1

We upload users' avatars with their primary key as the name. Avatar names are 1.jpg, 2.jpg, 3.jpg, ... according to their primary key.
We implemented this to omit the avatar field from the database; instead, we use their primary key to access their photos.
Is it vulnerable, or am I just too sensitive about it?

Alireza

1 Answer

1

Assuming (a) primary key isn't a secret in any way and (b) primary key is limited to filename-safe characters (which looks to be the case here as it's numeric), yeah, that's fine.

Naturally there are other security concerns with the content of user-uploaded images as outlined in previous questions.

The only other potential gotcha I can think of if you're moving this from a database BLOB implementation is that the database may be transaction-safe but the filesystem won't be. But as long as your application doesn't fall over when there's an avatar file missing that shouldn't be an issue.

bobince
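The two conditions in the answer above, as an added example that is not code from either poster: the filename is built only from a validated numeric primary key, and a missing avatar file falls back to a default image instead of failing. The function names, `DEFAULT_AVATAR`, and the 18-digit length limit are assumptions.

```python
import tempfile
from pathlib import Path

DEFAULT_AVATAR = "default.jpg"  # hypothetical placeholder image name


def parse_user_id(raw):
    """Parse an ID taken from a request string, accepting ASCII digits only."""
    # isdigit() alone accepts non-ASCII digits; the length cap is an assumption.
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 18:
        raise ValueError("not a numeric primary key")
    return int(raw)


def avatar_filename(user_id):
    """Return '<id>.jpg' only for a positive integer primary key."""
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise ValueError("primary key must be an integer")
    if user_id <= 0:
        raise ValueError("primary key must be positive")
    return f"{user_id}.jpg"


def resolve_avatar(avatar_dir, raw_id):
    """Return the path to serve: the user's avatar, or the default if missing."""
    base = Path(avatar_dir).resolve()
    candidate = base / avatar_filename(parse_user_id(raw_id))
    # The filesystem is not transactional with the database, so a user row
    # can exist without a file; fall back rather than raising.
    if candidate.is_file():
        return candidate
    return base / DEFAULT_AVATAR


def demo():
    """Exercise the checks against a constructed temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "1.jpg").write_bytes(b"constructed sample bytes")
        (Path(d) / DEFAULT_AVATAR).write_bytes(b"constructed default")
        found = resolve_avatar(d, "1").name      # file exists
        missing = resolve_avatar(d, "2").name    # row without a file
        try:
            resolve_avatar(d, "../1")            # not filename-safe
            rejected = False
        except ValueError:
            rejected = True
        return found, missing, rejected
```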