In another thread of mine (i.e. PHP Security on Server), ScallioXTX suggested storing all files which members upload to a directory outside of the Web Root.
When I asked him how to do that, I expected it to be a simple response. But apparently, it is much more complicated than expected!!
So I have two questions:
1.) Assuming that I already have a rock-solid upload script which does about 15 checks to make sure that an uploaded picture is indeed an uploaded picture and nothing else, how much extra security do I achieve by placing the uploaded picture outside of my Web Root?
2.) If I chose that design, then how would I get a script inside of my Web Root (e.g. “profile.php”) to display a photo/thumbnail stored in a directory outside of the Web Root?
(I think he mentioned something about “streaming”…)
Thanks.
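
One way the "streaming" approach from question 2 can look, as an added example that is not part of the original post: a small script inside the Web Root reads the file from a directory outside it and sends the bytes to the browser, so `profile.php` would reference it as `<img src="image.php?id=42">`. The script name `image.php`, the `id` parameter, the `/var/www/uploads` path and the `<id>.img` naming scheme are all assumptions made for illustration.

```php
<?php
// image.php: added example, placed inside the web root.
// Every name and path below is an assumption, not taken from the thread.
declare(strict_types=1);

// Assumed layout: /var/www/html is the web root, uploads sit beside it.
const UPLOAD_DIR = '/var/www/uploads';

// Only these types are ever sent back, whatever the stored file claims to be.
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Map a numeric photo id to a path inside UPLOAD_DIR, or null.
 * The client never supplies a filename, so "../" sequences have nothing to act on.
 */
function resolve_upload(string $id): ?string
{
    if (!ctype_digit($id)) {
        return null;
    }
    // Assumption: the upload script saved the file as "<id>.img".
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $id . '.img');
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: after resolving symlinks the path must still be under UPLOAD_DIR.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// A real site would check here that the current user may view this photo.
$id   = $_GET['id'] ?? '';
$path = is_string($id) ? resolve_upload($id) : null;

// Detect the type from the file content (fileinfo extension), not from upload metadata.
$type = $path !== null ? (new finfo(FILEINFO_MIME_TYPE))->file($path) : false;
if ($path === null || !in_array($type, ALLOWED_TYPES, true)) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff'); // stop browsers from second-guessing the type
readfile($path);
```

Because the web server has no URL that maps to `/var/www/uploads`, a file that slipped past the upload checks cannot be requested directly and run as a script; it can only come back through this script as image bytes.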