0

I tried serving images outside of the web root and it worked. Here's what I did:

Directories:

app
  |_upload_dir
      |_user_img_dir
          |_ user1.jpg
      |_ other_img_dir
           |_an_img.png

Public_html
  |_asset_dir
  |_load_image.php
  |_home.php

load_image.php

<?php
$mime_type = mime_content_type("../app/upload_dir/user_imag_dir/{$_GET['image']}");
header('Content-Type: '.$mime_type);

readfile("../app/upload_dir/user_img_dir/{$_GET['image']}");
?>

HTML

...
<body>
    <img src="/load_image.php?image=user1.jpg" width="100" height="100"/>
</body
...

That's how I can read the images from user_img_dir directory.

So how can I read any files inside upload_dir? should I have multiple load_image.php typeScript for each directory? Or, should I pass the whole path inside '$_GET' ? Or there is a better way? I need a direction here.

Thank you.

Improve this question
6
  • 1
    You're code is highly insecure. Anyone can pass what ever file path they want from your server that the web server can read and get the contents, including any PHP file. You can read about some possible solutions here. Commented Feb 18, 2019 at 5:53
  • I'll love to learn. Can you point me out more clearly @MagnusEriksson Commented Feb 18, 2019 at 5:55
  • I added a link in my comment to a post that has more info and possible solutions. Commented Feb 18, 2019 at 5:56
  • 1
    Store the files paths in the DB, then pass a unique identifier and pull that path from the DB, that way the directory tree is never subject to end user manipulation. Only save the path outside of this root location ../app/upload_dir/ that way if you ever move servers etc, it will be easier to adjust it in code. Commented Feb 18, 2019 at 5:58
  • 1
    The general idea is to have a variable containing the absolute path to the folder you want to let the user access. Then use realpath() on the requested file path and make sure that the requested path starts with the configured path. That will make sure the requested path isn't outside of the allowed path. But you should definitely read more about the issue. Commented Feb 18, 2019 at 6:00

1 Answer 1

Reset to default
0

All you need is to provide your load_image.php with the whole relative path. And modify your PHP script accordingly.

HTML

<body>
    <img src="/load_image.php?image=../app/upload_dir/user_img_dir/user1.jpg" width="100" height="100"/>
</body

For other images just just replace the src value of the img tag. Each occurrence of the tag may serve different image.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Image
Thanks for the reply @Mulli . But I don't like the idea of putting the full path other than only the file name.
Image
@Sharecorn The above is the straight forward way. It is an answer to your question. You may try encode into the image file name instructions for your load_image php script where the file is. Example: uud1d1image.jpg is the path "../../d1/d1/image.jpg".

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.