Upload locations inside the web root are very common so unless there’s a specific reason you need to hide the path then general images would be fine there. It’s also worth noting that profile avatar URL’s on this forum don’t give away the image location (you can still save the image though!).
The only time I’d store data above the root is if the files were somehow sensitive, such as documents that require payment (eg so you can’t access them via a URL)
I think some of the fear of leaving uploaded photos in the web root, is that a hacker could upload an “image” that is executable in some way, and if it is left in the web root, then a hacker could upload a nefarious image, and then execute it.
Yes, that’s most likely where the image.php script pulls in the image behind the scenes and applies the profile link dynamically without giving the image location away.
Possibly if there’s a vulnerability in a script, but it’s worth remembering hackers can get in in many other ways, the clever ones will probably be able to access folders above the root as well.
My 2c has always been upload the file, store it in a non-accessible temp path and keep the backing copy in the database. Cache out to disk from the DB on a separate, non-server-side-enabled host, to avoid that overhead of serving files out the db. This is more secure (no real hole for someone to upload and execute a malicious file) and more easily transportable (just a database backup, not a database backup + files).
Sure there are other ways to get in but having the ability to upload files to a predictable location makes a lot of very dangerous attacks interesting or possible.
Typically you need to store a file somewhere temporarily while things are processed – the place to do that is a non-web accessible temporary path of some sort. More power if you can keep it in memory and never touch the disk.
Backing copy means the master copy of the file, the one you backup, the one you can recreate any artifacts from if need be.
The reason I suggest caching the files out on disk (or a real CDN) is that serving files out of the database can be a brutal performance issue, even at small scales so it is best to architect around that.
How hard would it be for a mere mortal like to to code such a solution? :-/
It sounds really, really complicated and like it would be over my head…
If I understand what you are saying, when a user uploads a profile picture, I would store it in the database, and then when some other user visits said member’s profile, my code would retrieve the profile picture from the database and write it to another server - or at least a location outside of the Web Root - to some “file server caching location”.
That way, there would only be a database hit once, and any further profile picture requests for said member would be fulfilled by the “file server caching location” - which is some secure, not easily hacked area - instead of beating up my poor database.
This isn’t really particularly difficult to build – you just separate the ingest and egress parts of the upload and image serving process. You did pick up the gist of it.