encrypting an uploaded file - decrypting a downloaded file
Posted: Mon Jun 16, 2003 11:48 am
I have a web application that allows people to upload files to a central server and then for other people to download those files. The transfers happen over secure connections, but I'm trying to make it so that while the files are stored on the server, usually only a temporary thing, they are more secure as well.
I'll explain what I do, then I'll give the code.
First off I just have a simple form that has a select for whom you want to be able to access the file (who are you uploading for) and a file input where you tell the system what file you want to upload. Once you submit the form I store some info about the file in a MySQL database (size, type, name, owner, date uploaded), and then I do some work on the actual file. First I read its contents into a string variable. Then I do a base64_encode on that string (I've tried it with and without this step). Then I encrypt my string. Then I create a new file on the server and write my string out to it. All of this seems to work fine. The file is created and is of the correct size. I've commented out the encryption part and if I grab the file off of the server through FTP I can open it up just fine.
The download step is basically just the reverse of the upload. I grab the file off of the server and read its contents to a string. I decrypt it and then decode it. Then I set some headers and echo its contents to the screen so that it will download (or display, depending on its type). The error here occurs when I try to read the file to a string. I've tried it in small chunks and all at once, but I always get the same parse error about an unexpected T_STRING.
I'm really stuck on this one and can't seem to find any info on this sort of thing anywhere. Here are the pertinent code snippets that deal with the upload and encryption, then decryption and download.
upload:
Code:
<?php
$filetype = $file_type;
//read uploaded file contents to a string and then encode it
$in = fopen($file, "rb");
$file_data = fread($in, filesize($file));
fclose($in);
$file_data = base64_encode($file_data);
//encryption key
$key = "SomeKey";
//encrypt the string of data
$td = mcrypt_module_open('tripledes', '', 'ecb', '');
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
mcrypt_generic_init($td, $key, $iv);
$enc_data = mcrypt_generic($td, $file_data);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
//set path where we want to store the file and the name that we will be calling it
$filepath = "/home/www/mydomain/files/" . $select_user_id . "/" . $file_name . ".dat";
//create a new file and write our encrypted data to it
$enc_file = fopen($filepath, "wb");
fwrite($enc_file, $enc_data);
fclose($enc_file);
?>
download:
Code:
<?php
//location of file on the server
$filepath = "/home/www/mydomain/files/" . $user_id . "/" . $file_name . ".dat";
$key = "SomeKey";
//open the file for reading
$enc_file = fopen($filepath, "rb");
//check to see that the file was opened; if not, write out some info for debugging
if (!is_resource($enc_file))
{
    echo "error opening file";
    echo "<br /> $user_id";
    echo "<br /> $file_name";
}
else
{
    //write out file header information so that it downloads properly
    header("Content-type: $file_type");
    header("Content-length: $file_size");
    header("Content-Disposition: attachment; filename=$file_name");
    header("Content-Description: PHP Generated Data");
    $enc_data = "";
    //read the entire file into a string variable then close the file
    //this is where the error happens whether I read the whole file, or step through it chunk by chunk
    //the size is taken from $filepath, the path variable defined at the top of this script
    $enc_data = fread($enc_file, filesize($filepath));
    fclose($enc_file);
    //decrypt the data
    $td = mcrypt_module_open('tripledes', '', 'ecb', '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    mcrypt_generic_init($td, $key, $iv);
    $unenc_data = mdecrypt_generic($td, $enc_data);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    //decode the data
    $unenc_data = base64_decode($unenc_data);
    //write out the data for download
    echo $unenc_data;
}
?>
Any help with this would be appreciated, or even a suggestion of a better way to do this. I've thought of storing the file in my database as a blob, but my database storage is much more limited than my regular file storage.
Thanks in advance for the help.
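
The same store-encrypted, decrypt-on-download flow with authenticated encryption, as an added example that is not part of the original post: ECB mode leaks repeated plaintext blocks and gives no tamper detection, and the mcrypt extension was removed from PHP in 7.2, so this sketch uses AES-256-GCM from ext-openssl instead. It assumes PHP 8, a 32-byte key supplied base64-encoded in a hypothetical FILE_STORE_KEY environment variable, and hypothetical helper names; the owner id is bound as associated data so a stored file copied into another user's directory fails to decrypt.

```php
<?php
// Added example with hypothetical helper names; not the poster's code.
// Assumption: FILE_STORE_KEY is a base64-encoded 32-byte key kept out of the source tree.
const CIPHER = 'aes-256-gcm';
const NONCE_LEN = 12;
const TAG_LEN = 16;

function load_key(): string
{
    $key = base64_decode((string) getenv('FILE_STORE_KEY'), true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('FILE_STORE_KEY must be 32 bytes, base64-encoded');
    }
    return $key;
}

// Integer user id plus basename() keeps a name such as "../../x" inside the per-user directory.
function stored_path(string $root, int $userId, string $fileName): string
{
    return $root . '/' . $userId . '/' . basename($fileName) . '.dat';
}

function encrypt_to_file(string $plain, string $path, int $ownerId, string $key): void
{
    $nonce = random_bytes(NONCE_LEN); // fresh per file, stored in the clear with the data
    $tag = '';
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, (string) $ownerId, TAG_LEN);
    if ($ct === false || file_put_contents($path, $nonce . $tag . $ct, LOCK_EX) === false) {
        throw new RuntimeException('encrypting or writing the file failed');
    }
}

function decrypt_from_file(string $path, int $ownerId, string $key): string
{
    $blob = file_get_contents($path);
    if ($blob === false || strlen($blob) < NONCE_LEN + TAG_LEN) {
        throw new RuntimeException('stored file missing or truncated');
    }
    $nonce = substr($blob, 0, NONCE_LEN);
    $tag = substr($blob, NONCE_LEN, TAG_LEN);
    $ct = substr($blob, NONCE_LEN + TAG_LEN);
    // Returns false unless key, nonce, owner id and every ciphertext byte match.
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, (string) $ownerId);
    if ($plain === false) {
        throw new RuntimeException('authentication failed: wrong key, wrong owner, or modified file');
    }
    return $plain;
}
```

Calling decrypt_from_file() before any header() call lets the download script send an error response instead of a partial file when the tag check fails.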