A security-focused PHP image gallery and image board application built with PHP 8.1+, MySQL, moderation tooling, duplicate image detection, age-restricted content controls, administrative security tools, and a background maintenance server.
This project is designed for practical real-world deployment, with a strong emphasis on security, maintainability, and operational control.
PHP Image Gallery provides a complete image-sharing platform with:
- User registration and authentication
- Public gallery browsing and pagination
- Image uploads with duplicate detection
- Favorites and up-voting
- Comment support
- Profile and avatar management
- Moderation workflows
- Administrative controls
- Request protection and security logging
- A CLI maintenance server for real-time housekeeping and maintenance state management
The project follows a defense-in-depth approach, combining application security, controlled uploads, rate limiting, administrative review tools, and a dedicated background process.
- User registration and login
- Secure password hashing and verification
- Change account e-mail
- Change account password
- User avatar uploads
- Profile management
- Birthday / age verification workflow for restricted content
- Favorites and voting support
- Image commenting
- Public image gallery
- Pagination
- Individual image pages
- Image metadata and interaction support
- Cached image delivery for improved responsiveness
Uploads are checked with multiple hashing methods to help detect exact duplicates and near-duplicates:
- aHash
- dHash
- pHash
This helps reduce spam, repeated uploads, and low-value duplicate content while still allowing moderator review before final action.
- Moderation dashboard
- Pending image review queue
- Duplicate comparison workflow
- Approve / reject workflows
- Sensitive-content review support
- Rehash tooling for image maintenance
- Admin dashboard
- User management
- Site settings management
- Security log review
- Block list review and management
- Runtime maintenance controls
A dedicated CLI maintenance server is included to handle recurring housekeeping and runtime state:
- Expired session cleanup
- Request-guard counter cleanup
- Temporary block cleanup
- Old security log cleanup
- Expired image cache cleanup
- Heartbeat management for site availability
- Runtime maintenance mode control
- Interactive and command-line control through
serverctl.php
Security is a major focus of this project.
- Strong password hashing with Argon2id
- Hardened session handling
- Session timeout support
- Secure cookie settings
- Session regeneration for sensitive flows
- Device-aware session and request tracking support
- CSRF protection for state-changing actions
- Output escaping and input sanitization helpers
- Request validation across controllers
- Rate limiting and abuse controls
Uploads are validated with layered checks, including:
- File size validation
- Extension allowlists
- Server-side MIME detection
- Image validation
- Dangerous file rejection
- Hash generation for duplicate detection
- Controlled file storage paths
The request guard system helps reduce abuse through:
- Rate limiting
- Temporary deny / block behavior
- IP-aware enforcement
- Device fingerprint support
- Security event logging
- Administrative review tools
The project is structured to support stronger browser-side protections such as:
- Content Security Policy
- Clickjacking protection
- MIME sniffing protection
- Referrer policy controls
- Permissions policy controls
- Birthday-based age verification
- Restricted content handling
- Safer content delivery rules
- Moderator review for sensitive uploads
Minimum environment:
- PHP 8.1+
- MySQL / MariaDB
- PDO MySQL
- Fileinfo
- GD
- Imagick
Recommended:
- Linux-based hosting
- HTTPS-enabled web server
- Dedicated database user for the application
- Process supervision for the maintenance server
/config Configuration files
/controllers Application controllers
/core Core classes and security/runtime systems
/helpers Helper classes
/templates HTML templates
/assets CSS and JavaScript assets
/images/original Stored uploaded originals
/cache/images Generated image cache
/cache/templates Compiled template cache
/install Installer / updater
/server.php Background maintenance server
/serverctl.php Maintenance server control client
/index.php Main web entry point
Place the project in your web root or application directory.
Example:
unzip PHP-Image-Gallery.zip
mv PHP-Image-Gallery /var/www/html/php-image-galleryConfigure your web server so the application is served from the project directory and index.php is the public entry point.
Visit:
/install/index.php
The installer / updater is used to:
- Write
config/config.phpfromconfig/config.php.dist - Install the base database schema from
install/base_database.sql - Apply update SQL files when present
- Merge new config keys from future versions
Before continuing, make sure the installer checks pass:
- PHP 8.1+
- PDO MySQL
- Fileinfo
- GD
- Imagick
In the installer, complete the configuration and save it to:
/config/config.php
Important values to review:
- Database host
- Database name
- Database user
- Database password
- Timezone
- Site name
- Maintenance server settings
- Request guard settings
- Security settings
Make sure the following paths are writable by both your web server user and the CLI user that will run server.php:
/cache/images
/cache/templates
/images/original
Use the installer to install the base schema from:
/install/base_database.sql
It will also apply files in /updates when needed.
After installation is complete, remove or restrict installer access:
- Remove or block
/install - Remove or restrict installer-only access if you do not need updater access exposed
This is strongly recommended for production deployments.
Once installation is complete:
- Make sure
config/config.phpexists - Make sure the database is reachable
- Make sure writable directories are writable
- Make sure the maintenance server is running
Then browse to the site normally through your web server.
The project includes a background maintenance server that keeps housekeeping jobs running and refreshes the site heartbeat.
If maintenance server support is enabled in config/config.php, the public site can enter maintenance mode when the heartbeat is missing or stale.
From the project root:
php server.phpUseful options:
php server.php --interval=1
php server.php --onceThe maintenance server handles:
- Expired application session cleanup
- Request guard cleanup
- Security log cleanup
- Image cache cleanup
- Heartbeat updates
- Runtime maintenance state
- Local control socket commands
For production, run the server under a process manager such as:
- systemd
- supervisor
- tmux
- screen
This helps ensure the server automatically restarts after crashes or reboots.
Use serverctl.php to control the running maintenance server without restarting it.
php serverctl.php status
php serverctl.php pause
php serverctl.php resume
php serverctl.php run-cleanup-now
php serverctl.php maintenance-on
php serverctl.php maintenance-off
php serverctl.php set-verbose 1
php serverctl.php set-tick-interval 2
php serverctl.php set-log-retention-days 30php serverctl.php enable-job image_cache
php serverctl.php disable-job security_logs
php serverctl.php set-job sessions 1Run without a command:
php serverctl.phpThis opens an authenticated interactive shell for maintenance commands.
The maintenance control socket is intended for local use and should be reviewed carefully in config/config.php.
Important settings include:
maintenance_server.requiredmaintenance_server.heartbeat_timeout_secondsmaintenance_server.control.bind_addressmaintenance_server.control.portmaintenance_server.control.allowed_ipsmaintenance_server.control.auth_token
You should always replace the default control token with a long random secret before using the control socket.
A typical setup flow looks like this:
- Extract the project
- Open
/install/index.php - Save
config/config.php - Install the database schema
- Confirm writable cache and image folders
- Remove or restrict
/install - Start
php server.php - Verify with
php serverctl.php status - Open the site in your browser
- User uploads an image
- The system generates image hashes
- The upload is compared against existing records
- Potential duplicates are flagged
- Moderators review the match
- The image is approved, rejected, or handled as sensitive content
This combines automated detection with human review for better accuracy and fairness.
- Cleaner gallery browsing
- Better account safety
- Reduced duplicate spam
- Safer handling of restricted content
- Easier duplicate review
- Better enforcement visibility
- Cleaner approval and rejection workflows
- Better operational control
- Built-in security visibility
- Background cleanup outside page requests
- Live runtime maintenance control
Before going live, review all security-sensitive configuration values in config/config.php, especially:
- Database credentials
- Password hashing options
- Device fingerprint secret
- Maintenance control token
- Allowed maintenance control IPs
- Request guard thresholds
Also ensure:
- HTTPS is enabled
/installis restricted or removed- File permissions are correct
- The maintenance server starts automatically after reboot
This project is licensed under the GNU Affero General Public License v3.0 (AGPLv3).
See the LICENSE file for details.
- You may use, modify, and distribute this software under AGPLv3
- Contributions via pull requests are welcome
- You may not relicense it under a closed-source or proprietary license
- You may not copy parts of this project into a non-AGPL-compatible project
- Public server deployments must provide source code to users as required by AGPLv3