Question

I have developed a script to upload & delete images. The images will be saved to a directory like webroot/images. The file names relating to each user's upload will be saved in the database when a publish button is clicked. Until then the images will be uploaded in order so that I can show a preview. All seems to work fine except a security vulnerability that allows users to delete other users' images. E.g.: any user can copy the file name of an image & inject it into the delete script. Is there any mechanism to prevent this issue?

Hope this explanation isn't boring, it's a little hard to explain.


Solution

In the database table that stores the image filenames, add a field for the user_id that owns the image.

When the delete action is invoked, look up in the table whether the currently logged-in user is associated with the image they are trying to delete. If the user_id in the table doesn't match the logged-in user, do not allow the delete.

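One way to implement the ownership check described in this answer, as an added example that is not code from the original post or from the asker's script: a small Python image store backed by sqlite3 that records the owning user_id at upload time and removes a file only when the database row matches the requesting user. The class name ImageStore, the ALLOWED_EXT set, the images table layout and the sample bytes are assumptions made for illustration.

```python
import os
import secrets
import sqlite3
import tempfile

# Assumed whitelist of image extensions; adjust to what the site serves.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


class ImageStore:
    """Per-user image storage with an ownership check on delete.

    Ownership is written at upload time, not only when the user clicks
    publish, so the check also protects images that are still previews.
    """

    def __init__(self, image_dir, db_path=":memory:"):
        self.image_dir = image_dir
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS images ("
            " filename TEXT PRIMARY KEY,"
            " user_id INTEGER NOT NULL,"
            " published INTEGER NOT NULL DEFAULT 0)"
        )

    def upload(self, user_id, original_name, data):
        ext = os.path.splitext(original_name)[1].lower()
        if ext not in ALLOWED_EXT:
            raise ValueError("unsupported file type")
        # Server-chosen, unguessable name: the client never controls the path.
        filename = secrets.token_hex(16) + ext
        with open(os.path.join(self.image_dir, filename), "wb") as fh:
            fh.write(data)
        self.db.execute(
            "INSERT INTO images (filename, user_id) VALUES (?, ?)",
            (filename, user_id),
        )
        self.db.commit()
        return filename

    def publish(self, user_id, filename):
        # Same ownership rule on publish: only the owner's row is flipped.
        cur = self.db.execute(
            "UPDATE images SET published = 1 WHERE filename = ? AND user_id = ?",
            (filename, user_id),
        )
        self.db.commit()
        return cur.rowcount == 1

    def delete(self, user_id, filename):
        # Accept only a bare file name: no separators, no "." or "..".
        if not filename or filename in (".", "..") or filename != os.path.basename(filename):
            return False
        # One statement both checks and removes: the row goes away only if it
        # belongs to user_id, so there is no check-then-act window.
        cur = self.db.execute(
            "DELETE FROM images WHERE filename = ? AND user_id = ?",
            (filename, user_id),
        )
        self.db.commit()
        if cur.rowcount != 1:
            # "Not yours" and "does not exist" get the same answer, so a user
            # cannot use the delete endpoint to probe other users' file names.
            return False
        try:
            os.remove(os.path.join(self.image_dir, filename))
        except FileNotFoundError:
            pass  # row already gone; a missing file is harmless here
        return True

    def exists(self, filename):
        return os.path.exists(os.path.join(self.image_dir, filename))


def demo():
    """Run the scenario from the question: one user tries to delete another's image."""
    store = ImageStore(tempfile.mkdtemp(prefix="images-"))
    alice, bob = 1, 2
    # Constructed sample bytes; not a real image.
    name = store.upload(alice, "cat.PNG", b"\x89PNG constructed sample")
    try:
        store.upload(bob, "shell.php", b"<?php ?>")
        bad_ext_rejected = False
    except ValueError:
        bad_ext_rejected = True
    return {
        "bad_ext_rejected": bad_ext_rejected,
        "bob_delete": store.delete(bob, name),          # False: Bob is not the owner
        "still_there": store.exists(name),              # True: file untouched
        "traversal": store.delete(alice, "../" + name), # False: not a bare name
        "alice_delete": store.delete(alice, name),      # True: owner may delete
        "gone": not store.exists(name),                 # True
        "delete_twice": store.delete(alice, name),      # False: no row left
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The points to carry over to the real script, whatever language it is in: record the owner when the file is uploaded rather than when it is published, otherwise preview images have no row to check against; make the ownership condition part of the DELETE itself instead of a separate SELECT; and never build the filesystem path from a client-supplied value without first reducing it to a bare file name.
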
OTHER TIPS

You have to change the file name of the image before uploading. A timestamp is best in this case. For security, while deleting an image you have to check whether or not the file is owned by the current user.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow