Develop Reference

Protect image directory

I`m looking for some solution which will make my directory with pictures secured.
In my page only Administrator have permission to upload the pictures. User have opportunity only to view a picture for products. I want to make directory more secured. I want to make it difficult to download all pictures from some kind of scripts.
For now I tried with .htpaccess and .htpasswd it work fine but when User trying to see the product page(where are available pictures form secured folder) htpaccess is requiring a username and password.
Is it possible to enter username and password to this directory from server side when user is watching the product page. And in case that he open a link of the picture in new window then user name and password is required?
Do you know some other solutions?
Cheers

Don't store the images in your web folder where everyone can access them. Instead, store them outside of the web path (for example in app/data or so) and use a symfony controller to deliver them. This way you can use the symfony security component.

In addition to good answer by #Pierre, you can use a filesystem abstraction layer. I'd recommend using Gaufrette. To integrate it with Symfony, you could use KnpGaufretteBundle.
It will give you way more flexibility as
using external filesystems (ex. Amazon S3, FTP, sFTP)
use Symfony Security component or ACL.
Everything depends on your need and your approach in the project. However, if you need some flexibility, I'd recommend try it out.

Saving images from a website and accessing it from another website

I have created a website let's name it a.com. Now in this website (a.com) the users can upload an image that gets saved to a folder on remote server and the path is getting saved to database.
There is a second website (b.com) which has been hosted on the same server where the image needs to be retrieved.
Can we do this? If yes then please suggest some solution
Language Used = Asp.net 4.0 C#
Backend = SQL2008

It cane be done, if both website can access the remote folder. You need to use something like System.Net.WebClient to download image from remote server.

Since your using SQL and .Net im going to assume your using IIS aswell,
Creating a Virtual directory is probably your best bet, Easy to setup, easy to manage and Extremely handy to understand (if not vital)
http://www.iis.net/learn/get-started/planning-your-iis-architecture/understanding-sites-applications-and-virtual-directories-on-iis
This is assuming you want to display the image in b.com, if you simply want to retrieve it you can do so by retrieving the path and using the image in any other way, you may need to set permissions on the image folder.

first of all both sites should use the same database to share information about images.
If I understand correctly b.com and the files are on the same server. If so put folder's virtual path to configuration.
After that, check database for new records. If found one, parse the name of the file and find it on the server.
As an example you get an image on a.com and insert it on database as
name="image.jpg"
b.com checks database for new records and finds image.jpg.
b.com reads configuration and finds
path="http://c.com/"
combines path and imagename
fulllink="http://c.com/image.jpg"

Where to store images for albums?

I am creating a module of my website where I can display images in "albums", much like facebook.
For storing/grouping images, I planned on having them in the ~/Images folder inside my application's structure. Is this considered bad practice, or will it open up my application to any security vulnerabilities? I read that you shouldn't place things like this in your site structure, but I don't quite understand why (or if this is the same scenario).
Therefore, albums would be grouped as...
~/Images/album1, ~/Images/album2, etc.
Is this an appropriate thing to put inside App_Data, or is there a more 'preferred' location for things such as this?
Sorry if this is a trivial question.

All three of the answers here are good. There is no preferred storage for uploaded images, it's all up to you based on your requirements.
As Henhealg says, don't store them in App_Data. If you put them here, they will not be accessible from the web. For example, the following would not render an image even if the path was correct:
<img src="/App_Data/album1/image1.png" alt="" />
One option is to have your local ~/Albums directory mapped to a different folder accessible to the web server, like sylon says. This keeps the images out of the directory where your MVC app is served from, but "pretends" that they are there. If you control IIS and can set up a file share, this may be an option for you.
Also, like XToro says, storing them in a SQL database is an option. Storing here is flexible because you don't have to worry about folder or file name collisions. Multiple users can each have albums and files with the same names, yet they won't collide because they don't occupy filesystem space the same way normal files do. If security is important to your app (not showing photos or albums to unauthorized users), having them in a SQL table makes this fairly easy.
However if you are not as worried about security or file naming collisions, you can just as easily store them in your MVC app's ~/Images or ~/Albums directory.

Depending on the performance of your server, you may want to consider storing your images into a database using BLOB
https://dev.mysql.com/doc/refman/5.0/en/blob.html
Images can be easily sorted, organized, categorized without the need to worry about folder structures and folder permissions. Simply use your PHP/AJAX/language of your choice to provide the authentication and choose which files you wish to display.
This way, each image can have it's own fields (as many as you want) like the user who posted it, the original filename, a caption, the album it belongs in etc etc

Since you can easily as a user check where the images are stored once the application is in production, where you store the images does not matter as much as what permissions you set to the folder(s) that the images are stored in.

I would use file system as you are saying but store it outside of the application folder as you are saying it is bad practice. I agree with this - when i do deployments I prefer to delete everything and drop in the new code and keep the web.config file that way I always have a clean environment and it is much easier to get started from scratch without having to worry about what I need to back up or bring from previous install.
I would use IIS to map the directory into my solution wherever I desire from a network share storage or whereever you want to safely keep your albums.
e.g. D:\MySafeStorage\Albums\ map to your website's ~\Albums\ when your website is in C:\inetpub\MyWebSite\

In which folder can I store user uploaded images

I've a classified ads system on ASP.NET/c#/MS SQL, and I'm trying to figure out where to store the images that people upload when placing an ad. The ad itself is being stored in a SQL server database.
The images are now being stored in a subfolder of my webapp. It seems to work fine, however I only recently discovered a big problem. Everytime a user deletes an ad, the attached images are to be deleted as well including the folder they reside in. This leads to a restart of the asp.net application. I searched internet and found that restarting the web-app is actually intended behaviour when a subfolder is being deleted.
Obviously, I need to fix this. But how to do that? Where can I store images in such a way that:
I can remove these images including the folders they are stored in?
I can acces them using a URL (the images need to be shown in the
webpages)
Without getting the web-app being
restarted?
Any feedback is appreciated!
Paul

See this question Deleting a directory results in application restart
An other alternative would be to store the images in the DB instead.

Another option would be to put the images in a directory completely unrelated to the web site then serve the images through a scripted page or handler. It would make all of your image urls look like mydomaincom/serveimage.aspx?imageid=323422, but unless you're counting on the name somewhere that really shouldn't matter much. Obviously it would require a modification to the page that serves the images in the first place as well, but if sub directories of this unrelated directory are deleted IIS really shouldn't care at all.

maybe you can store the images in SQL (check at the filestream feature in this case)
if not, I suppose you have somewhere in a business facade class, a service class or wherever you want, a methode "DeleteAd".
This method will have to do two things :
-delete the sql data
-delete the file image
also, you may change the image store to another folder, outside the web app. You will probably end with writing a custom handler (myhandler.ashx?fileid=XX) to serve the files, or a custom route and control if you use MVC.

Flash uploader and ASP.net MVC

I have a flash upload component I want to use to upload multiple files. I'm using it in a MVC app and what I want to happen is that the user picks the files they want to upload, it uploads them and then displays a page showing all the files they have uploaded so they can add a description and select where to save them, and then save the files.
At the moment when files are uploaded the flash component calls a controller to process the files, this bit works fine, I can get the uploaded files and do what I like with them. The problem is is that I cannot just redirect to a View once the controllers done its work, because its the flash component calling the controller, not the page and so nothing happens when you try and do that.
I had attempted to save the files in the session and then forward the user on completion of the upload using some code in the flash actionscript, this however does not work, the session always turns up null. I had also considered actually saving the files to a temp location and then on the displaying page just listing all files in the temp location, but this is then going to involve saving the files twice, once to the temp directory and then to the actual place the user wants to put them, which I assume will be slow.
Any thoughts on the best way to do this?

Is your site using cookie based authentication? If so then the flash uploader needs to include the authentication cookie when uploading otherwise the upload will be seen as coming from a new user - this would explain your null values in the session state. If you are unable to get flash to post the cookie then you'll have to identify the user within the upload URL.
You should keep session state to a minimum or even better not use is at all so storing large amounts of data such as images in it is a bad idea.
With our applications we save all uploaded files to the database and then give them a unique Guid that is then used to retrieved/display them later. Within the database images could be associated with a user and in your case be marked as just uploaded so that when you redirect the user to the additional information page you know which images to display.
but this is then going to involve
saving the files twice, once to the
temp directory and then to the actual
place the user wants to put them
In relation to where the files are saved on the server you should not be allowing the user to determine where the files are saved.