
Chron's avatar

Where should I put images like background images, icons, etc?

What about images that are user-uploaded?

Is it safe to put all of them inside /public/images?

0 likes
4 replies
MohamedTammam's avatar

Website images go in the public directory.

If they are dynamic (user uploads in general), they should be in storage/app/public if they're publicly available. Otherwise, they should be in storage/app/*.

PS: I'm assuming that you're uploading images on the server and not using a cloud service like AWS S3.

1 like
Snapey's avatar

If they are part of your code base, put them in a folder off /public.

If they are not part of your code, and are uploaded by users or fetched dynamically, they should be in storage/app.

Basically what @mohamedtammam said, but reinforcing the rule about the image being part of your code or not.

3 likes
Chron's avatar

Thank you so much! Now, I'm more enlightened! :D

martinbean's avatar

> Is it safe to put all of them inside /public/images?

@chron No. Files uploaded by users should never be directly accessible. If a user uploads a malicious file that allows them to run code, and you just store it in the public directory, then they now have the ability to run code on your server. This is obviously a security vulnerability.

You should store uploaded images outside of any publicly-accessible directories and then process them on the server (i.e. create an appropriately-sized thumbnail). If a user uploads a 4 MB image, but you only need to show it in an element that's, say, 400 pixels wide, then it's just wasteful to download a large image that isn't going to be shown anywhere near its full size.

1 like
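
An added example, not part of the thread and not any poster's code, of the approach described in the reply above: keep the upload on a disk outside the web root, re-encode it into a 400-pixel-wide thumbnail, and serve only that through a controller. The controller, field and directory names are hypothetical, and it assumes the default `local` disk and a GD build with JPEG, PNG and WebP support.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;

// Hypothetical controller: class, field and directory names are assumptions.
class UploadedImageController extends Controller
{
    public function store(Request $request)
    {
        // Accept only small raster images ("max" is in kilobytes).
        $request->validate([
            'image' => ['required', 'file', 'mimes:jpg,png,webp', 'max:4096'],
        ]);

        $disk = Storage::disk('local'); // under storage/app, never web-served
        // store() picks a random file name, so the client-supplied name is unused.
        $original = $request->file('image')->store('uploads/originals', 'local');

        // Decode and re-encode with GD: a file that is not really an image
        // fails here, and only bytes produced by the server are served later.
        $source = @imagecreatefromstring($disk->get($original));
        if ($source === false) {
            $disk->delete($original);
            abort(422, 'The file is not a readable image.');
        }

        $thumb = imagescale($source, min(400, imagesx($source))); // never upscale
        ob_start();
        imagejpeg($thumb, null, 85); // null target writes to the output buffer
        $id = (string) Str::uuid();
        $disk->put("uploads/thumbs/{$id}.jpg", ob_get_clean());

        return response()->json(['thumbnail' => $id], 201);
    }

    // Served through PHP as data with a fixed type; nothing in the upload
    // directory is reachable by URL, so the web server cannot execute it.
    public function show(string $id)
    {
        $path = "uploads/thumbs/{$id}.jpg";
        abort_unless(Str::isUuid($id) && Storage::disk('local')->exists($path), 404);

        return Storage::disk('local')->response($path, null, [
            'Content-Type' => 'image/jpeg',
            'X-Content-Type-Options' => 'nosniff',
        ]);
    }
}
```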
