How to view images from protected folder

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Postby lar » Sun Jun 03, 2012 1:42 pm

Hi out there!
I would really appreciate help with the following problem.
I'm developing an application that shall view images from surveillance cameras uploaded to a password protected FTP-folder.
Outside this FTP-folder I have a script that shall get the images and view them page by page.
The problem is that I can't find any way to view the images from the FTP-folder while it is protected from public access.
(uploadImage.jpg is in my original script a variable that returns one file at each iteration)

My file and script structure are like this:
mydomain/public_html/application/imageView.php
mydomain/publich_html/ftp/camera1/uploadImage.jpg

The camera1 must not be open to public access, while the script imageView.php shall be accessible via login script.
I've also tried to place the /ftp/camera1/uploadImage.jpg folders at this place
mydomain/ftp/camera1/uploadImage.jpg
and unprotect them.
But there I can't reach the files at all.
As most of you guess, I suppose, I'm not a very experienced PHP developer.

I would really appreciate some code sample for imageView.php that can view several image files in the same page, from a folder that has no public access, without the user having to key in some username and password, more than the first login.

thanks in advance!
lar
lar
Forum Newbie
 
Posts: 3
Joined: Sun Jun 03, 2012 11:56 am

Re: How to view images from protected folder

Postby requinix » Sun Jun 03, 2012 4:46 pm

Unless there are file or folder permission problems, you can just look at it as a normal directory. Like
$files = glob($_SERVER["DOCUMENT_ROOT"] . "/ftp/camera1/*.jpg");
Play with me! :D
requinix
Spammer :|
 
Posts: 5376
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: How to view images from protected folder

Postby pickle » Mon Jun 04, 2012 2:15 pm

The first thing you should do is move your camera1 folder outside the document root (ie: below public_html). That way even if your security fails somehow, Apache is totally unable to serve up the images.

Assuming you can't do that, you can put an .htaccess file in the directory which denies all access. This way, any requests made from a user get denied. Accessing the files via PHP is not affected by the .htaccess file.

I think the easiest way to serve up these images is to use an image "proxy" file that you can reference like an image file:

<img src = "/application/imageProxy.php?file_name_here.jpg" alt = "" />


That imageProxy.php file can then check if the user is authenticated and if so, go get the image data and output it to the browser.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
pickle
Briney Mod
 
Posts: 6418
Joined: Mon Jan 19, 2004 7:11 pm
Location: 53.01N x 112.48W

Re: How to view images from protected folder

Postby lar » Thu Jun 07, 2012 1:59 pm

Thanks requinix and pickle for your replies.

But I can't get any of them to work. Probably because I can't use your advice well enough.
About the code: $files = glob($_SERVER["DOCUMENT_ROOT"] . "/ftp/camera1/*.jpg");
I have tried to put the $files in the img tag like printf("<img src='%s' />",$files); and many other ways, with no success.
The path is completely ok, but no image comes up in the webpage.

I have also tried a proxy.php script I found on the net, see below --- No success! :(
I put it in the tag: <img src="proxy.php?pic=0+backyard_DSC00004.jpg" alt="Loaded by proxy" /> and in many other ways, among others also <img src="<?php proxy.php?pic=0+backyard_DSC00004.jpg ?>" alt="Loaded by proxy" />, but no! Only the alt text appears in the webpage.
And when the proxy script executes, I get an error about the header being already sent, as the images shall be inserted in a regular webpage which has a header.
proxy.php:
<?php
// define absolute path to image folder
$image_folder = 'systempath/public_html/ftp/camera1/';
// get the image name from the query string
// and make sure it's a plain file name that is not trying to probe your file system

if (isset($_GET['pic']) && is_string($_GET['pic']) && basename($_GET['pic']) == $_GET['pic']) {
    $pic = $image_folder.$_GET['pic'];
    if (file_exists($pic) && is_readable($pic)) {
        // get the filename extension (lower-cased so that .JPG also matches)
        $ext = strtolower(substr($pic, -3));
        // set the MIME type
        switch ($ext) {
            case 'jpg':
                $mime = 'image/jpeg';
                break;
            case 'gif':
                $mime = 'image/gif';
                break;
            case 'png':
                $mime = 'image/png';
                break;
            default:
                $mime = false;
        }
        // if a valid MIME type exists, display the image
        // by sending appropriate headers and streaming the file
        if ($mime) {
            header('Content-type: '.$mime);
            header('Content-length: '.filesize($pic));
            $file = fopen($pic, 'rb');
            if ($file) {
                fpassthru($file);
                exit;
            }
        }
    }
}
?>

So I would really appreciate some more specific help on this problem.

Regards lar.
lar
Forum Newbie
 
Posts: 3
Joined: Sun Jun 03, 2012 11:56 am

Re: How to view images from protected folder SOLVED

Postby lar » Wed Jun 13, 2012 1:00 pm

PROBLEM SOLVED

The image directory to which image files are uploaded from the IP-camera is now located above the document root, that is on the same level as the public html directory, where it is impossible for anyone to view them in a browser. Just as it is said in a comment above. Thanks for that advice!

In the document root, in a public directory below the public_html, is the "public" password protected php-file in which the images are viewed with this type of code:
<?php
..... PHP code that cycles through an array with all filenames in the image directory .....
printf("<img src='proxy.php?pic=%s' >",$arrImage[$x]);
...... the rest of the code ...........
?>

In the proxy.php file, that is located together with the "view file", is the variable $image_folder set to the system path of the image directory.
I have a "+" sign in my filenames; those are replaced by a space somewhere in the transfer from the printf statement to the $_GET-statement in the proxy file, so I had to restore this "+" sign by:
$pic = str_replace(" ","+",$pic);
Why the "+" is replaced by a space when used in the GET argument, I have no idea.

And I also had to remove the: "&& is_readable($pic)" in the proxy.php because that stopped the execution of the script.
Why it doesn't work in my system (regular unix commercial web hosting), I have no idea.

But with those adjustments it works perfectly well for me to view images from a directory which I think is completely unavailable for regular visitors, even if they for some reason should come to know about the path to the image file.

Best regards
lar.
lar
Forum Newbie
 
Posts: 3
Joined: Sun Jun 03, 2012 11:56 am
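
The proxy approach discussed in this thread, as an added example that is not part of any post above: the view page percent-encodes the file name (PHP decodes a literal "+" in a query string as a space, so "+" has to travel as %2B), and the proxy checks the login, the name and the resolved path before streaming the file. The function names, the `$_SESSION['user_id']` login marker and the demo directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: the login script sets
// $_SESSION['user_id'], and the camera folder lives outside the document root.
const MIME_BY_EXT = ['jpg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png'];
// View page: rawurlencode() sends "+" as %2B, so PHP's query-string decoding
// (which treats "+" as a space) hands the proxy the original file name.
function image_tag(string $fileName): string
{
    $url = 'proxy.php?pic=' . rawurlencode($fileName);
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES) . '" alt="">';
}

// Proxy: map the requested name to a file inside $baseDir, or null if rejected.
function resolve_image(string $baseDir, $requested): ?string
{
    if (!is_string($requested) || $requested === '' || basename($requested) !== $requested) {
        return null;                        // arrays, empty names, directory parts
    }
    $ext  = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);   // false when the file is missing
    if (!array_key_exists($ext, MIME_BY_EXT) || $base === false || $path === false) {
        return null;
    }
    // realpath() follows symlinks, so re-check that the target is still in the folder.
    return (strpos($path, $base . DIRECTORY_SEPARATOR) === 0 && is_file($path)) ? $path : null;
}

// Proxy entry point: call as send_image($dir, $_SESSION, $_GET) after session_start()
// and before any output, otherwise header() fails with "headers already sent".
function send_image(string $baseDir, array $session, array $get): void
{
    $path = empty($session['user_id']) ? null : resolve_image($baseDir, $get['pic'] ?? null);
    if ($path === null) {
        http_response_code(404);            // same answer for "not logged in" and "no such file"
        return;
    }
    header('Content-Type: ' . MIME_BY_EXT[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
// Constructed demo data; run from the command line with: php example.php
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/camera1_demo';     // hypothetical stand-in folder
    is_dir($dir) || mkdir($dir);
    file_put_contents($dir . '/0+backyard_DSC00004.jpg', 'constructed placeholder bytes');
    echo image_tag('0+backyard_DSC00004.jpg'), "\n";
    var_dump(resolve_image($dir, '0+backyard_DSC00004.jpg'), resolve_image($dir, '../proxy.php'));
}
```

In a real proxy.php the file would contain only the functions and the `send_image()` call, with no HTML, whitespace or closing `?>` around them, because the script's entire response is the image.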

