My PHP script allows users to upload images and stores them in a directory on the same server. Is there a security or performance advantage when transferring user uploaded files to a remote server on a different FTP account?
I imagine that it’s more secure to store uploaded files on a server that isn’t in the same directory with my PHP scripts and connected to my database. What are your thoughts? Advice on how to properly use a remote server is welcomed.
Note: I plan to use CodeIgniter’s FTP Class to handle all transfers and I’m saving image URLs to the remote directory in MySQL.
It is no more secure than storing them on the same server, as users can execute your PHP scripts as long as they know their locations. They can find a PHP script’s location very easily without knowing it already (and without seeing images in the same directory).
You will see a decrease in performance (possibly very noticeably depending on how often you access emails) and won’t see an increase in security.
If you don’t want users to be able to execute your PHP files, you can change the read/execute capabilities of users in specified directories (you could just put your PHP files outside of the folder with the photos if you want the users to have access to the images without having access to the PHP files).
If you are worried about users uploading files you don’t want them to upload, you can limit the types of files they can upload by either saying “these file types are not allowed” or saying “only these file types are allowed” and checking with PHP when the file is uploaded.
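An "only these file types are allowed" check of the kind described in the answer above, as an added example that is not part of the original posts. The function names, the size limit and the upload directory argument are assumptions, and the code assumes PHP's fileinfo extension is enabled.

```php
<?php
declare(strict_types=1);

// Allowlist: MIME type detected from file contents => extension we assign.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/** Returns the extension for an allowed image, or null if the file is rejected. */
function allowed_image_extension(string $path): ?string
{
    // The client-supplied filename and Content-Type are untrusted; read the bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // The file must also parse as an image, not just start with image magic bytes.
    if (@getimagesize($path) === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

/** Stores one $_FILES entry under a server-generated name and returns that name. */
function store_uploaded_image(array $file, string $uploadDir, int $maxBytes = 2097152): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // is_uploaded_file() confirms the path really came from this HTTP upload.
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload rejected');
    }
    $ext = allowed_image_extension($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('File type not allowed');
    }
    // Never reuse the user's filename: random name plus our own extension,
    // so an upload named "photo.php" can never land on disk as a .php file.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}
```

A content check alone does not stop an image that also contains script text, so the upload directory should additionally be one where the web server does not execute PHP.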