filename and viewing

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I have a bunch of pictures that are renamed during upload to time().jpg

So the filename is always unique.

However, some of these pictures are password protected from viewing via a password form. Incorrect password = error message. Correct password = access to the pictures.

Now, I just recently got to thinking... someone could create a script to find these pictures without needing a password. It would seem pretty useless, but it would turn up results.. something like:

Code:

$dir = "http://www.domain.com/dir/";

$time = time();
$onemonth = 60*60*24*30;
$starttime = $time-$onemonth;

$i = $starttime;
while($i < $time)
{
   echo "<img src=\"".$dir.$i.".jpg\"><BR />";
   $i++;
}

This code would produce thousands of empty pictures, BUT it would produce the password protected images uploaded within the last month.. or whatever time period was defined.

So I need to randomize my image names.. time() isn't effective for security reasons.

What if I md5()'d the time... would this produce a unique filename each time? Would the filename be too long?

If that's not secure.. what about salting the md5()'d time?

Your thoughts please....
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

md5() isn't needed... simply pushing the folder outside the document root and/or only allowing access to the images through a script is the way. :)

Post by s.dot »

Not really that practical though. Because all the images reside in the same directory. But not all of them are password protected. The ones that are protected are identified in the database corresponding to filename.

So I wouldn't need to place such pictures outside of the document root. And would be quite hard to do considering the dynamics that members choose to protect/unprotect images.

I figure my best bet is extremely randomizing the file name. And the only idea I came up with for that is a salted md5() string.

Something like:

Code:

$filename = time();
$salt = "saltstringhere";

$result = $filename.$salt;
$final = md5($result);

Now I'm not sure if my definition of "salt" is correct, as I've only come to learn it from reading other forum topics. Regardless the idea is the same.

This would produce a 32 character filename with numbers and letters... so I'm guessing it would never produce an invalid filename? And what are the possibilities of duplicate filenames?

Post by feyd »

probability of a duplicate filename with md5: 1:340,282,366,920,938,463,463,374,607,431,768,211,455

I was suggesting that all the images be passed through the file handler, whether password protected or not. The file handler would add password protection where needed, do immediate pass-through if not. The handler also gives you the ability to do download counting, popularity graphing and such derivatives based on statistics.. :)
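
The file handler feyd describes above, sketched as an added example (not code posted in this thread): every image request goes through one script that checks the database flag, asks for the password only where an image is protected, and otherwise streams the file straight through. The storage path, the SQLite database, the `images` table columns, the `f` parameter and the `$_SESSION['unlocked']` key are assumptions made for illustration.

```php
<?php
// image.php: hypothetical file handler, requested as image.php?f=<time()>.jpg
// Assumed schema: images(filename TEXT PRIMARY KEY, is_protected INT, password_hash TEXT)
declare(strict_types=1);
session_start();

const IMAGE_DIR = '/var/www/private/images';          // assumed path outside the document root
$db = new PDO('sqlite:/var/www/private/gallery.db');  // assumed database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function fail(int $status): void
{
    http_response_code($status);
    exit;
}

// Accept only the upload naming scheme (digits + .jpg); this also rules out path traversal.
$name = (string)($_GET['f'] ?? '');
if (!preg_match('/\A\d{1,20}\.jpg\z/', $name)) {
    fail(400);
}

$stmt = $db->prepare('SELECT is_protected, password_hash FROM images WHERE filename = ?');
$stmt->execute([$name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$path = IMAGE_DIR . '/' . $name;
if ($row === false || !is_file($path)) {
    fail(404);
}

$protected = (int)$row['is_protected'] === 1;
if ($protected && empty($_SESSION['unlocked'][$name])) {
    // Password comes from the existing password form; the stored hash was made with password_hash().
    $given = (string)($_POST['password'] ?? '');
    if ($given === '' || !password_verify($given, (string)$row['password_hash'])) {
        fail(403);                             // guessing the filename alone gets nothing
    }
    $_SESSION['unlocked'][$name] = true;       // remember the unlock for this session only
}

// Unprotected or unlocked: immediate pass-through.
header('Content-Type: image/jpeg');
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');
if ($protected) {
    header('Cache-Control: private, no-store'); // keep protected images out of shared caches
}
readfile($path);
```

Because access is decided per request from the database flag, members can protect or unprotect an image without the file being moved or renamed.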