How to serve images from MULTIPLE directory outside web root?

Question

I tried serving images outside of the web root and it worked. Here's what I did:

Directories:

app
  |_upload_dir
      |_user_img_dir
          |_ user1.jpg
      |_ other_img_dir
           |_an_img.png

Public_html
  |_asset_dir
  |_load_image.php
  |_home.php

load_image.php

<?php
$mime_type = mime_content_type("../app/upload_dir/user_imag_dir/{$_GET['image']}");
header('Content-Type: '.$mime_type);

readfile("../app/upload_dir/user_img_dir/{$_GET['image']}");
?>

HTML

...
<body>
    <img src="/load_image.php?image=user1.jpg" width="100" height="100"/>
</body
...

That's how I can read the images from user_img_dir directory.

So how can I read any files inside upload_dir? should I have multiple load_image.php typeScript for each directory? Or, should I pass the whole path inside '$_GET' ? Or there is a better way? I need a direction here.

Thank you.

You're code is _highly_ insecure. Anyone can pass what ever file path they want from your server that the web server can read and get the contents, including any PHP file. You can read about some [possible solutions here](https://stackoverflow.com/questions/1911382/sanitize-file-path-in-php). — M. Eriksson, Feb 18 '19 at 05:53
I'll love to learn. Can you point me out more clearly @MagnusEriksson — Bipul Roy, Feb 18 '19 at 05:55
I added a link in my comment to a post that has more info and possible solutions. — M. Eriksson, Feb 18 '19 at 05:56
Store the files paths in the DB, then pass a unique identifier and pull that path from the DB, that way the directory tree is never subject to end user manipulation. Only save the path outside of this root location `../app/upload_dir/` that way if you ever move servers etc, it will be easier to adjust it in code. — ArtisticPhoenix, Feb 18 '19 at 05:58
The general idea is to have a variable containing the absolute path to the folder you want to let the user access. Then use [realpath()](http://php.net/manual/en/function.realpath.php) on the requested file path and make sure that the requested path starts with the configured path. That will make sure the requested path isn't outside of the allowed path. But you should definitely read more about the issue. — M. Eriksson, Feb 18 '19 at 06:00
I also like to use `hash_file('sha1', $filepath)` for the unique id, this has the added benefit of rejecting duplicate files, [hash_file](http://php.net/manual/en/function.hash-file.php) returns a hash of the file contents, think of a hash like a password hash. You can compare the hashes of 2 files to see if the files are identical. And it's less guessable/looks better then a plain id. — ArtisticPhoenix, Feb 18 '19 at 06:02

score 0 · Answer 1 · answered Feb 18 '19 at 07:34

0

All you need is to provide your load_image.php with the whole relative path. And modify your PHP script accordingly.

HTML

<body>
    <img src="/load_image.php?image=../app/upload_dir/user_img_dir/user1.jpg" width="100" height="100"/>
</body

For other images just just replace the src value of the img tag. Each occurrence of the tag may serve different image.

answered Feb 18 '19 at 07:34

Mulli

1,598
2
22
39

Thanks for the reply @Mulli . But I don't like the idea of putting the full path other than only the file name. – Bipul Roy Feb 18 '19 at 07:40
@Sharecorn The above is the straight forward way. It is an answer to your question. You may try encode into the image file name instructions for your load_image php script where the file is. Example: uud1d1image.jpg is the path "../../d1/d1/image.jpg". – Mulli Feb 18 '19 at 07:50

How to serve images from MULTIPLE directory outside web root?

1 Answers1