PHP - Question about uploading & uploaded image file

I have read the following tutorial "Uploading Files To the Server Using PHP" and have several questions related to the topics.

Q1> The tutorial mentions that

"Note that PHP must have write access to $uploadDir or else the upload will fail"

For me, I only allow the user to upload the file after the user has login to the website. If we set that $uploadDir permission as 777, then everyone can have written permission to that folder. How to avoid this problems?

Also I am using WAMP as my testing bed, can I simulate the same case as a real web server?

Q2> In order to prevent Preventing direct access, the tutorial mentions:

"A better approach is to move the upload directory away from your web root. For example, the web root for this site is: /home/arman198/public_html/ to prevent direct listing i can set the upload directory to /home/arman198/upload/."

Now my problem is that how can I display t开发者_如何转开发he uploaded images on other website pages. Since, the upload is not accessible directly anymore? I need to display the uploaded image save personal headshot dynamically on other website page. Is it possible?

Thank you

---

It's a common problem.

All modern computers have a temporary files directory. On Linux/Unix it's /tmp, on Windows it's usually c:\temp. The OS install will have set permissions on that directory so that anyone can write files there but only privileged users can delete files that don't belong to them. This is where PHP will want to put an uploaded file; your application then has to move it elsewhere (this is the purpose of the move_uploaded_file() function). PHP under Windows may need upload_tmp_dir actually set in the php.ini file.

Once you have an uploaded file, you can shift it whereever you like, including to where the webserver can read it to serve it. The biggest problem with that it is awfully easy to put this directory inside your codebase. Don't do that. As soon as you do anything beyond editing the files inside the directory they are served from, it will be problematic. Trust me: I've dealt with a few times this in code I've inherited. It's easy to let your webserver load files from a location outside your codebase.

The other alternative is to produce a download script. That way the file need not be servable by the webserver at all. One disadvantage is that you don't get to leverage the web server's MIME translation, but then, that lets you control which types of image files are permitted.

---

For the second question, you can use a PHP script intead of direct access to the directory. Lets name it image.php. Lets assume that it can take a parameter id, like image.php?id=image_id. In that file you can get the id using superglobal array $_GET. Then you can search for images with that Id and just send it as response.

First one I'm not sure, but maybe play with .htaccess file.

---

And for the first question, try setting your permissions to 775. That should allow PHP to write the file to the directory without giving the general public write access.