Hey everyone just newly registered here after a few months of lurking . I'm just wondering how you all deal with allowing users to upload photos to your site. My main questions being:

How do you stop users uploading incorrect files eg. exe's instead of jpg's etc?
Do you allow them upload it straight to a Db or just the link to it in the Db?
Do you have a function to rename the images so they can be displayed on your site?

Hopefully not a stupid question

Thanks.

The first question I'd ask is which technology are you using?

Are you using PHP, Perl, ASP, ASP.net?

__________________
Hosting & Domains|Plesk Vps Hosting|Blog Tips|Films.ie|Gadgets|Monetisation Tips|Movie Chat


Energise your forum! Click here for info

oops sorry meant to post this at the end........

I'm using PHP with a MySQL Db.

My way ...

writeable directory

1. Check who the user is ... are they allowed to upload ?

2. RTFM (blunt but ... ) PHP: Handling file uploads - Manual it gives you pretty much everything you need to know

3. I don't recommend storing files within the database. The overhead of all that data being read from the database is pretty crazy. It bloats your database it isn't friendly you've got to write scripts to handle files and do a lot of unnecessary crap.

4. Your database should contain a table giving userID, Filename, validated

And away you go ...

store the files outside of your root webfolder preferably if memory serves correctly you want to use fpassthru or similar to grab the files. This is assuming of course the files are "sensitive"


Other steps...
Limit file size they are allowed to upload..
You could try checking the extension of the files they upload.

Then you could try to determine if its an image with the getimagesize function ... if its not .. junk it ... and report the error ...
PHP: getimagesize - Manual

hope thats of some help ...

__________________
Forbairt Media | Web Design & Development Galway / Dublin, Ireland - coming soon ... ( vague but descriptive isn't it )
Recent Work: Safari Club African Safari Holidays - South Africa Safaris
Other Stuff: FluffyLinkulator Rapid Inclusion Service Tools

Cool thanks, just trying to get an idea of the different ways I can do this. Thanks Forbairt.

no problem

depending ... on how important security is ...

you could just upload the files to a directory with a random magic number that you give the user so they can access their file. You can store this name in the database if you want with a reference to the user id ...

Its not secure but guessing the filename could be close to impossible ... you could of course monitor network traffic to see what files are being accessed but that'd be complicated and require a lot more access / knowledge

the method of storing them with a magic number filename or similar would mean you won't have to pass the file through a php script or similar which on a busy site would mean a lot less overhead.

ya, i got burned a few weeks ago... a malicious file was uploaded to my dir showing all my vulnerabilities

__________________
Web Development Cork | Music News | Irish Kendo | Cork Martial Arts

ouchies

Windows or Linux system ?

unix

damn ... ... uploaded a php file or something like that ?