Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
3
3
3ton2015-05-11 20:23:04
PHP
3ton, 2015-05-11 20:23:04

How to organize file storage in a PHP project?

HelpDesk is written inside CRM specifically for the client.
Interested in how to organize the storage of files, not the folder structure and connections with the database, but the process of saving and uploading a file.
The situation of protecting the project from hacking through uploading files is of interest.
For example, how to protect yourself from uploading php scripts.
There is an idea that you need to give binary through the first option from here habrahabr.ru/post/151795
But if such an option is for the binary of norms, then what about the pictures that would not be bad to draw on some pages, but at the same time not to get to the execution of slipped pictures instead scripts.
UPD1:while reading all the suggestions, the thought came to my mind - how much safer / more convenient it will be to organize a virtual machine with file hosting for this business, what is the best way to organize it and how to use it from under PHP.
if, for example, a CMS on corp.company.ru, then keep files.company.ru in a neighboring virtual machine
, the only question is how it is more convenient to use it with minimal loss of system resources.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
S
Sergey Semenko, 2015-05-11
@abler98

Store files in a folder inaccessible to users, and display images using PHP, for example, Imagick:
/image.php

$path = 'uploads/image.png';
$image = new Imagick($path);
$image->setImageFormat('png');
header('Content-type: image/png');
echo $image->getImageBlob();
$image->close();

/index.php
<img src="image.php">

Report
R
Rockman, 2015-05-11
@1Rockman

Keep files in a place inaccessible to the public, prohibit downloading files directly and even more so execute php. Give files as in the example on Habré, give pictures in approximately the same way. Store the file names in the database, and store the files themselves on the disk without extension and instead of the name you can use, for example, md5 hash.

Report
I
index0h, 2015-05-11
@index0h

1. Files must be stored in a non-public directory.
2. Access check - php part with return based on X-Sendfile or X-Accel-Redirect headers. Reading and serving with php is very expensive.
3. And of course, the rights to launch should be absent.

Report
M
marble, 2015-05-12
_

Everyone said it right, but they forgot one more thing - you need to filter the variables arriving at the server, because you can stuff the path into the file name, as a result, don’t protect it as a directory, but you can save the file in a different place, for example, in the root. This is how they often upload to the site through all sorts of fileuploaders that hold settings on the client side, for example in js, and of course, in this case, do not keep any settings in fronted scripts.

Similar questions
S
StayAtHome2015-04-01 12:24:02
How to distinguish a web request from a regular page from a request from the extension itself from a Chrome/Opera extension? 4Reply
V
Vladimir Karpenko2017-04-19 19:41:47
What if there are two databases in an ASP.NET MVC5 project: one is database first, the other is code first? 3Reply
Y
Yuri Kulaxyz2019-09-21 23:05:53
Why doesn't Laravel sort() work? 3Reply
J
Jan2017-05-08 08:56:20
How to pass data to popup (Angular)? 3Reply
P
Pashchuk Ilya2017-05-09 21:42:00
How to resize a block when dragging in css3 and html5? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question