What I’m Doing:
I basically need to create a website secured by a login page written in PHP that once logged in, you have a search bar that reads integers and the data is sent to a PHP script that retrieves an image with the number as its name.
(I’ll be storing a few thousand images on this server to be searched – inventory images)
–
What I need help with:
From my research, I understand that you “don’t” use databases such as MySQL to store actual images because of speed and inefficiency. If you don’t store it in a database, and you leave it on the server’s file system as suggested, if someone types a direct URL into an address bar, wouldn’t it bring them to the files on my server?
How do you protect against this? I want no files on my server to be viewable without successfully going through the login page.
Thanks for any help, any insight or suggestions would be appreciated. This is important for me because more complex information will be added in the future.
A recommended way of handling file downloads via PHP (or any other script) is by using the so-called ‘X-Sendfile’ response header.
The PHP script handles the authentication and once validated it will set a few response headers together with an ‘X-Sendfile’ that tells the web server to deliver a file; the script ends and the web server takes over.
See here for a simple example:
http://www.jasny.net/articles/how-i-php-x-sendfile/
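The flow described in the answer above, as an added example that is not part of the original post or the linked article. It assumes Apache with mod_xsendfile enabled, a login page that sets `$_SESSION['user_id']`, a query parameter named `id`, and JPEG images kept in a hypothetical directory `/var/www/private/inventory` outside the document root.

```php
<?php
// image.php: added example, not code from the original post.
declare(strict_types=1);

// Assumption: images are stored outside the document root, so no URL maps to them directly.
const IMAGE_DIR = '/var/www/private/inventory';

session_start();

// Assumption: the login page sets $_SESSION['user_id'] after a successful login.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// Accept digits only, so the value can never carry "../", a slash or a null byte.
$id = $_GET['id'] ?? '';
if (!is_string($id) || !ctype_digit($id) || strlen($id) > 10) {
    http_response_code(400);
    exit('Invalid image number');
}

// Assumption: every image is named <number>.jpg.
$path = IMAGE_DIR . '/' . $id . '.jpg';
if (!is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Set the response headers and stop; the web server reads X-Sendfile and delivers the file.
header('Content-Type: image/jpeg');
header('Content-Disposition: inline; filename="' . $id . '.jpg"');
header('Cache-Control: private, no-store');
header('X-Sendfile: ' . $path);
exit;
```

With mod_xsendfile, the server configuration needs `XSendFile On` and an `XSendFilePath` entry covering the image directory. The page shown after login would reference images as `image.php?id=1234` rather than by file path.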