
File and Folder Security Help

Posted: Fri Apr 09, 2010 1:58 am
by aasimafridi
Hi,

I am looking to make a PHP-based application for managing documents. Documents can be images, doc, txt etc.

I want only the users created in the application to have the right to access the documents, and nobody should be able to view or download a document by directly typing the URL of the document.

E.g. if I have uploaded a file named abc.jpg and the final path is http://www.abc.com/upload/abc.jpg, then nobody should be able to type the URL and view the document directly. He should be able to view/add/update a document only if he has logged into the application.

Kindly suggest a solution if someone knows one.

Thanks

Aasim

Re: File and Folder Security Help

Posted: Fri Apr 09, 2010 3:53 am
by timWebUK
When a file is uploaded, store it above the document root so that it cannot be accessed via WWW. Generate a random name for it, remove the extension and store the file type. Then write a script that will stream the data to the browser, so people will require a URL such as:

www.example.org/photos/img.php?id=234325, and before the photo is streamed you check their authentication to see if they are authorized to view the image.

hth

Re: File and Folder Security

Posted: Fri Apr 09, 2010 10:19 am
by Technocrat
Probably the best way would be to obfuscate the URL using a fetch system.

So to access the file http://www.abc.com/upload/abc.jpg they would have to use http://www.abc.com/file.php?id=123. That way file.php can check to make sure they are logged in and have the correct rights. You can use .htaccess to block direct access.

Re: File and Folder Security Help

Posted: Fri Apr 09, 2010 10:32 am
by pickle
Thread was duplicated, so I merged the two.

Re: File and Folder Security Help

Posted: Thu Apr 15, 2010 3:26 am
by kaisellgren
Follow these tips: viewtopic.php?p=601396#p601396

Then when accessing the document (http://site.com/view.php?id=1234), check for the permissions.
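
The approach described in the replies above (keep uploads outside the document root under a random, extension-less name, and serve them through a script that checks the login and the user's rights first), as an added example that is not code from any poster in this thread. The session key, database path, `documents` table and its columns, owner-only permission rule and storage directory are all assumptions made for illustration.

```php
<?php
// file.php?id=123 : added example, not code from the thread.
// Assumed (hypothetical): session key 'user_id'; SQLite DB at /var/app/data/app.db with
// table documents(id, owner_id, stored_name, original_name, mime_type);
// uploads saved in /var/app/storage, which lies outside the web document root.
declare(strict_types=1);

const STORAGE_DIR = '/var/app/storage';

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// Accept only a positive integer id; anything else is rejected before the lookup.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Bad request');
}

$db = new PDO('sqlite:/var/app/data/app.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The permission check is part of the query: only the owner's rows can match.
$stmt = $db->prepare(
    'SELECT stored_name, original_name, mime_type FROM documents WHERE id = ? AND owner_id = ?'
);
$stmt->execute([$id, $_SESSION['user_id']]);
$doc = $stmt->fetch(PDO::FETCH_ASSOC);

// stored_name is the random name generated at upload; basename() blocks path traversal.
$path = $doc ? STORAGE_DIR . '/' . basename($doc['stored_name']) : '';
// Same 404 for "no such id", "not yours" and "file missing", so ids cannot be probed.
if ($doc === false || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Restrict the display name to safe characters before placing it in a header.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', $doc['original_name']);
header('Content-Type: ' . $doc['mime_type']);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: inline; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff'); // browser must not re-guess the type
readfile($path);
```

If the files have to stay inside the document root instead, the .htaccess block mentioned above takes the place of the out-of-root storage directory, and the script is otherwise unchanged.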