I run a web app where I store the users’ uploaded files in a folder structure like:
www.mydomain.com/uploads/topsecret/1/001.jpg
www.mydomain.com/uploads/topsecret/1/002.jpg
Now, it’s very easy to guess the URLs for 003.jpg and 004.jpg …
Therefore, I want to restrict user access to only http://www.mydomain.com/app/, and nothing else.
Only my .php pages on localhost should be allowed to get to the top secret pdfs, like
show.php:
<?php
// Only admins are sent the image tag.
if ($isAdmin) {
    echo "<img src='http://www.mydomain.com/uploads/topsecret/1/001.jpg'/>";
}
?>
Maybe there is a solution via .htaccess or via folder permissions. I know I could fix the problem via “headers” and “readfile”, but that would cause a bit of refactoring now.
Thank you in advance,
Matthias
Some clarification: when you do an
PHP access doesn’t matter (in fact it will work even if PHP doesn’t have access to the file!). The first step is to realise that it’s the browser that makes the request for the image. So if the browser can access it, the user can access other images by guessing the name of the image. This would even work if you serve the images with readfile from PHP. That’s why I wrote that you’re trying to solve the problem the wrong way.
What you can do is to obfuscate the image names (or the request variable you send to your PHP script). E.g.: use a salt + MD5. That way users cannot guess the names.
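One way to implement the name obfuscation suggested in the answer above, as an added example that is not code from either poster: the stored name (or request token) is derived from a secret salt and the internal file ID, so sequential IDs no longer map to sequential URLs. The salt + MD5 form follows the answer; the HMAC-SHA256 form is a swapped-in keyed hash. The salt value, the ID layout and all function names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: a long random secret kept outside the web root.
// The value below is constructed for this example only.
const UPLOAD_SALT = 'constructed-example-salt-replace-with-random-bytes';

// The answer's suggestion: salt + MD5 over the internal file ID.
function obfuscatedNameMd5(int $userId, int $fileNo, string $ext): string
{
    return md5(UPLOAD_SALT . "|$userId|$fileNo") . '.' . $ext;
}

// Swapped-in variant: HMAC-SHA256 keyed with the same secret.
function obfuscatedNameHmac(int $userId, int $fileNo, string $ext): string
{
    return hash_hmac('sha256', "$userId|$fileNo", UPLOAD_SALT) . '.' . $ext;
}

// For the "request variable" case, e.g. show.php?u=1&f=2&t=<token>:
// recompute the token server-side and compare in constant time.
function tokenIsValid(int $userId, int $fileNo, string $token): bool
{
    $expected = hash_hmac('sha256', "$userId|$fileNo", UPLOAD_SALT);
    return hash_equals($expected, $token);
}

// Sequential file numbers now produce unrelated names.
foreach ([1, 2, 3] as $fileNo) {
    printf(
        "file %03d -> md5: %s  hmac: %s\n",
        $fileNo,
        obfuscatedNameMd5(1, $fileNo, 'jpg'),
        obfuscatedNameHmac(1, $fileNo, 'jpg')
    );
}

// A token issued for file 1 does not validate for file 2.
$tokenForFile1 = hash_hmac('sha256', '1|1', UPLOAD_SALT);
var_dump(tokenIsValid(1, 1, $tokenForFile1));
var_dump(tokenIsValid(1, 2, $tokenForFile1));
```

The names only stop guessing: anyone who obtains one of these URLs can still fetch that file, because the browser requests it directly.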