
I would like to build a multi user gallery using PHP


uhello


I am just now starting to plan an online gallery. I'm in the research phase right now, where I would like to gather whatever I might need to get it done. I'll describe what I am thinking and perhaps someone has pointers or constructive criticism on how I can organize myself.


This will be a multi user gallery. A user will simply be able to create an account and add or delete images to their gallery. I would like to avoid JavaScript if possible. The reason for that is that I do not need anything fancy in ways of display. In other words, I want my pages to be simple, flat and lean. Mostly HTML5 and PHP. The gallery will specialize in GIF and PNG images. The reason for this is the style of art I would like to represent. It looks best when images are not compressed unless it's lossless compression. In other words, there is no need for fancy graphics libraries.


I would like to keep images in the users' own folders. I don't want to encode images into a database, so I am not sure how a database would relate to the filesystem, except for user authentication.


I'm a programmer but not a web developer. It's not necessary to go over how to program, so I am asking mainly questions about how to organize the code. Perhaps how to organize them into modules. For example, I know I will be using MySQL, so how many databases do I need? Should I keep user tables together with whatever else I need, etc.? As I said, I just got a glimpse of web development.


I'm also looking for example code. Please don't throw a CMS at me. I said I was a programmer, but the last thing I want to do is take apart an already working system. The time to decipher something complete would be unnecessarily painful. I am looking for module like examples. I have seen hotscripts.com, which is a very nice website, but I'm not sure what I need from there.


There are many galleries on the web, but has anyone here ever done something like this? What recommendations do you have, what input do you have? Thank you in advance!


If part of the goal is to do this yourself, then I would recommend putting together a little design document where you list out all of your features and things like that.


For the database, you only need 1. It will hold all of the information for the entire application. You would have 1 table that lists all of the user profile data, and depending on what features you want maybe a table for the categories or albums that users create, a table for images, tables to link up the images to albums (if you want to allow 1 image in multiple albums), and things like that.


As far as programming, split each feature up into small pieces that are easier to handle. Everything can be broken down into pieces that are small and easy enough to handle individually, where they go together to make the application. For example, a single feature might be uploading an image and adding it to an album and you can split that up into first displaying the upload form, then getting the submitted data, then doing error-checking and validation on the data and the file, moving the file, resizing the image if necessary, etc. Each of those is a single step that you can research to accomplish the goal of uploading an image to an album. That's the kind of stuff you need to break down into pieces.


Feel free to ask about specific pieces that you're having problems with. When you're designing the part about users registering and logging in, you should use PHP's password hashing functions to save the passwords:


http://php.net/manual/en/book.password.php


The password_hash and password_verify functions are how you save passwords in a database and then check them later. Don't save them as plain text or use your own hashing algorithm; the built-in functions will do all of that. There's a discussion about using them here:


http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/


Otherwise, break your features down into individual problems and start going through the tutorials to see how to approach each of them individually, and ask if you have other questions.


Perfect, thank you for that. After posting my question I was busy googling and found an excellent starter PHP application. http://www.codingcage.com/2015/01/user-registration-and-login-script-using-php-mysql.html


I was wondering. The application is straightforward. I cut and pasted it to get a start and it works perfectly on my localhost. After a successful test login I was able to come to a plain control panel which has nothing since it was only an example.


My question about this relates to the previous post by 'justsomeguy'. There is mention of linking images to albums, etc. If I allow the user to do file uploads to a directory, can I keep the images separate from the database? In other words, I'm aware that a file in a directory is "not" a file in the database. Simple enough, and it might be good enough for me. Do I need to use the database for anything related to the files in a directory? Is there something with the authentication system that could represent some type of problem? Or am I simply using an authentication database then to allow access to the base filesystem (I ?think? that's what I want), right?


I would create a folder in the filesystem for each user and store the path to that folder in the database. It would be useful to base the folder name on the user's name, stripping out any characters that aren't letters, numbers or hyphens and making the name lowercase.

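An added example, not code from any poster in this thread, of the per-user folder scheme suggested above: derive a safe folder name from the username, record it in the database, and store each upload under a random filename with only its metadata in a database table. It assumes a PDO connection $db and two hypothetical tables, users(id, username, folder) and images(id, user_id, filename, uploaded_at); the gallery root path is also an assumption.

```php
<?php
// Added example, not from any poster. Assumes a PDO connection $db and hypothetical
// tables users(id, username, folder) and images(id, user_id, filename, uploaded_at).
const GALLERY_ROOT = __DIR__ . '/galleries';   // assumed path; keep it outside the web root

// Folder name from the username: lowercase, letters/digits/hyphens only. The user id is
// appended so the name is never empty and cannot collide with another user's folder.
function userFolderName(int $userId, string $username): string
{
    $base = strtolower(preg_replace('/[^a-z0-9-]+/i', '', $username));
    $base = trim($base, '-');
    return ($base === '' ? 'user' : $base) . '-' . $userId;
}

// Create the folder once and record its name in the users table.
function ensureUserFolder(PDO $db, int $userId, string $username): string
{
    $folder = userFolderName($userId, $username);
    $path = GALLERY_ROOT . '/' . $folder;
    if (!is_dir($path) && !mkdir($path, 0750, true)) {
        throw new RuntimeException('Could not create gallery folder');
    }
    $stmt = $db->prepare('UPDATE users SET folder = ? WHERE id = ?');
    $stmt->execute([$folder, $userId]);
    return $path;
}

// Accept one entry of $_FILES, keep only real GIF/PNG content, give the file a random
// name (the client-supplied name never touches disk) and record it in the images table.
function storeUpload(PDO $db, int $userId, string $userPath, array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // Inspect the actual bytes, not the client-supplied extension or MIME type.
    $info = getimagesize($file['tmp_name']) ?: [];
    $ext = ['image/gif' => 'gif', 'image/png' => 'png'][$info['mime'] ?? ''] ?? null;
    if ($ext === null) {
        throw new RuntimeException('Only GIF and PNG images are accepted');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $userPath . '/' . $name)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    $stmt = $db->prepare('INSERT INTO images (user_id, filename, uploaded_at) VALUES (?, ?, NOW())');
    $stmt->execute([$userId, $name]);
    return $name;
}
```

With the root outside the web root, a small PHP script that checks the logged-in user owns the row in images can serve the file with readfile(), so the folder layout is never exposed directly.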

Storing the actual binary image data in the database isn't the best in terms of efficiency. The web server is much faster just reading the image file from disk instead of from the database. It's typical to store only the filenames in the database and leave the files on disk. Other information that would go in the files table in the database other than the filename would be things like the user ID that it belongs to, maybe the date and time when it was uploaded, if you want them to have a caption or other description, etc. Storing the files on disk has its own implications; for example you might want to disallow direct access to the files and control access through PHP, or maybe just storing all of the images in a single directory or a per-user directory is enough for your needs.


You'll still want to use the database for things like separating files into albums and things like that. You do not want to build a folder and file structure where you name the folders after the albums, because you don't want user-supplied input going to the filesystem. Store the logical structure of your gallery in the database; the only thing you need to store on disk are the actual image files. All other data goes in the database.


Despite apparently being written last year, that authentication tutorial is virtually useless today. It uses techniques that were outdated over 12 years ago, and that code will not run in PHP 7 because it uses an ancient method of connecting to MySQL. The code is open to SQL injection attacks, which is still the #1 attack vector against websites, and he uses the single weakest method of password hashing (MD5). All in all, that kind of code would have been expected in the era of PHP 4 but today it's not worth it to learn what he's teaching.


Check the article above about saving and checking passwords, the password_hash function is decades ahead of using plain MD5 for password hashing. For accessing MySQL, if you find any tutorial that uses functions like mysql_connect or mysql_query, skip it and look for something else. Those functions are not included in PHP 7, and they have been deprecated for over 12 years. The modern way to connect to any database with PHP is to use PDO:


http://php.net/manual/en/book.pdo.php

http://codular.com/php-pdo-how-to


Pay special attention to the part about prepared statements; that's how you make your application immune to SQL injection attacks. You should never use data directly in a query like this:


$sql = "SELECT * FROM users WHERE username='" . $user . "'";

That is how SQL injection attacks happen. If you need to use data in a query then you use a prepared statement to first create the query, then pass the data to MySQL:


$statement = $db->prepare('SELECT * FROM users WHERE username = ?');
$statement->bindParam(1, $user);
$statement->execute(); // the bound value is sent separately from the SQL text

If you're just starting out with PHP, then do yourself a favor and ignore any tutorial using the mysql extension. Any database tutorial should use prepared statements with either mysqli or PDO. The old mysql extension is not supported in PHP 7.
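An added example, not code from any poster or from the linked tutorials, of registration and login done the way this thread recommends: password_hash and password_verify for the passwords, PDO prepared statements for every query. The DSN, credentials and the users table (id, username, password_hash) are placeholders.

```php
<?php
// Added example, not from any poster. Assumes a hypothetical users table with
// columns id, username and password_hash; DSN and credentials are placeholders.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=gallery;charset=utf8mb4', 'gallery', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

// Registration: the password itself is never stored, only password_hash() output.
function registerUser(PDO $db, string $username, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // The username is bound as a parameter, never concatenated into the SQL string.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
    return (int) $db->lastInsertId();
}

// Login: look the user up by name, then let password_verify() do the comparison.
// Returns the user id on success and null on failure; an unknown user and a wrong
// password give the same result so the response does not reveal which it was.
function loginUser(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // If PHP's default algorithm or cost has changed since this hash was made,
    // re-hash now, while the plaintext is available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}
```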

I was looking through the comments on that article, the same author actually has one using PDO and the modern password functions:


http://www.codingcage.com/2015/04/php-login-and-registration-script-with.html


Even so, it would still be a good idea to read the articles I posted above just so that you better understand what you're using and why and how it works.
