Image Gallery

Posted: Mon Mar 28, 2005 1:59 pm
by cs-web
Hi, I'm making an image gallery for my site. I want it so users can upload images to the gallery. But I want to approve images when they're uploaded, before they will display in the site gallery and users can see them. I would also make it pretty hard for the preapproved images to be found by some kind of loser so they can link to them in the forum and stuff.

For example, I wouldn't want the unapproved images somewhere accessible like

images/upload/unapproved.

Would it be best to just password protect the unapproved folder?

Any comments, suggestions and experience would be useful.

Thanks Chris

Posted: Mon Mar 28, 2005 2:34 pm
by feyd
store the filename, some id number, and a flag that says whether it's approved or not in a database table. All images should be loaded from a script that takes the id number. This script checks if the record is approved before sending the image. If not approved, send a false image of some kind. Use an .htaccess file to set "Deny From All" on the directory where you wish to store the files. This will disallow a user directly accessing any of the files without going through the image script.
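
The serving script described in the post above, as an added example that is not part of the original thread. The SQLite file `gallery.db`, the `images(id, filename, approved)` table, the `uploads/` directory and the `pending.gif` placeholder are assumptions.

```php
<?php
// image.php?id=N  (added example; schema, paths and file names are assumptions)
// Assumed table: CREATE TABLE images (id INTEGER PRIMARY KEY, filename TEXT, approved INTEGER DEFAULT 0);
declare(strict_types=1);

const UPLOAD_DIR  = __DIR__ . '/uploads';     // contains the .htaccess with "Deny From All"
const PLACEHOLDER = __DIR__ . '/pending.gif'; // the "false image" sent for anything unapproved

/** Return the path to send for $id: the stored file only when its record is approved. */
function resolveImage(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT filename, approved FROM images WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['approved'] !== 1) {
        return PLACEHOLDER; // unknown and unapproved ids look the same to the client
    }
    // basename() keeps a stored name from pointing outside the upload directory.
    $path = UPLOAD_DIR . '/' . basename($row['filename']);
    return is_file($path) ? $path : PLACEHOLDER;
}

/** Send the file with a content type read from the file itself. */
function sendImage(string $path): void
{
    $info = getimagesize($path);
    header('Content-Type: ' . ($info['mime'] ?? 'application/octet-stream'));
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

$db = new PDO('sqlite:' . __DIR__ . '/gallery.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Only an integer id is accepted; anything else resolves to the placeholder.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
sendImage(resolveImage($db, is_int($id) ? $id : 0));
```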

Posted: Mon Mar 28, 2005 2:43 pm
by cs-web
A bit off topic for the moment, probably shouldn't go in this forum, but on the PHP manual regarding file uploads here

http://uk.php.net/features.file-upload

it doesn't mention unlinking files, whereas in the PHP book it says this is very sloppy to do so. But I find it hard to believe that the PHP would be; has the upload method changed and an unlink is no longer needed? For example, if I found a file was too large once uploaded, how would I get it off the server, cos I wouldn't want a 100gig file to stay on there even for 10 minutes for example..

Posted: Mon Mar 28, 2005 3:03 pm
by feyd
first off, the upload system limits the size of an upload in several places, which are the directives mentioned on that page. So unless you change your configuration to allow a 100GB file, it's not going to happen very easily. You can unlink() a file uploaded, in some cases this may be a good idea, however, the folder the upload system uses is often a temporary folder, things left there are cleared out by php or the server on a regular basis, I believe. But, if you want to be safe, unlink() the file.

Posted: Tue Mar 29, 2005 2:56 am
by cs-web
feyd wrote: store the filename, some id number, and a flag that says whether it's approved or not in a database table. All images should be loaded from a script that takes the id number. This script checks if the record is approved before sending the image. If not approved, send a false image of some kind. Use an .htaccess file to set "Deny From All" on the directory where you wish to store the files. This will disallow a user directly accessing any of the files without going through the image script.
The problem with that is I don't mind the images being accessible once they are approved, it's just someone might upload loads of porn and give people links to it.

---- Later Post
I'm trying to also have the script check the file is less than 500K and either a gif or jpeg. I'm using this if

Code:

if (($imagesize <= "512000") && ($filetpye == "image/gif") || ($filetpye == "image/jpeg")) {
The problem is that if the file is a jpeg it doesn't check for the size. I understand why, because the && doesn't cover the two type checks, if u get what I mean.. I want it to be... if the image is less than 500k and a gif or jpeg, not if the image is less than 500k and a gif, or the image is a jpeg.

One last point lol.. in the php manual it says:
$_FILES['userfile']['type']

The mime type of the file, if the browser provided this information. An example would be "image/gif".
That does seem very good, is there a better way to get the file type within PHP? Because surely an evil person could construct their own browser that sends the type as jpg when it's actually a mean PHP script or something of the same effect.

Posted: Fri Apr 01, 2005 3:05 pm
by jakeklem
The problem is that if the file is a jpeg it doesn't check for the size. I understand why, because the && doesn't cover the two type checks, if you get what I mean.. I want it to be... if the image is less than 500k and a gif or jpeg, not if the image is less than 500k and a gif, or the image is a jpeg.
cs-web
Will an extra set of parentheses around the gif/jpeg work?

Code:

if (($imagesize <= "512000") && (($filetpye == "image/gif") || ($filetpye == "image/jpeg")))

Posted: Fri Apr 01, 2005 3:25 pm
by feyd
although it'd work for the average user, be careful as the file type information is sent from the requesting client, and can very easily be spoofed. Using getimagesize(), php will actually read the file, to see if it can recognize it as an image. Warning: some JPEG files may not get recognized, because there are MANY variants to JPEG. You can use the exif functions to determine more variants of JPEG, among other formats, though you need to write code to check if the function(s) exist, as they are a compile option.. exif_imagetype()

Posted: Sat Apr 02, 2005 2:47 pm
by cs-web
Is there a simple secure way to get the size and extension of the file that was uploaded? Forget all this "mime" bull crap. I don't see why they even bothered making that mime stuff, seems utterly useless.

Posted: Sat Apr 02, 2005 2:58 pm
by feyd
the extension of a file is actually the useless one. The mime information is what you should use.

Posted: Sat Apr 02, 2005 3:43 pm
by cs-web
Yeah, but if that can be spoofed, that holds absolutely no weight security wise for me.

Posted: Sat Apr 02, 2005 3:51 pm
by feyd
are you talking about the mime information that is returned from getimagesize() or sent from the browser? I'm talking about the former.

Posted: Sat Apr 02, 2005 4:46 pm
by cs-web
How do I just get the size and mime type of the file uploaded then? This is confusing lol, at least for me it is :oops:

Posted: Sat Apr 02, 2005 4:47 pm
by feyd

Posted: Sun Apr 03, 2005 6:43 am
by cs-web
By size I didn't mean dimensions, I meant actual size, u know, like in bytes

Posted: Sun Apr 03, 2005 2:16 pm
by feyd
you can compare $_FILES['yourfile']['size'] against filesize()
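
The checks discussed in this thread (type read from the file with exif_imagetype() or getimagesize(), and the reported size compared against filesize()) combined into one upload handler, as an added example that is not part of the original posts. The `uploads/` directory and the function name `checkUploadedImage` are assumptions; the `userfile` field and the 512000-byte limit come from the thread.

```php
<?php
// Added example: validate one $_FILES entry without trusting client-supplied fields.
declare(strict_types=1);

const MAX_BYTES = 512000; // the 500K limit used in the thread
const ALLOWED   = [IMAGETYPE_GIF => 'image/gif', IMAGETYPE_JPEG => 'image/jpeg'];

/** Returns the MIME type detected from the file contents, or throws with the reason. */
function checkUploadedImage(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed, error code $err");
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not a file uploaded in this request');
    }
    // Measure the bytes on disk; the reported size has to agree with them.
    $bytes = filesize($tmp);
    if ($bytes === false || $bytes !== (int)$file['size'] || $bytes > MAX_BYTES) {
        throw new RuntimeException('size mismatch or over the limit');
    }
    // $file['type'] comes from the client and is deliberately ignored.
    // exif_imagetype() is a compile option, so fall back to getimagesize().
    if (function_exists('exif_imagetype')) {
        $type = exif_imagetype($tmp);
    } else {
        $info = getimagesize($tmp);
        $type = $info === false ? false : $info[2];
    }
    if ($type === false || !isset(ALLOWED[$type])) {
        throw new RuntimeException('not a GIF or JPEG');
    }
    return ALLOWED[$type];
}

if (isset($_FILES['userfile'])) {
    try {
        $mime = checkUploadedImage($_FILES['userfile']);
        // Server-chosen name and extension; the record starts out unapproved.
        $name = bin2hex(random_bytes(16)) . ($mime === 'image/gif' ? '.gif' : '.jpg');
        move_uploaded_file($_FILES['userfile']['tmp_name'], __DIR__ . '/uploads/' . $name);
    } catch (RuntimeException $e) {
        $tmp = $_FILES['userfile']['tmp_name'] ?? '';
        if ($tmp !== '' && is_file($tmp)) { unlink($tmp); } // remove the rejected file now
        http_response_code(400);
    }
}
```

A file that passes the type check can still carry other bytes after the image header, which is why the stored name and extension are chosen by the server rather than taken from the upload.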