I have a question regarding the security of my new web zine. The
idea is that I have editors that can log into the site, and then upload
comics in the form of a jpg. The way that I have this set up right now
is that the jpg is submitted through a form and then placed into the
authors sub directory in public/comics/. The record of the jpg is
stored in a pendingcomics table in the database. The administrator has
to come in and authorize the comic, which moves the record from the
pendingcomics table over to the public_comics table so that it can be
viewed by the rest of the world.
Now the problem. Is this secure enough? What if one of my editors
forgets to log out and someone hi-jacks the account and posts a ton of
pron. Now its true that these are not immediately available to the
public, however, if someone knows the name of the files that were
uploaded, can they be retreived directly from the public/comics/id/
One possible solution I thought of was to rename the file uploaded
with random jibberish, and simply hide the image from the author untill
it is authorized. Please give your thoughts on this.
Thanks for any help.