filename and viewing
Posted: Fri Sep 02, 2005 11:51 am
I have a bunch of pictures that are renamed during upload to time().jpg
So the filename is always unique.
However, some of these pictures are password protected from viewing via a password form. Incorrect password = error message. Correct password = access to the pictures.
Now, I just recently got to thinking... someone could create a script to find these pictures without needing a password. It would seem pretty useless, but it would turn up results.. something like:
Code:
$dir = "http://www.domain.com/dir/";
$time = time();
$onemonth = 60*60*24*30;
$starttime = $time-$onemonth;
$i = $starttime;
while($i < $time)
{
    echo "<img src=\"".$dir.$i.".jpg\"><BR />";
    $i++;
}
This code would produce thousands of empty pictures, BUT it would produce the password protected images uploaded within the last month.. or whatever time period was defined.
So I need to randomize my image names.. time() isn't effective for security reasons.
What if I md5()'d the time... would this produce a unique filename each time? Would the filename be too long?
If that's not secure.. what about salting the md5()'d time?
Your thoughts please....
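An added example, not part of the original post: an audit helper that flags stored names derivable from the upload time under either scheme raised above (time() and md5(time())), next to a generator that draws names from the CSPRNG instead. The function names, the sample timestamp and the one-hour audit window are assumptions made for the illustration.

```php
<?php
// Added example, not code from the original post; function names are hypothetical.

// Generate a name unrelated to upload time: 16 CSPRNG bytes = 128 bits,
// hex-encoded to 32 characters (the same length as an md5() hex digest).
function randomImageName(string $uploadDir): string
{
    do {
        $name = bin2hex(random_bytes(16)) . '.jpg';
    } while (file_exists($uploadDir . '/' . $name)); // collision is improbable; checked anyway
    return $name;
}

// Audit helper: is this stored name derivable from a timestamp in [$from, $to]?
// Covers the two schemes in the post: time().jpg and md5(time()).jpg.
function nameDerivableFromTime(string $name, int $from, int $to): ?string
{
    $base = pathinfo($name, PATHINFO_FILENAME);
    if (ctype_digit($base) && (int) $base >= $from && (int) $base <= $to) {
        return 'time()';
    }
    if (preg_match('/^[0-9a-f]{32}$/', $base)) {
        // md5() is public and deterministic, so hashing adds no candidates:
        // one per second in the window, exactly as with the bare timestamp.
        for ($t = $from; $t <= $to; $t++) {
            if (md5((string) $t) === $base) {
                return 'md5(time())';
            }
        }
    }
    return null;
}

// Constructed sample: three names "uploaded" at the same constructed timestamp.
$uploaded = 1125661860;
$from = $uploaded - 3600;   // audit a one-hour window to keep the run short
$to   = $uploaded + 3600;
$names = [
    $uploaded . '.jpg',
    md5((string) $uploaded) . '.jpg',
    randomImageName(sys_get_temp_dir()),
];
foreach ($names as $n) {
    $scheme = nameDerivableFromTime($n, $from, $to);
    printf("%-40s %s\n", $n, $scheme ?? 'not derivable from upload time');
}
```

A salted md5 of the time is unguessable only for as long as the salt stays secret, whereas the random name has no input to recover at all.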