I am building a small web app that will allow a logged-in user to upload product pictures. I’m trying to build-it-right, and after some naive implementations in the past, decided to add all uploaded content in my public folder.
\app (public folder)
-\index.php
\includes
\config
\uploads
This would make it so that if a malicious user managed to upload a PHP file, it wouldn’t be reachable or served by the server.
That being said, how would I go about serving these pictures on the webpage? What is the best way to do this? In the past I’ve used a getImage.php file that would take an ID parameter (and a hash of some generated value to avoid users just guessing IDs) which would look like “getImage.php?id=555&c=44j54k3h5”. The server grabs the image information in the DB (the real path) and loads the content, rebuilds the header, and sends the image.
Are there any security concerns regarding this method? Is there a way to make it prettier? Would having an htaccess rewrite rule that looks for /images/imagename.jpg and sends them to my getImage.php file add security holes? Any advice on best practices would be greatly appreciated.
Check out this class. It will handle the upload, do security checks and make you coffee 🙂
http://www.verot.net/php_class_upload.htm
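A sketch of the getImage.php approach described in the question, added here as an example; it is not code from the poster or from the linked class. It assumes the token `c` is an HMAC of the ID, that the key comes from a hypothetical `IMAGE_TOKEN_KEY` environment variable, and it replaces the DB lookup with a constructed array.

```php
<?php
// getImage.php?id=555&c=<token>: added example, names below are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../uploads';   // assumption: outside the public folder
const ALLOWED    = ['image/jpeg', 'image/png', 'image/gif'];

// Assumption: the token is an HMAC-SHA256 of the id under a server-side key.
function token_for(int $id, string $secret): string {
    return hash_hmac('sha256', (string)$id, $secret);
}

// Constructed stand-in for the DB lookup (id => stored file name).
function stored_name(int $id): ?string {
    $rows = [555 => 'a3f1c9.jpg'];
    return $rows[$id] ?? null;
}

// Returns [status, path, mime]; path and mime are null unless status is 200.
function resolve_image(array $query, string $secret): array {
    if ($secret === '') {
        return [500, null, null];             // refuse to run without a key
    }
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    $c  = $query['c'] ?? '';
    if ($id === false || !is_string($c)
        || !hash_equals(token_for($id, $secret), $c)) {   // constant-time compare
        return [403, null, null];
    }
    $name = stored_name($id);
    $base = realpath(UPLOAD_DIR);
    $path = $name === null ? false : realpath(UPLOAD_DIR . '/' . $name);
    // The resolved path must stay inside the upload directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return [404, null, null];
    }
    // Decide the type from the file's bytes, never from its name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($mime, ALLOWED, true) ? [200, $path, $mime] : [404, null, null];
}

[$status, $path, $mime] = resolve_image($_GET, (string)getenv('IMAGE_TOKEN_KEY'));
if ($status !== 200) {
    http_response_code($status);
    exit;
}
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');    // stop browsers re-guessing the type
readfile($path);
```

A rewrite rule that maps a prettier URL onto this script leaves these checks unchanged, since they all run inside the script on the parameters it receives.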