Page 1 of 1

Setting file permissions for SECURE download

Posted: Sat Sep 12, 2009 10:08 pm
by gcreddy
Hello....I am a novice and have been developing a secure file transfer system in php....I want to enable ONLY my clients to be able to download their files......for example....in my code....if I write the following line

<a href="/images/image1.jpg">Download here</a>

My client should be able to download that file.....however.....if someone types "http://www.domainname.com/Folder1/images/image1.jpg" and pastes it into their browser....the access should be denied....

Infact....if some one types "http://www.domainname.com/Folder1/" the contents of the folder also shouldn't be displayed....

Can someone tell me how I should change the permissions (right now all the permissions are set to 0755 i.e. rwxr-xr-x) on my server and the changes (if any) that should be done to my code to enable this feature??

Regards,
G.C.Reddy

Re: Setting file permissions for SECURE download

Posted: Sun Sep 13, 2009 2:25 am
by kaisellgren
The file system permission applies to the file system only. What you want is to move those files to a non-web accessible folder. Then you would write a PHP script to fetch the files if the user is authorized to access the files.

Re: Setting file permissions for SECURE download

Posted: Mon Sep 14, 2009 5:59 am
by gcreddy
Yeah....but what are the settings of the non-accessible web folder?

Re: Setting file permissions for SECURE download

Posted: Mon Sep 14, 2009 9:36 am
by Eric!
He means to move it outside of the directories being served by the HTML server.

for example say your directory structure looks something like this:

.../user/public_html/all_your_web_page_crap_is_in_here
.../user/file
.../user/email
.../user/tmp

You would want to put the files in a directory under /user, but not inside public_html. That way there is no way for someone outside of your server to access that directory through http. Then you write a php file that authenticates the user, and serves the file from your /user/download directory or whatever you call it.

You don't need to worry about file permisions, that is only for file system access on the server, nothing else.

Re: Setting file permissions for SECURE download

Posted: Mon Sep 14, 2009 11:38 am
by gcreddy
Hi Eric!

Thanks for that input. I have done as you said. I have changed the path to /dropbox/domainname/Users/... in the PHP script (instead of using the path to the public html folder). I still have one problem however and that is I am unable to download the files listed under the directories. In the PHP script, I gave the link as follows:

My PHP script is in the webdocs folder (which....in this case is the public html folder if I am not wrong)

$dir = '../dropbox/sallyjohns/';
echo '<a href="'.$dir.'/'.$filename.'">Click Here</a>';

When I click on that link, I am getting file not found (which obviously is right....because the hyperlink is being read as http://www.domainname.com/dropbox/sallyjohns/filename and the dropbox doesn't exist in the public html folder).

Except this problem, everything else it working fine. I am able to create directories, upload files and traverse through the folders. I just need people to be able to download when they click on their files. Is there any where I can redirect them to or am I doing something wrong?

Regards,
G.C.Reddy

Re: Setting file permissions for SECURE download

Posted: Mon Sep 14, 2009 1:21 pm
by kaisellgren