File and Folder Security Help

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

aasimafridi
Forum Newbie
Posts: 1
Joined: Fri Apr 09, 2010 1:54 am

File and Folder Security Help

Post by aasimafridi »

Hi,

I am looking forward to making a PHP-based application for managing documents. Documents can be images, doc, txt, etc.

I want only the users created in the application to have the right to access the documents, and nobody should be able to view or download a document by directly typing its URL.

E.g. if I have uploaded a file named abc.jpg and the final path is http://www.abc.com/upload/abc.jpg, then nobody should be able to type the URL and view the document directly. He should be able to view/add/update a document only if he has logged into the application.

Kindly suggest a solution if anyone knows one.

Thanks

Aasim
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: File and Folder Security Help

Post by timWebUK »

When a file is uploaded, store it above the document root so that it cannot be accessed via WWW. Generate a random name for it, remove the extension and store the file type. Then write a script that will stream the data to the browser, so people will require a URL such as www.example.org/photos/img.php?id=234325, and before the photo is streamed you check their authentication to see if they are authorized to view the image.

hth
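A fetch script along the lines timWebUK describes, as an added example that is not code from the thread. It assumes a hypothetical `documents` table (id, stored_name, mime_type, original_name, owner_id), a storage directory outside the document root, and a login system that sets `$_SESSION['user_id']`:

```php
<?php
// Added example: serve a stored document only to a logged-in user who owns it.
// Hypothetical names: STORAGE_DIR (outside the web root), table "documents",
// and $_SESSION['user_id'] set by the application's login code.
session_start();

const STORAGE_DIR = '/var/app/storage';

if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// Validate the id strictly so nothing but a positive integer reaches the query.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Authorisation is part of the query: only documents owned by this user come
// back, so a guessed id returns nothing rather than someone else's file.
$stmt = $pdo->prepare('SELECT stored_name, mime_type, original_name
                         FROM documents WHERE id = :id AND owner_id = :uid');
$stmt->execute([':id' => $id, ':uid' => $_SESSION['user_id']]);
$doc = $stmt->fetch(PDO::FETCH_ASSOC);
if ($doc === false) {
    http_response_code(404);   // same reply for "unknown" and "not yours"
    exit('Not found');
}

// Resolve the random stored name inside STORAGE_DIR only, so a corrupted or
// tampered row can never point outside the directory.
$path = realpath(STORAGE_DIR . '/' . basename($doc['stored_name']));
if ($path === false || strpos($path, STORAGE_DIR . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Send the stored type, not a sniffed one, and force a download with a
// sanitised original name so the browser never renders the file in-page.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $doc['original_name']);
header('Content-Type: ' . $doc['mime_type']);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```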
Technocrat
Forum Contributor
Posts: 127
Joined: Thu Oct 20, 2005 7:01 pm

Re: File and Folder Security

Post by Technocrat »

Probably the best way would be to obfuscate the URL using a fetch system.

So to access the file http://www.abc.com/upload/abc.jpg they would have to use http://www.abc.com/file.php?id=123; that way file.php can check to make sure they are logged in and have the correct rights. You can use .htaccess to block direct access.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: File and Folder Security Help

Post by pickle »

Thread was duplicated, so I merged the two.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: File and Folder Security Help

Post by kaisellgren »

Follow these tips: viewtopic.php?p=601396#p601396

Then when accessing the document (http://site.com/view.php?id=1234), check for the permissions.