Home/ Questions/Q 8293671
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T13:54:27+00:00

After doing research, I found that it is more recommended to save the image

  • 0

After doing research, I found that it is more recommended to save the image name in database and the actual image in a file directory. Two of the few reasons is that it is more safer and the pictures load a lot quicker. But I don’t really get the point of doing this procedure because every time I retrieve the pictures with the firebug tool i can find out the picture path in the file directory which can lead to potential breach.

Am I doing this correctly or it is not suppose to show the complete file directory path of the image?

PHP for saving image into database

$images = retrieve_images();
    insert_images_into_database($images);

    function retrieve_images()
    {        
        $images = explode(',', $_GET['i']);

        return $images;
    }

    function insert_images_into_database($images)
    {
        if(!$images) //There were no images to return
            return false;        

       $pdo = get_database_connection();

        foreach($images as $image)
        {

            $path = Configuration::getUploadUrlPath('medium', 'target');
            $sql = "INSERT INTO `urlImage` (`image_name`) VALUES ( ? )";

            $prepared = $pdo->prepare($sql);
            $prepared->execute(array($image));
            echo ('<div><img src="'. $path . $image . '" /></div>');
        }
    }
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    One method to achieve what you originally intended to do by storing images in database is still continue to serve image via a PHP script, thus:

    1. Shielding your users from knowing the actual path of an image.
    2. You can, and should have, images stored outside of your DocumentRoot, so that they are not able to be served by web server.

    Here’s one way you can achieve that through readfile():

    <?php
// image.php

// Translating file_id to image path and filename
$path = getPathFromFileID($_GET['file_id']);
$image = getImageNameFromFileID($_GET['file_id']);

// Actual full path to the image file
// Hopefully outside of DocumentRoot
$file = $path.$image;

if (userHasPermission()) {
    readfile($file);
}
else {
    // Better if you are actually outputting an image instead of echoing text
    // So that the MIME type remains compatible
    echo "You do not have the permission to load the image";
}

exit;

    You can then serve the image by using standard HTML:

    <img src="image.php?file_id=XXXXX">
    • 0