为了安全起见,使用php回声/打印jpg图像? [英] Echo/print a jpg-image with php, for safety?
问题描述
由于安全(检查用户是否已登录),我在显示图像时调用php文档。
Because of safety (check if user are logged in), I call a php-document when showing images.
<html>...
<img src="showImage.php?id=455" />
...</html>
showImage.php:
<?php...
if($_SESSION['user']){
//Get the src to the image
$_GET[$id] = mysql_real_escape_string($_GET['id']);
$result = mysql_query("
SELECT src
FROM Media
WHERE id = '".$_GET['id']."'
");
$data = mysql_fetch_assoc($resultat);
// Output the image
header('Content-Type: image/jpeg');
echo(file_get_contents("media/".$data['src']));
}
...?>
执行此操作时,我希望用户永远不会知道图像的直接网址,并在尝试时要显示图像,用户必须登录。
When doing this, I hope the user never will know the direct url to the image, and when trying to show an image, the user has to be logged in.
我不确定这是最好的方法。有没有更简单/更好的方法来做到这一点,这是安全的。当脚本回显时,它有点慢。
I'm not sure this is the best way. Is there a more simpler/better way of doing this, and is this safe. When the script is echoing, it's a bit slow.
- 我希望图像安全(只有登录用户才能访问图片)
- 我希望图片尽快显示
期待所有专家提示。
推荐答案
首先,不要用 file_get_contents 来读取文件code>,只有这样,回显其内容,你可以使用
readfile
:它将在一次调用中执行两个操作 - 这可能是最快的并且使用的内存少于:
First of all, instead of reading the file with file_get_contents
and, only then, echoing its content, you can use readfile
: it will do both operations in one call -- which will probably be fastest and use less memory than :
- 使用
file_get_only
- 将整个文件加载到内存中,然后将该内容发送到outout
然后,如果您只想识别可以访问图像,那么您没有太多选择:如果您识别机制基于PHP,你必须通过PHP来限制对文件的访问 - 这比使用Apache直接提供内容要慢一些。
Then, if you only want identified to have access to the images, you don't have much of a choice : if you indentification mecanism is based on PHP, you'll have to pass by PHP to restrict access on the file -- which, yes, will be a bit slower than if using Apache directly to serve the content.
另外:在这里,你说:
Also : here, you say :
我希望用户永远不会知道
直接网址到图像
I hope the user never will know the direct url to the image
读这个,我想你的图像可以通过Apache直接访问,绕过你的PHP脚本,如果有人知道他们的网址;默默无闻的安全性并不好。
Reading this, I suppose that your images can be accessed directly via Apache, bypassing your PHP script, if someone knows their URL ; security by obscurity is not good.
一个更好的解决方案,如果你不希望你的图像由Apache提供,那就是将它们放在Apache的目录中不会提供任何服务:
A better solution, if you don't want your images to be served by Apache would be to put them in a directory from where Apache will not serve anything :
- 您的文档根目录的子目录,受包含<$ c $的.htaccess文件保护c>拒绝所有
- 或不在您的文档根目录下的目录,因此,Apache永远不会提供服务。
无论哪种方式,这只能确保您的脚本只能访问文件,而不能直接访问Apache - 这意味着用户不会绕过脚本。
Either way, this ensure only your scripts can access the files, and not Apache directly -- which means not a user bypassing the script.
关于性能问题的另一个想法可能是指示浏览器它可以缓存你的图像 - 至少,如果这是有道理的。
Another idea, about the performance problem, might be to indicate the browser that it can cache your images -- at least, if that makes a sense.
例如,您可能会对HTTP标题感兴趣,例如Etag和/或Last-Modified。
For instance, you might be interested by HTTP-headers suchs as "Etag" and/or "Last-Modified".
这篇关于为了安全起见,使用php回声/打印jpg图像?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!