
Thread: help needed, securing a folder

  1. #11
    Join Date
    Mar 2005
    Location
    Isle of Man
    Posts
    1,261

    Your thumbnails page would be coded just as any other page on your site; you just reference the images via the image script,
    e.g. (HTML markup):
    Code:
    <img src="display_image.php" title="my image" />
    If you are piping many images through the one script, as you are, you would obviously need to append the query string arguments onto the path; your script would use those to determine which image to display.

    You could further clean up all the paths visually using URL rewriting, but that is one for another thread.

    So, you may end up with something like this:
    Code:
    <ul id="thumbnails">
      <li>
        <img src="display_image.php?id=1" title="one image" />
      </li>
      <li>
        <img src="display_image.php?id=2" title="another image" />
      </li>
      <li>
        <img src="display_image.php?id=3" title="last image" />
      </li>
    </ul>

  2. #12
    Join Date
    Feb 2005
    Posts
    153

    aahhhh.... brilliant, thanks for that. I guess I was looking at it the wrong way.

    Just one thing, how do I get my php file to change the images based on the variable in the URL?

    I have tried the following but it doesn't work... ($urlNumber is what the variable in the URL path is called.)

    PHP Code:
    <?php
    $urlNumber = $_GET['urlNumber'];

    // backslashes inside a double-quoted PHP string need escaping ("\\"), and "\$" is itself an escape for a literal "$"
    $filepath = "D:\aimhigherhumber.org\student\$urlNumber.jpg";

    $fp = fopen($filepath, 'r');
    header('Content-Type: image/jpeg');
    header("Content-Length: " . filesize($filepath));
    header('Content-Disposition: inline; filename=image.jpg');
    die( fpassthru($fp) );
    ?>

  3. #13
    Join Date
    Mar 2005
    Location
    Isle of Man
    Posts
    1,261

    PHP Code:
    if ( !isset($_GET["urlNumber"]) ) {
      die("no image specified");
    }

    $filepath = "D:\\aimhigherhumber.org\\student\\" . (int)$_GET["urlNumber"] . ".jpg";
    [...]
    Should work, provided the real images are named like this. Also note that I have cast the urlNumber value as an int. If you are expecting an integer, this is the quickest and easiest way to prevent someone abusing the script and grabbing files from all over the file system, which would be bad. Always be super wary about dealing with any user input, as I'm sure you know.

    I'd normally approach this sort of problem myself by having the script take in some sort of identifier, such as the urlNumber you are passing, but then using it to look up the real file path from a database, or an equivalent, and at the same time handle cases for unauthorised users and requests for non-existent files etc.

    It is more than a few simple lines of script to handle this sort of problem elegantly, but if the above gets enough done for you, then great.
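    The cast-to-int approach above stops path traversal on its own, but the lookup-table design the reply describes is worth seeing end to end. The following is an added example, not code from the thread: a display_image.php that only serves files named in an id-to-filename map (a stand-in for the database lookup), validates the id as a plain integer before using it, confirms the resolved path is still inside the image directory, and takes the Content-Type from the file's bytes rather than its extension. The directory, the map contents, the `id` parameter name and the two function names are assumptions for this example.

```php
<?php
// Added example (not from the thread): a hardened display_image.php.
// The image directory and the id map below are placeholders for this example.
declare(strict_types=1);

// Directory holding the protected images. Keep it outside the document root
// so nothing in it is reachable except through this script.
const IMAGE_DIR = 'D:\\aimhigherhumber.org\\student';

// Stand-in for the database lookup suggested above: id => file name.
// Only names in this map can ever be served, whatever the query string says.
const IMAGE_MAP = [
    1 => '1.jpg',
    2 => '2.jpg',
    3 => '3.png',
];

// Content types this script is willing to send.
const IMAGE_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Resolve an untrusted id to an absolute path inside $baseDir, or null.
 * Returns null for anything that is not a plain positive integer, for ids
 * not in the map, and for any path that resolves outside $baseDir.
 */
function resolveImagePath(string $rawId, array $map, string $baseDir): ?string
{
    // 1. Validate the shape of the input rather than just casting it:
    //    "3abc" and "../../x" must both be rejected, not coerced.
    if (!ctype_digit($rawId)) {
        return null;
    }
    $id = (int) $rawId;
    if (!isset($map[$id])) {
        return null;
    }

    // 2. The map value is trusted data, but still refuse anything containing
    //    a directory separator so a bad row cannot turn into a traversal.
    $name = $map[$id];
    if ($name !== basename($name)) {
        return null;
    }

    // 3. Canonicalise and confirm the result is still under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Send the file with a Content-Type derived from its contents. */
function sendImage(string $path): void
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type  = $finfo->file($path);
    if ($type === false || !in_array($type, IMAGE_TYPES, true)) {
        http_response_code(404);
        exit('not an image');
    }
    header('Content-Type: ' . $type);
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: inline; filename="image"');
    // Never echo the real path back to the client, even in error messages.
    readfile($path);
}

// An authorisation check for the current user belongs here, before any lookup.
$path = resolveImagePath((string) ($_GET['id'] ?? ''), IMAGE_MAP, IMAGE_DIR);
if ($path === null) {
    http_response_code(404);
    exit('no such image');
}
sendImage($path);
```

    With the thumbnails page linking to display_image.php?id=1 as in post #11, the map decides which file that id means. A request such as id=../../web.config fails ctype_digit() before any filesystem call is made, and even a malformed map entry cannot escape IMAGE_DIR because of the realpath() prefix check. Reading the type with finfo also means a file that was renamed to .jpg but is really HTML or a script is refused instead of being sent with an image Content-Type.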

  4. #14
    Join Date
    Feb 2005
    Posts
    153

    Thanks Nick, that's all great! Now I just need to figure out how to upload something to a directory outside the root directory.

    Below is my code; the part in red is the area which handles the upload. I have tried adding the physical path, but it's not working, and I guess it may be the same as before, in that it might be looking for the physical address on my hard drive as opposed to the server?


    PHP Code:
    <?php
    // getExtension(), MAX_SIZE and $MemberIdentification are defined elsewhere in this script.
    // This variable is used as a flag. It is initialised to 0 (meaning no error found) and changed to 1 if an error occurs. If an error occurs the file will not be uploaded.
    $errors = 0;
    $fileout = '';
    // checks if the form has been submitted
    if (isset($_POST['Submit'])) {
        // reads the name of the file the user submitted for uploading
        $image = $_FILES['image']['name'];
        // if it is not empty
        if ($image) {
            // get the original name of the file from the client's machine
            $filename = stripslashes($_FILES['image']['name']);
            // get the extension of the file in lower case
            $extension = strtolower(getExtension($filename));
            // if it is not a known extension, treat it as an error and do not upload the file; otherwise do more tests
            $allowed = array('jpg', 'jpeg', 'png', 'gif', 'doc', 'docx', 'mdb', 'mdbx', 'mp3', 'ppt', 'pptx', 'xls', 'xlsx', 'pdf');
            if (!in_array($extension, $allowed)) {
                $errors = 1;
                header("Location: http://" . $_SERVER['HTTP_HOST'] . "/messages.php?message=8");
                exit();
            } else {
                // get the size of the file in bytes; $_FILES['image']['tmp_name'] is the temporary file the upload was stored in on the server
                $size = filesize($_FILES['image']['tmp_name']);
                // compare the size with the maximum size we defined and redirect with an error if bigger
                if ($size > MAX_SIZE * 1024) {
                    $errors = 1;
                    header("Location: http://" . $_SERVER['HTTP_HOST'] . "/messages.php?message=9");
                    exit();
                }
                // give it a unique name, for example the time in unix time format
                $image_name = time() . '.' . $extension;
                // the new name contains the (relative) path where it will be stored
                $newname = "students/$MemberIdentification/" . $image_name;
                // verify the file was copied into place, and redirect with an error if not
                $copied = copy($_FILES['image']['tmp_name'], $newname);
                if (!$copied) {
                    $errors = 1;
                    header("Location: http://" . $_SERVER['HTTP_HOST'] . "/messages.php?message=0");
                    exit();
                }
            }
        }
        // if no errors were registered, build the thumbnail and record the upload
        if (!$errors) {
            if ($extension == 'jpg' or $extension == 'gif' or $extension == 'jpeg' or $extension == 'png') {
                $filename = "students/$MemberIdentification/$image_name";
                $fileout = "students/$MemberIdentification/thumb-$image_name";
                $newxsize = 200;
                $newysize = 150;
                // note: imagecreatefromjpeg() only reads JPEG data, so this fails for gif and png uploads
                $src = imagecreatefromjpeg($filename);
                $dst = imagecreatetruecolor($newxsize, $newysize);
                $size = getimagesize($filename);
                imagecopyresampled($dst, $src, 0, 0, 0, 0, $newxsize, $newysize, $size[0], $size[1]);
                imagejpeg($dst, $fileout);
            }
            $mediaTitle = $_POST['mediaTitle'];
            $sValue = $_POST['FCKeditor1'];

            if ($mediaTitle and $sValue and $newname) { //--CHECK ALL REQUIRED FIELDS ARE FILLED IN
            } else {
                header("Location: http://" . $_SERVER['HTTP_HOST'] . "/messages.php?message=3");
                exit();
            } //--END CHECK ALL REQUIRED VARIABLES

            //--INSERT INTO DATABASE (uses the mysql_* extension, which was removed in PHP 7)
            $Insert = "INSERT INTO forum_media (media_author, media_title, media_description, media_url, media_url_thumb, media_extension, media_approved)
                VALUES ('$MemberIdentification','" . mysql_escape_string($mediaTitle) . "','" . mysql_escape_string($sValue) . "','$newname','$fileout','$extension','0')";
            $result = mysql_query($Insert);
            $NewMediaID = mysql_insert_id();
            if ($result) {
                header("Location: http://" . $_SERVER['HTTP_HOST'] . "/profile-mediaApproval.php");
                exit();
            }
        }
    }

  5. #15
    Join Date
    Mar 2005
    Location
    Isle of Man
    Posts
    1,261

    You want to use the move_uploaded_file() function to move the file from the temp directory to the destination.

    You seem to be specifying a relative path for $newname; I suspect that is why the file copy isn't working.
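    To make the two points in this reply concrete, here is an added example (not the poster's code, and not from the forum) of the upload step rebuilt around move_uploaded_file() with an absolute destination directory. It also checks the per-file upload error code, decides the file type from its contents rather than from the client's file name, and stores the file under a random name. The directory, the size limit, the allowed-type list and the storeUpload() function are all assumptions for this example.

```php
<?php
// Added example (not from the thread): the upload step rewritten around
// move_uploaded_file(). Directory, size limit and allowed types are placeholders.
declare(strict_types=1);

// Absolute path, outside the document root, so uploads are never directly
// browsable or executable. Must exist and be writable by the web server.
const UPLOAD_DIR = 'D:\\aimhigherhumber.org\\student';
const MAX_BYTES  = 2 * 1024 * 1024;

// Stored extension, keyed by the MIME type detected from the file's bytes.
// The client-supplied name and extension are never used for anything.
const ALLOWED = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

/**
 * Validate one entry of $_FILES and move it into UPLOAD_DIR/<memberId>/.
 * Returns the absolute path of the stored file, or throws with a reason.
 */
function storeUpload(array $file, string $memberId): string
{
    // PHP reports upload problems here; check it before touching anything else.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'none'));
    }
    // Refuse to process anything that did not arrive as an upload in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the type from the bytes, and pick the stored extension from that.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('unsupported file type');
    }
    $ext = ALLOWED[$mime];

    // The member id becomes a directory name, so it must be a plain integer too.
    if (!ctype_digit($memberId)) {
        throw new RuntimeException('bad member id');
    }
    $dir = UPLOAD_DIR . DIRECTORY_SEPARATOR . $memberId;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create member directory');
    }

    // Random name instead of time(): no collisions between two uploads in the
    // same second, and nothing guessable for someone enumerating the folder.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $dir . DIRECTORY_SEPARATOR . $name;

    // move_uploaded_file() re-checks that the source is a genuine upload and
    // moves it; copy() leaves the temp file behind and skips that check.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640);
    return $dest;
}

if (isset($_POST['Submit'], $_FILES['image'])) {
    // $MemberIdentification is the logged-in user's id from the poster's script.
    $memberId = (string) ($MemberIdentification ?? '');
    try {
        $stored = storeUpload($_FILES['image'], $memberId);
        // Record basename($stored) against the member in the database here; the
        // image script from earlier in the thread can then serve it by id.
    } catch (RuntimeException $e) {
        header('Location: http://' . $_SERVER['HTTP_HOST'] . '/messages.php?message=0');
        exit();
    }
}
```

    The original copy() ran against a path relative to the current working directory and left the temporary file in place; move_uploaded_file() with an absolute UPLOAD_DIR removes the dependence on where the script is run from and refuses anything that is not a genuine upload for this request. The Office and Access formats in the original extension list are deliberately absent from ALLOWED: adding them means adding the MIME types finfo reports for them, so the stored extension still comes from the content rather than from the name the browser sent.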

  6. #16
    Join Date
    Mar 2005
    Location
    Isle of Man
    Posts
    1,261

    Thought I'd post this link to the PHP Manual, in case you haven't read through it yet.
    PHP — Handling file uploads
