secure folder access defined by User_ID

thechinmaster
Forum Newbie
Posts: 14
Joined: Thu Sep 15, 2011 7:21 pm

secure folder access defined by User_ID

Post by thechinmaster »

I would like to create user-specific folders on my server to stash images and PDFs specific to the user. I have created a secure login area; is there a way that I can give permission to extract files from those folders based on the user_id tags that have already been created during the login process? The method would need to be as secure as possible... I have read that uploading files into MySQL is very bandwidth intensive and the images would need to be reasonably high resolution.

Please can someone give me some step by step advice?

Thanks
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: secure folder access defined by User_ID

Post by Celauran »

You could use the __DIR__ constant to return the current directory path, compare it against the ID of the user currently logged in, and redirect if they don't match.
thechinmaster
Forum Newbie
Posts: 14
Joined: Thu Sep 15, 2011 7:21 pm

Re: secure folder access defined by User_ID

Post by thechinmaster »

Thanks for the reply, what would be the best way to code this? I gather I could protect the page based on user/group authentication cookie that is already set during the login process, but have never used the _DIR_ constant before, and am pretty new to PHP. I've done some googling but can't find anything specific enough. Thanks again (please point me to a link if I have missed a blindingly obvious tutorial!!)
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: secure folder access defined by User_ID

Post by Celauran »

There are surely better ways of doing this, but it should suffice to give you an idea of what I meant.

Code: Select all

<?php

$dir = __DIR__;

// Strip off parent directories
while (stripos($dir, DIRECTORY_SEPARATOR) !== FALSE)
{
    $dir = substr($dir, stripos($dir, DIRECTORY_SEPARATOR) + 1);
}

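// $user is assumed to be the logged-in user object created by the login code
if ($dir !== $user->id)
{
    header("Location: foo");
    exit; // stop here, otherwise the rest of the page is still sent after the redirect header
}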

?>
thechinmaster
Forum Newbie
Posts: 14
Joined: Thu Sep 15, 2011 7:21 pm

Re: secure folder access defined by User_ID

Post by thechinmaster »

Excellent, thanks very much. This forum rocks - have tried a few others but generally users are too arrogant to help a newbie, cheers!
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: secure folder access defined by User_ID

Post by flying_circus »

Celauran wrote: There are surely better ways of doing this, but it should suffice to give you an idea of what I meant.
I hate it too, but I'm killing time. :)

Code: Select all

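<?php
  // The last component of the current directory path is the folder name (the user id).
  // explode() goes into a variable first because array_pop() takes its argument by reference.
  $parts = explode(DIRECTORY_SEPARATOR, __DIR__);
  if (array_pop($parts) !== $user->id) {
    header("Location: foo");
    exit;
  }
?>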
thechinmaster
Forum Newbie
Posts: 14
Joined: Thu Sep 15, 2011 7:21 pm

Re: secure folder access defined by User_ID

Post by thechinmaster »

OK, thanks for this. Have been trying to get it to work but may need some clearer instructions please?

I would like to use a link within a drop down menu to access a file that is saved on the server. I have User_ID set as the first column of my users table within MySQL, and for example:

user 0001 has a folder named 0001 saved within server. Contained in that file is abc.pdf.

How would I script a link to download that file, so that only user 0001 can access the file?

Thanks in advance
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: secure folder access defined by User_ID

Post by Celauran »

You can use is_dir() to check if the directory exists. How do you want to handle directories with multiple files?
thechinmaster
Forum Newbie
Posts: 14
Joined: Thu Sep 15, 2011 7:21 pm

Re: secure folder access defined by User_ID

Post by thechinmaster »

As I said I am very new to PHP and am finding this whole issue to be a bit confusing. User directories will contain mixtures of pdf, jpeg and png files.

For security, can I create user folders named by User_ID (ie. users/user0001/) above the public_html folder, and is there an easy way to call that information using PHP?

So, if I want to allow user0001 to download the file "/users/user0001/123.pdf" how can I script this, bearing in mind that I want to use the same script for multiple User_ID's?

Hopefully this makes sense! If possible please please give me the absolute 'idiot proof guide'
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: secure folder access defined by User_ID

Post by flying_circus »

To field your original question about storing files in the database, don't. Store the file on the disk and the path to the file in the database.

I would create at least 3 tables in my database: Users, Files, and User's Files

It sounds like you already have the user table handled, this is the one you use to store your user credentials for login.

Next, in the files table, you'll want to store a unique id/index, file name, extension, optionally file path, and any other type of information such as mime type, size, creation date, etc. Store the file on the hard disk, rename the file to the unique_id (above) and strip the extension.

Then your User's Files table will have 2 fields, user_id and file_id, and you can create many-to-many relationships.

When a user wants to get a file, you will use PHP to serve the file:

Code: Select all

<?php
# Serve File
// $file is the row for the requested file, fetched from the files table
header("Content-Description: File Transfer");
header("Content-Type: {$file['file_type']}");
header("Content-Length: {$file['file_size']}");

// to open in browser - Serves in Browser
//header("Content-Disposition: inline; filename=\"{$file['file_name']}\"");

// to download (file name quoted so names containing spaces are kept whole)
header("Content-Disposition: attachment; filename=\"{$file['file_name']}\"");

// readfile() sends the bytes as-is; the stored file is never run as PHP
readfile(UPLOADS . "/{$file['file_uuid']}");
exit;
?>
This isn't a complete solution but hopefully it gets you started.
thechinmaster
Forum Newbie
Posts: 14
Joined: Thu Sep 15, 2011 7:21 pm

Re: secure folder access defined by User_ID

Post by thechinmaster »

Thanks very much... exactly the info that I was looking for. Just one more thing, if I have my files stored on disk how can they be stored outside of the public_html folder to prevent direct linking to the file? My server allows me to create folders outside of the public_html folder, but how would I call the file using your method above? (Or to put it a different way, do I need to specify 'public_html/secureuser/blah/blah' if I use the method you have suggested?)

cheers
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: secure folder access defined by User_ID

Post by flying_circus »

thechinmaster wrote: Thanks very much... exactly the info that I was looking for. Just one more thing, if I have my files stored on disk how can they be stored outside of the public_html folder to prevent direct linking to the file? My server allows me to create folders outside of the public_html folder, but how would I call the file using your method above? (Or to put it a different way, do I need to specify 'public_html/secureuser/blah/blah' if I use the method you have suggested?)

cheers
If you create index.php in the root of your public_html folder, you can find the path to the current working file by doing something like:

Code: Select all

<?php
  print dirname(__FILE__);
?>
I usually just define some constants in my script

Code: Select all

<?php
  define('DS', DIRECTORY_SEPARATOR);
  define('WEB_ROOT', dirname(__FILE__) . DS); // path/to/public_html/
  // "private" is a reserved word in PHP, so the constant is named PRIVATE_DIR
  define('PRIVATE_DIR', dirname(WEB_ROOT) . DS); // path/to/public_html/../
  define('UPLOADS', PRIVATE_DIR . "uploads" . DS); // path/to/public_html/../uploads/

  # Path to private file on disk:
    /*  ... code ...*/
    readfile(UPLOADS . "{$file['file_uuid']}");
    /*  ... code ...*/
?>
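
Added example (not part of any post in this thread, and not the posters' code): a single download script that combines the ownership lookup through the user/file link table with files kept outside public_html, as described in the posts above. The table and column names, the `$_SESSION['user_id']` key, the `id` query parameter and the PDO connection details are assumptions; it needs PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Lives at public_html/download.php.
// Assumed schema: files(file_id, file_uuid, file_name, file_type, file_size)
//                 user_files(user_id, file_id)
// uploads/ sits beside public_html, so no URL maps to it directly.
define('UPLOADS', dirname(__DIR__) . DIRECTORY_SEPARATOR . 'uploads' . DIRECTORY_SEPARATOR);

/** Return the file row only if it is linked to $userId, otherwise null. */
function find_user_file(PDO $db, string $userId, int $fileId): ?array
{
    $stmt = $db->prepare(
        'SELECT f.file_uuid, f.file_name, f.file_type
           FROM files f
           JOIN user_files uf ON uf.file_id = f.file_id
          WHERE uf.user_id = ? AND f.file_id = ?'
    );
    $stmt->execute([$userId, $fileId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start();
if (!isset($_SESSION['user_id'])) {   // assumed to be set by the login code
    http_response_code(403);
    exit('Not logged in');
}

// Placeholder DSN and credentials.
$db = new PDO('mysql:host=localhost;dbname=example', 'db_user', 'db_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// The user id comes from the session and the disk name from the database;
// the request only supplies a numeric file id.
$file = find_user_file($db, (string) $_SESSION['user_id'], (int) ($_GET['id'] ?? 0));
$path = $file ? UPLOADS . basename($file['file_uuid']) : null;
if ($path === null || !is_file($path)) {
    http_response_code(404);          // same reply for "missing" and "not yours"
    exit('File not found');
}

// Remove characters that could break out of the quoted header value.
$name = str_replace(['"', '\\', "\r", "\n"], '', $file['file_name']);
header('Content-Type: ' . $file['file_type']);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $name . '"');
readfile($path);
exit;
```

A link such as `download.php?id=42` then works for every user with the same script, and changing the number only ever reaches files linked to the logged-in user's own id.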
thechinmaster
Forum Newbie
Posts: 14
Joined: Thu Sep 15, 2011 7:21 pm

Re: secure folder access defined by User_ID

Post by thechinmaster »

Excellent - thanks again. Problem sorted!