Msg#: 4653860 posted 11:52 pm on Mar 13, 2014 (gmt 0)
I'm planning to give users the chance to upload pictures related to some element on my web site. I want to ask your opinion about the fact that I'm thinking of using the upload class class.upload.php [verot.net...]
I don't want to reinvent something that I think already works pretty well.
What do you think? Is it enough for a small site? What will happen if I have more users? Any considerations? I'm thinking of reducing the size and dimensions of each uploaded picture in order to avoid using too much space on the server (normal hosting on bluehost).
Msg#: 4653860 posted 12:21 am on Mar 18, 2014 (gmt 0)
I have used that method in the past and it does work. I have yet to use it on a live site though. There are just so many security issues that you need to be aware of.
You need to make sure all files you allow users to upload. Just because something is an image file does not mean it is only an image. There are so many ways of placing dangerous code within almost any file.
I am no expert on this, and I am hopeful that someone with more experience will join the thread.
Msg#: 4653860 posted 3:56 pm on Mar 19, 2014 (gmt 0)
First point: definitely not GIF images. Second: all the images will be associated with different elements that are stored in the database (elements like monuments, museums, religious buildings and some other types). Each element has a unique 10-character string that I will use to generate the names of the images that I'm going to save on the server. Most likely I'll set a 2MB limit and I will resize the image and save an original and a thumb (the "original" will show up once you click on the thumb through something like Lightbox). The thumb will have a fixed length and width according to whether it is a horizontal or vertical image. The original I'll probably resize if the width and height are too big. I'll have control over the pictures that users publish, so I can automatically delete them in case a picture is not proper. What do you think? Any possible issues?
Msg#: 4653860 posted 5:52 pm on Mar 19, 2014 (gmt 0)
- Make sure the images have read-only permissions once they've been moved to their permanent and publicly accessible location. Basically give them the least amount of permissions and no more.
- Preferably give it your own filename. Something like imagefile.php.apachedoesntknowthisextension can be parsed as PHP. At the very least sanitise/validate the file name.
- Have a look at client-side technologies that can help shrink the image before it gets pushed to your server. People don't know that a 50MB file from their camera can be shrunk down to a more sane size with little loss in quality. "Uploadify" is a popular package that can accommodate this.
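A PHP upload handler that applies the points in this post (server-chosen filename, validated name, read-only permissions) together with the 2MB limit and the no-GIF rule from the earlier post, as an added example; it is not class.upload.php and not any poster's code, and the form field name, the directory path and the size constants are assumptions.

```php
<?php
// Added example (not class.upload.php and not any poster's code). Assumes the
// form field "picture", an UPLOAD_DIR that the web server serves as static
// files, and a 10-character element id from the database as in the thread.

const UPLOAD_DIR = '/var/www/site/images';  // assumed path
const MAX_BYTES  = 2 * 1024 * 1024;         // the 2MB limit mentioned above
const MAX_EDGE   = 1600;                    // longest edge kept for the "original"

function store_upload(array $file, string $elementId): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a successful upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File exceeds 2MB');
    }
    // The id is ours, not the client's: accept exactly ten alphanumerics.
    if (!preg_match('/^[A-Za-z0-9]{10}$/', $elementId)) {
        throw new RuntimeException('Bad element id');
    }
    // Ignore the client-supplied name and MIME type; inspect the bytes instead.
    // GIF is rejected as the poster intended; anything undecodable is rejected.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        throw new RuntimeException('Only JPEG or PNG images are accepted');
    }
    $src = $info[2] === IMAGETYPE_JPEG
        ? @imagecreatefromjpeg($file['tmp_name'])
        : @imagecreatefrompng($file['tmp_name']);
    if ($src === false) {
        throw new RuntimeException('Image could not be decoded');
    }
    // Re-encoding through GD writes only pixel data: metadata and any bytes
    // appended after the image do not survive into the stored file.
    $w = imagesx($src);
    $h = imagesy($src);
    $scale = min(1.0, MAX_EDGE / max($w, $h));
    $dst = imagescale($src, max(1, (int) ($w * $scale)), max(1, (int) ($h * $scale)));
    // Server-chosen filename with a fixed .jpg extension, never the client's name.
    $name = $elementId . '-' . bin2hex(random_bytes(8)) . '.jpg';
    $dest = UPLOAD_DIR . '/' . $name;
    if (!imagejpeg($dst, $dest, 85)) {
        throw new RuntimeException('Could not write image');
    }
    chmod($dest, 0444);   // read-only for everyone, as the post recommends
    return $name;
}
// Usage from the form handler: store_upload($_FILES['picture'], $_POST['element_id']);
```

Thumbnail generation is left out; the same re-encode step with a smaller target edge produces the thumb the earlier post describes.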