Page 1 of 1

filename and viewing

Posted: Fri Sep 02, 2005 11:51 am
by s.dot
I have a bunch of pictures that are renamed during upload to time().jpg

So the filename is always unique.

However, some of these pictures are password protected from viewing via a password form. Incorrect password = error message. Correct password = access to the pictures.

Now, I just recently got to thinking... someone could create a script to find these pictures without needing a password. It would seem pretty useless, but it would turn up results.. something like:

Code: Select all

$dir = "http://www.domain.com/dir/";

$time = time();
$onemonth = 60*60*24*30;
$starttime = $time-$onemonth;

$i = $starttime;
while($i < $time)
{
   echo "<img src=\"".$dir.$i.".jpg\"><BR />";
   $i++;
}
This code would produce thousands of empty pictures, BUT it would produce the password protected images uploaded within the last month.. or whatever time period was defined.

So I need to randomize my image names.. time() isn't effective for security reasons.

What if I md5()'d the time... would this produce a unique filename each time? Would the filename be too long?

If that's not secure.. what about salting the md5()'d time?

Your thoughts please....

Posted: Fri Sep 02, 2005 11:55 am
by feyd
md5() isn't needed... simply pushing the folder outside the document root and/or only allowing access to the images through a script is the way. :)

Posted: Fri Sep 02, 2005 12:05 pm
by s.dot
Not really that practical though. Because all the images reside in the same directory. But not all of them are password protected. The ones that are protected are identified in the database corresponding to filename.

So I wouldn't need to place such pictures outside of the document root. And would be quite hard to do considering the dynamics that members choose to protect/unprotect images.

I figure my best bet is extremely randomizing the file name. And the only idea I came up with for that is a salted md5() string.

Something like:

Code: Select all

$filename = time();
$salt = "saltstringhere";

$result = $filename.$salt;
$final = md5($result);
Now I'm not sure if my definition of "salt" is correct, as I've only come to learn it from reading other forum topics. Regardless the idea is the same.

This would produce a 32 character filename with numbers and letters... so I'm guessing it would never produce an invalid filename? And what are the possibilities of duplicate filenames?

Posted: Fri Sep 02, 2005 12:14 pm
by feyd
probability of a duplicate filename with md5: 1:340,282,366,920,938,463,463,374,607,431,768,211,455

I was suggesting that all the images be passed through the file handler, whether password protected or not. The file handler would add password protection where needed, do immediate pass-through if not. The handler also gives you the ability to do download counting, popularity graphing and such derivatives based on statistics.. :)