own - disassociate the record
and file name. But is it worth it? Will you remember what's associated with
what?
Craig
|
| omegaskl replied to Craig on 19 Jul 2004 |
Yeah, I am not concerned about people copying the image, just accessing
ones they are not authorized to see. So, the random file name seems like
a good idea. I'll just keep a record of what photo goes with what record.
Of course, I could just put the images in a password protected
directory, but that will not work since I am authenticating via a database.
Steve
|
| Michael Fesser replied to omegaskl on 20 Jul 2004 |
.oO(omegaskl)
For example.
Hmm, don't know about VB, I use PHP. The streaming-script is accessible
with a URL and is able to read files on the server directly through the
filesystem. It reads the requested file and passes it through to the
browser.
Currently I use this for a download script to count how often a file has
been downloaded. The idea is the same.
True, but it's still "security by obscurity", I wouldn't rely on that if
other methods are possible.
Micha
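
The delivery script described in the replies above, as an added example that is not part of the original thread or any poster's own code. It assumes PHP with PDO, a login page that sets `$_SESSION['user_id']`, and a hypothetical table `images(id, owner_id, stored_name, mime_type)`; the paths are placeholders. A page would reference it as `<img src="image.php?id=42">`.

```php
<?php
// image.php: added example. Table, column, session key and paths are assumptions.
session_start();

const IMAGE_ROOT = '/srv/private-images';   // placeholder: a folder outside the document root

function deny(int $status): void {
    http_response_code($status);
    exit;
}

// 1. Only logged-in users get any further.
if (!isset($_SESSION['user_id'])) {
    deny(401);
}
$userId = $_SESSION['user_id'];
session_write_close();                      // release the session lock before streaming

// 2. The client sends a record id, never a file name or path.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    deny(400);
}

// 3. Look the file up and check ownership in the same parameterized query.
$db = new PDO('sqlite:/srv/private-data/app.db');   // placeholder DSN; any PDO driver works
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $db->prepare(
    'SELECT stored_name, mime_type FROM images WHERE id = ? AND owner_id = ?');
$stmt->execute([$id, $userId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    deny(404);                              // same answer for "no such image" and "not yours"
}

// 4. Resolve the path and confirm it still lies inside IMAGE_ROOT.
$root = realpath(IMAGE_ROOT);
$path = realpath(IMAGE_ROOT . DIRECTORY_SEPARATOR . basename($row['stored_name']));
$prefix = $root . DIRECTORY_SEPARATOR;
if ($root === false || $path === false || !is_file($path)
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
    deny(404);
}

// 5. Stream the file with a content type taken from a fixed allow-list.
$allowed = ['image/jpeg', 'image/png', 'image/gif'];
$mime = in_array($row['mime_type'], $allowed, true)
    ? $row['mime_type'] : 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

Because the ownership check runs on every request, a guessed id returns 404, so nothing depends on file names being hard to guess.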
|
| omegaskl replied to Michael Fesser on 20 Jul 2004 |
I was thinking under the logic that since my OLE connection string
accesses the .mdb file in a folder outside the HTML root via a direct
path (drive:\path\db.mdb) that I could do the same logic. However, the
more I think about it, I can see how this is not possible since the
database is being accessed on the server from a server based script. If I
was to call an image via a direct drive letter path from a webpage, then
I would be accessing that file as the IUSER account, which does not have
access to the database folder.
Steve
|
| Joaquim Lopes replied to omegaskl on 19 Jul 2004 |
If I'm not mistaken, accessing files outside the documents root is a no-no because it will open your system to everyone on the net and poses a serious security risk.
|
| Craig replied to omegaskl on 19 Jul 2004 |
Steve,
I think the 'view source' code is always going to display the image path &
name, unless you could find a way to disable that, most unlikely.
turn off IE's image tools on the page
write "" to the status bar
or disable right-clicks
Craig
|
| Gary White replied to Craig on 19 Jul 2004 |
None of those are effective methods of protecting images.
Gary
|
| Joe Makowiec replied to omegaskl on 19 Jul 2004 |
Your only solution, if you do not want people 'getting' your images, is
not to post them to the web. As soon as they are viewed, they are
resident on the viewer's computer. That's the fundamental nature of the
Web.