Hello,

I'm new to the PHP/MySQL world.
I found a really cool open source Photo Album on the Web... and I tried to install it on my Windows 2003/IIS6 server.
Everything went fine.

Now, I have one question.
Is it possible to run PHP code using a different user than the anonymous one (IUSR_<MACHINENAME>)?

Here's my problem.
The images used in my photo album are stored in a folder on my server hard drive. Inside the photo album, there's security management that can prevent users from accessing some images. However, to be able to create images, I had to give "MODIFY" access on my images folder. So, if users bypass the PHP code, they can access the images by just typing the complete URL in a browser. (big security hole in my opinion)

In ASP.NET, we don't have to give access to the IUSR user since the user "NETWORK SERVICE" is used for running all ASP.NET code.

I was wondering if there's something similar in PHP?

Thanks!
Pascal

    The solution is to store your images outside of the web root, so that they cannot be accessed directly using a URL.

    For example, if your web root is C:\InetPub\www\ then store your images in C:\InetPub\data

    Most gallery scripts will have a setting for where the images are stored separate to the gallery app.

    Adam
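
What serving images from outside the web root looks like in practice, as an added example that is not part of the original thread or the photo album's code. The script name `image.php`, the `file` parameter, the `user_id` session key and the `IMAGE_ACL` table are assumptions made for illustration; only the `C:\InetPub\data` folder comes from the answer above.

```php
<?php
// image.php: hypothetical gatekeeper script (added example, not the album's code).
// The images sit outside the web root, so this script is the only route to them.

const IMAGE_DIR = 'C:\\InetPub\\data';   // data folder from the answer above
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
// Constructed sample permissions (file name => user ids); a real album uses its database.
const IMAGE_ACL = ['holiday.jpg' => [1, 2], 'private.png' => [1]];

// Map a requested name to a real file inside IMAGE_DIR, or null.
function resolve_image(string $name): ?string
{
    $base = realpath(IMAGE_DIR);
    if ($base === false || $name === '') {
        return null;
    }
    // basename() strips directory parts; realpath() resolves links and "..".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still start with IMAGE_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncasecmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function deny(): void
{
    http_response_code(404);   // same response for "missing" and "not allowed"
    exit;
}

session_start();
$userId = $_SESSION['user_id'] ?? null;   // assumed to be set as an int at login
$name   = is_string($_GET['file'] ?? null) ? basename($_GET['file']) : '';
$path   = resolve_image($name);
if ($userId === null || $path === null
    || !in_array($userId, IMAGE_ACL[$name] ?? [], true)) {
    deny();
}
// Check the real content type (needs the fileinfo extension).
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($mime, ALLOWED_TYPES, true)) {
    deny();
}
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this layout the PHP process needs read access to the data folder, but IIS never maps a URL onto it, so every request has to pass the permission check first.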

      7 days later

      Great idea!

      However, I checked, and I cannot store my images outside of my web root... the photo album doesn't let me (I have a setting to change the gallery path... but it must be inside the photo album folder).

      I ended up removing the read right inside IIS for the gallery folder only.
      So the IUSR user has access to the whole Photo Album folder, but can't access files inside the Gallery folder directly using a URL since he doesn't have read access.

      Thanks for your help!

      Pascal
