
I'm using Restlet as backend trying to create a small web app.

I am allowing users to upload their profile images, but not sure where to store them. Google tells me to store it in the file system which makes sense.

So should I store them in a public web folder in which the web front end lives? But wouldn't that allow people to access all the profile images very easily?

If I don't store the images in the public web directory, where should I store them and how do I protect them?

My server is Ubuntu Server 12.04. Thanks in advance.

Matthew Yang
  • Nothing personal and no offense intended but this question is analogous to "What kind of sandwich should I have and should I put mustard or ketchup on it?". It's entirely subjective and is dependent on your storage and security needs and desires and that's not something we can answer for you. – joeqwerty Mar 28 '13 at 15:18

2 Answers

You could certainly store them in a sub-folder within the public folder, and disable folder browsing. Then only expose the images within your application.

af-at-work

You can store the files outside of the document root, and include them on the backend with a relative path. Typically, the web server will deny access to the parent directory of docroot, but the backend services will be able to access them.

i.e. if you use:

DocRoot = /var/www
Images = /var/profile-pics

This will not work:

http://www.yourdomain.com/../profile-pics/David.JPG

This will work:

<?php include('../profile-pics/David.JPG'); ?>

Note: PHP used as example, and of course you cannot include a jpeg in this manner. Used only as example of keeping sensitive files out of the document root.

David Houde
  • You can do this, but it exacts a severe performance penalty for calling PHP just to load a static resource. – Michael Hampton Mar 28 '13 at 17:05
  • You are definitely correct. I just wanted to provide the example, as some users would never know otherwise. This method is best used for including other scripts that would need to be parsed regardless. – David Houde Mar 28 '13 at 17:12
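To make the "store outside the document root, serve through the backend" approach from the answer above concrete, here is an added example (not code from the original post or from Restlet; written in Python so it runs stand-alone, while the same logic would live in a Restlet ServerResource in the asker's setup). It assumes a constructed image store directory created in a temp folder, a constructed `PROFILE_IMAGES` table mapping owners to file names and visibility, and a hypothetical `requester` identity obtained from the app's session. It shows the three checks the backend has to make before handing a file back: that the requester is allowed to see this owner's image, that the resolved path still lies inside the store (so `../` in a stored name cannot reach `/etc`), and that uploaded names are normalised to an owner-derived name with an allow-listed extension at upload time.

```python
import os
import tempfile

# Constructed sample data: which user owns which stored file and who may see it.
PROFILE_IMAGES = {
    "david": {"file": "David.JPG", "visibility": "private"},
    "alice": {"file": "alice.png", "visibility": "public"},
}

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}


def storage_name_for(owner, upload_name):
    """Derive the on-disk name from the owner id, never from the client's path.

    Only the extension of the uploaded name is used, and only if allow-listed,
    so '../../etc/passwd' or 'shell.php' can never become a stored file name.
    """
    ext = os.path.basename(upload_name).rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTENSIONS or not owner.isalnum():
        return None
    return f"{owner}.{ext}"


def safe_join(store_root, filename):
    """Resolve filename under store_root; return None if it escapes the store."""
    root = os.path.realpath(store_root)
    full = os.path.realpath(os.path.join(root, filename))
    if full == root or os.path.commonpath([root, full]) != root:
        return None
    return full


def is_authorized(owner, requester, visibility):
    """Public images are visible to anyone; private ones only to their owner."""
    return visibility == "public" or requester == owner


def serve_profile_image(store_root, owner, requester):
    """Backend handler: returns (http_status, body_bytes)."""
    entry = PROFILE_IMAGES.get(owner)
    if entry is None:
        return 404, b""
    if not is_authorized(owner, requester, entry["visibility"]):
        return 403, b""
    path = safe_join(store_root, entry["file"])
    if path is None or not os.path.isfile(path):
        return 404, b""
    with open(path, "rb") as f:
        return 200, f.read()


def make_sample_store():
    """Create a constructed image store outside any web root (a temp dir)."""
    store = tempfile.mkdtemp(prefix="profile-pics-")
    for entry in PROFILE_IMAGES.values():
        with open(os.path.join(store, entry["file"]), "wb") as f:
            # Constructed placeholder bytes, not a real JPEG/PNG.
            f.write(b"\xff\xd8\xff" + entry["file"].encode())
    return store


if __name__ == "__main__":
    store = make_sample_store()
    print(serve_profile_image(store, "alice", None)[0])      # 200: public image
    print(serve_profile_image(store, "david", "bob")[0])     # 403: private, wrong user
    print(serve_profile_image(store, "david", "david")[0])   # 200: owner
    print(safe_join(store, "../passwd"))                     # None: escapes the store
    print(storage_name_for("david", "../../etc/passwd"))     # None: bad extension
```

The authorization check is the part that a static directory under the docroot cannot give you: a web server serving `/var/www/profile-pics/David.JPG` directly has no idea who is asking. As Michael Hampton's comment notes, routing every image through the application costs more than serving a static file, so this is worth it only when the access decision is actually needed.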