I have 3 subfolders in an upload folder. My code looks like this:
if(isset($_SESSION["u_type"]) && $_SESSION["u_type"] == 3) {
$files = scandir($path."/3/") //$path is set somewhere above
//...
}
Its working fine, but you can actually add a simple html tag, like <img src="uploads/2/somathing.png/> and you can get any file from subdir 2 even if your "user type" is set to 3.
Is there a way to prevent it?
I alredy tried:
I'm using .htacces with Options- Indexes in it, but it only brevents direct listing of the files.
Yes, there is a way of doing this, it requires Apache webserver (for .htaccess files):
Add this to your uploads folder in .htaccess:
order deny,allow
deny from all
image.phpCreate a script named image.php and check your session in there:
(You might need to update this script to your requirements, this is a simple example which only supports jpeg).
<?php
session_start();
//check session for permission here!
$userTypeId = 1; //change this to requirements
header('Content-type: image/jpeg');
echo file_get_contents("uploads/" . $userTypeId . "/" . $_GET['image']);
<img src="image.php?image=yourimage.jpg" />
image.php?image=x.jpgYou can chose to rewrite this path with .htaccess so it seems as if there is no proxy .php script at work.
RewriteRule ^/a_chosen_path_name/([^\.]+)\.(png|jpg|gif)$ /image.php?image=$1.$2 [NC,L]
After which you can use:
<img src="a_chosen_path_name/yourimage.jpg" />