  1. #1
    Regular Coder
    Join Date
    Sep 2011
    Posts
    366
    Thanks
    39
    Thanked 0 Times in 0 Posts

    How to encrypt URL?

    Hello, I have made a simple website for people to upload images. These images are saved in a folder called "upload/" in the directory. When a person uploads an image, he also gets the link to the image. However, I want the link of the image to be secured so that the users do not know the folder where the images are being stored.

    For example, the current url is like this:

    http://www.example.com/upload/xxx.jpg

    I want it like:

    http://www.example.com/j5g68g5f78v41ht55

    I have used base64_encode, but I have now learned it will not work, as it is not an encryption function. Well, I just want the URL of the respective image to change, that's all. I don't want people to know which folder is storing the images... Thank you
    Last edited by angelali; 02-27-2012 at 02:24 PM.

  • #2
    Regular Coder
    Join Date
    Jan 2012
    Posts
    134
    Thanks
    0
    Thanked 32 Times in 32 Posts
    You can't really encrypt a URL. You can use PHP to help obfuscate it by creating something like this:

    http://www.example.com/image.php?image=xxx

    You can then set the proper headers and echo the contents of the image file (from the proper folder) to the browser.

    My real question is whether or not this is actually useful. "Security through obscurity" isn't security at all. Does it matter if users know the location of your upload directory? Use Apache to turn off directory browsing. If the files themselves need security then you'll have to do a little more work than modifying the URL.

  • #3
    New Coder
    Join Date
    Sep 2011
    Posts
    80
    Thanks
    0
    Thanked 13 Times in 12 Posts
    Best thing to do is to store the file outside the working web directory and then use a combination of PHP and htaccess to retrieve the said file and display it to the user.

    As mentioned, though, the best security is sanitisation; obscurity should never be relied upon, and should only be used to make it more difficult to feel out the system.

  • #4
    Regular Coder
    Join Date
    Sep 2011
    Posts
    366
    Thanks
    39
    Thanked 0 Times in 0 Posts
    Well, I think I have used a strong word lol, "Encrypt". I meant I only want the URL to be like this, as on most sites where you upload to download. They don't show the folder directory, etc.

  • #5
    New Coder
    Join Date
    Sep 2011
    Posts
    80
    Thanks
    0
    Thanked 13 Times in 12 Posts
    Look at sha1(); it's a hashing algorithm rather than encryption. It's 'one way' encryption but that shouldn't matter unless you rely on the original file name.

  • #6
    Regular Coder
    Join Date
    Sep 2011
    Posts
    366
    Thanks
    39
    Thanked 0 Times in 0 Posts
    I know this, and I don't know if MD5 will do the job, even though it is also an encryption. Because the user will use the link to copy onto their website, so the image should appear...

  • #7
    Regular Coder
    Join Date
    Sep 2011
    Posts
    366
    Thanks
    39
    Thanked 0 Times in 0 Posts
    Go to this link; the image hosting is online, on free hosting. Just register and see it.

    mini-image-hosting.99k.org

  • #8
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Any type of technique to create a random value is sufficient. I'd suggest either choosing a hashing algorithm such as sha1 or variant version, or using uuid generation. So long as it's unique or has a low chance of collision, then it will work fine.
    Then you simply store that key to a path in your database or a file. You serve it up as image.php?id=thatid. To remove that part, you'd use rewrite to convert just the /sha1|uuidtype into that of image.php?id=sha1|uuidtype. That will give you the effect you are looking for.

  • #9
    Regular Coder
    Join Date
    Sep 2011
    Posts
    366
    Thanks
    39
    Thanked 0 Times in 0 Posts
    By the way, I want your opinion: even if I don't do it, is it a security problem? Normally, I have not granted the folder to be accessed as Public, and the users can't go to the folder. I have also made a function so that an image which has the same name is refused, so the user will have to change the image name.

  • #10
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Since you'll need to use a database or some method of tracking the image hash to the path, you can also assign "ownership" to someone and base your security around your authentication. I don't see a purpose of this if that is the case though; my assumption was that the file is to be available to anyone with the name. As for naming, it will be irrelevant since you can change the name to anything you want.
    Security wise, make sure any uploaded file is not in a published directory; move it above your web root.
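
The approach from posts #8 and #10 (a random key mapped to a file kept above the web root, served through image.php behind a rewrite), as an added example that is not code from any poster in this thread. The paths, the SQLite table and the function names are assumptions chosen for illustration.

```php
<?php
// Added example. Assumed (hypothetical) layout: this file is image.php inside the
// web root; uploads and the token map live in /var/www/site/storage, outside it.
// Apache rewrite so /<token> reaches this script (.htaccess in the web root):
//   RewriteEngine On
//   RewriteRule ^([a-f0-9]{32})$ image.php?id=$1 [L]
const STORAGE_DIR   = '/var/www/site/storage';
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

function db(): PDO {
    $pdo = new PDO('sqlite:' . STORAGE_DIR . '/images.sqlite');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS images (token TEXT PRIMARY KEY, file TEXT NOT NULL)');
    return $pdo;
}

// Called by the upload handler with $_FILES[...]['tmp_name']; returns the public token.
function registerUpload(string $tmpPath): string {
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);   // sniff content, ignore client name
    if (!in_array($type, ALLOWED_TYPES, true)) {
        throw new RuntimeException('Not an accepted image type');
    }
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, 32 hex chars
    if (!move_uploaded_file($tmpPath, STORAGE_DIR . '/' . $token)) {
        throw new RuntimeException('Could not store upload');
    }
    db()->prepare('INSERT INTO images (token, file) VALUES (?, ?)')->execute([$token, $token]);
    return $token;
}

function serveImage(string $id): void {
    // Accept only the exact token shape; the request value is never used as a path.
    if (!preg_match('/\A[a-f0-9]{32}\z/', $id)) { http_response_code(404); return; }
    $stmt = db()->prepare('SELECT file FROM images WHERE token = ?');
    $stmt->execute([$id]);
    $file = $stmt->fetchColumn();
    $path = $file === false ? false : realpath(STORAGE_DIR . '/' . $file);
    if ($path === false || dirname($path) !== realpath(STORAGE_DIR)) { http_response_code(404); return; }
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($type, ALLOWED_TYPES, true)) { http_response_code(404); return; }
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');   // browser must not reinterpret the bytes
    readfile($path);
}

// Serve only when requested directly, not when included by the upload handler.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    serveImage(is_string($_GET['id'] ?? null) ? $_GET['id'] : '');
}
```

The token only hides the storage layout; anyone holding the link can still fetch the image, so per-user access has to come from the authentication check post #10 mentions.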

  • #11
    Regular Coder
    Join Date
    Sep 2011
    Posts
    366
    Thanks
    39
    Thanked 0 Times in 0 Posts
    I think I will leave it like this... I mean I will not put any type of hiding features for the link.

