Page 1 of 1

secure folder access defined by User_ID

Posted: Wed Sep 28, 2011 6:13 am
by thechinmaster
I would like to create user specific folders on my server to stash images and pdfs specific to the user. I have created a secure login area, is there a way that i can give permission to extract files from those folders based on the user_id tags that have already been created during the login process? The method would need to be as secure as possible... I have read that uploading files into mysql is very bandwidth intensive and the images would need to be reasonably high resolution.

Please can someone give me some step by step advice?

Thanks

Re: secure folder access defined by User_ID

Posted: Wed Sep 28, 2011 6:39 am
by Celauran
You could use the __DIR__ constant to return the current directory path, compare it against the ID of the user currently logged in, and redirect if they don't match.

Re: secure folder access defined by User_ID

Posted: Wed Sep 28, 2011 6:23 pm
by thechinmaster
Thanks for the reply, what would be the best way to code this? I gather i could protect the page based on user/group authentication cookie that is already set during the login process, but have never used the _DIR_ constant before, and am pretty new to PHP. I've done some googling but cant find anything specific enough. Thanks again (pleaes point me to a link if i have missed a blindingly obvious tutorial!!)

Re: secure folder access defined by User_ID

Posted: Wed Sep 28, 2011 6:35 pm
by Celauran
There are surely better ways of doing this, but it should suffice to give you an idea of what I meant.

Code: Select all

<?php

$dir = __DIR__;

// Strip off parent directories
while (stripos($dir, DIRECTORY_SEPARATOR) !== FALSE)
{
    $dir = substr($dir, stripos($dir, DIRECTORY_SEPARATOR) + 1);
}

if ($dir !== $user->id)
{
    header("Location: foo");
}

?>

Re: secure folder access defined by User_ID

Posted: Wed Sep 28, 2011 9:23 pm
by thechinmaster
excellent, thanks very much. This forum rocks - have tried a few others but generally users are to arrogant to help a newbie, cheers!

Re: secure folder access defined by User_ID

Posted: Wed Sep 28, 2011 11:37 pm
by flying_circus
Celauran wrote:There are surely better ways of doing this, but it should suffice to give you an idea of what I meant.
I hate it too, but I'm killing time. :)

Code: Select all

<?php
  if (array_shift(explode(DIRECTORY_SEPARATOR, __DIR__)) !== $user->id) {
    header("Location: foo");
    exit;
  }
?>

Re: secure folder access defined by User_ID

Posted: Fri Sep 30, 2011 8:26 am
by thechinmaster
ok, thanks for this. have been trying to get it to work but may need some clearer instructions please?

I would like to use a link within a drop down menu to access a file that is saved on the server. i have User_ID set as the first column of my users table within mysql, and for example:

user 0001 has a folder named 0001 saved within server. Contained in that file is abc.pdf.

How would I script a link to download that file, so that only user 0001 can access the file?

Thanks in advance

Re: secure folder access defined by User_ID

Posted: Fri Sep 30, 2011 8:36 am
by Celauran
You can use is_dir() to check if the directory exists. How do you want to handle directories with multiple files?

Re: secure folder access defined by User_ID

Posted: Sat Oct 01, 2011 8:57 pm
by thechinmaster
As I said I am very new to PHP and am finding this whole issue to be a bit confusing. User directories will contain mixtures of pdf, jpeg and png files.

For security, can I create user folders named by User_ID (ie. users/user0001/) above the public_html folder, and is there an easy way to call that information using PHP?

So, if I want to allow user0001 to download the file "/users/user0001/123.pdf" how can I script this, bearing in mind that I want to use the same script for multiple User_ID's?

Hopefully this makes sense! If possible please please give me the absolute 'idiot proof guide'

Re: secure folder access defined by User_ID

Posted: Sun Oct 02, 2011 7:33 pm
by flying_circus
To field your original question about storing files in the database, don't. Store the file on the disk and the path to the file in the database.

I would create at least 3 tables in my database: Users, Files, and User's Files

It sounds like you already have the user table handled, this is the one you use to store your user credentials for login.

Next, in the files table, you'll want to store a unique id/index, file name, extension, optionally file path, and any other type of information such as mime type, size, creation date, etc. Store the file on the hard disk, rename the file to the unique_id (above) and strip the extension.

Then your User's Files table will have 2 fields, user_id and file_id, and you can create many-to-many relationships.

When a user wants to get a file, you will use PHP to serve the file:

Code: Select all

<?php
# Serve File
                    header("Content-Description: File Transfer");
                    header("Content-Type: {$file['file_type']}");
                    header("Content-Length: {$file['file_size']}");

                  // to open in browser - Serves in Browser
                    //header("Content-Disposition: inline; filename={$file['file_name']}");
                    
                  // to download
                    header("Content-Disposition: attachment; filename={$file['file_name']}");
                    readfile(UPLOADS . "/{$file['file_uuid']}"); /* or use include($file); */
?>
This isnt a complete solution but hopefully it gets you started.

Re: secure folder access defined by User_ID

Posted: Tue Oct 04, 2011 5:04 am
by thechinmaster
thanks very much... exactly the info that I was looking for. Just one more thing, if I have my files stored on disk how can they be stored outside of the public_html folder to prevent direct linking to the file? My server allows me to create folders outside of the public_html folder, but how would I call the file using your method above? (or to put it a diffferent way, do I need to specify 'public_html/secureuser/blah/blah' if i use the method you have suggested?

cheers

Re: secure folder access defined by User_ID

Posted: Tue Oct 04, 2011 12:10 pm
by flying_circus
thechinmaster wrote:thanks very much... exactly the info that I was looking for. Just one more thing, if I have my files stored on disk how can they be stored outside of the public_html folder to prevent direct linking to the file? My server allows me to create folders outside of the public_html folder, but how would I call the file using your method above? (or to put it a diffferent way, do I need to specify 'public_html/secureuser/blah/blah' if i use the method you have suggested?

cheers
If you create index.php in the root of your public_html folder, you can find the path to the current working file by doing something like:

Code: Select all

<?php
  print dirname(__FILE__);
?>
I usually just define some constants in my script

Code: Select all

<?php
  define('DS', DIRECTORY_SEPARATOR);
  define('WEB_ROOT'), dirname(__FILE__) . DS; // path/to/public_html/
  define('PRIVATE', dirname(WEB_ROOT) . DS); // path/to/public_html/../
  define('UPLOADS', PRIVATE . "uploads" . DS); // path/to/public_html/../uploads

  # Path to private file on disk:
    /*  ... code ...*/
    readfile(UPLOADS . "{$file['file_uuid']}");
    /*  ... code ...*/

  
?>

Re: secure folder access defined by User_ID

Posted: Tue Oct 11, 2011 2:56 am
by thechinmaster
excellent - thanks again. problem sorted!