
Deny HTTP access of a folder on server

Posted: Tue Feb 01, 2011 4:47 pm
by thedark_master
First off I want to start off saying that I don't know anything about PHP so I would appreciate all the help I can get.
So I have a website hosted on godaddy where I upload files for my clients. With the help of a friend I made a simple login system with usernames and passwords. So the problem is that although the website can't be accessed without inputting the username and password, the files such as .jpg can be accessed by direct input in the browser. I want it to be so that the only way the files and web pages can be accessed is if they have a username and password. Also, I want each user to be able to access only their own files and not the others'. So here is my code, and if there are any additional changes that need to be made to avoid hacking I will greatly appreciate the input.

index.php file code for the form that is being used to input username and password:

Code:

<form name="form1" method="post" action="checklogin.php">
            <div class="lefts">
            <p>Login:</p>
            <p>Password:</p>
            </div>

            <div>
            <input name="myusername" type="text" id="myusername" />
            <input name="mypassword" type="password" id="mypassword" />
            </div>
    
        <div><input type="image" name="Submit" id="submit" value="Login" src="images/submitOff.png" /></div>
</form>
checklogin.php: (if the correct username and password are entered, it goes to the username web page; if not, it goes to the wrong-username-or-password web page)

Code:

<?php
ob_start();
session_start();
$host="hostname"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="dbnamey"; // Database name
$tbl_name="tablename"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT username FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

//returns false if no results returned
$row = mysql_fetch_row($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($row){
// Register $myusername, $mypassword and redirect to file
$_SESSION["myusername"] = $myusername;
$_SESSION["mypassword"] = $mypassword;
$myPage = $myusername.".php";
$_SESSION["myPage"] = $myPage;

header("location:".$myPage);
}
else {
header("location:index2.php");
}

ob_end_flush();
?>

username1.php: (web page for the first user that contains files)

Code:

<?php
session_start();
if(
//!session_is_registered(myusername)
	!isset($_SESSION["myusername"]) ||
	$_SESSION["myPage"] != basename($_SERVER['REQUEST_URI'])
){
header("location:index.php");
}
?>

<html>
<!-- content that consists of links to the files -->
<a href="ready/username1/file.png">Png 1</a>
</html>

username2.php: (web page for the second user that contains files)

Code:

<?php
session_start();
if(
//!session_is_registered(myusername)
	!isset($_SESSION["myusername"]) ||
	$_SESSION["myPage"] != basename($_SERVER['REQUEST_URI'])
){
header("location:index.php");
}
?>

<html>
<!-- content that consists of links to the files -->
<a href="ready/username2/file.png">Png 1</a>
</html>

Re: Deny HTTP access of a folder on server

Posted: Tue Feb 01, 2011 4:52 pm
by social_experiment
thedark_master wrote:I want it to be so that the only way the files and webpages are accessed is if they have a username and password.
There are two ways, one you'll like, the other one probably less so. Password protecting directories (more info here http://www.google.co.za/search?hl=af&so ... irectories) and placing your files (jpg's) outside the root folder.

Re: Deny HTTP access of a folder on server

Posted: Tue Feb 01, 2011 5:04 pm
by thedark_master
social_experiment wrote:Password protecting directories (more info here http://www.google.co.za/search?hl=af&so ... irectories)
Well, your first solution will defeat the purpose of the PHP login because the users will have to enter their username and password twice: once to log in, and a second time to download a file. I don't want to do that.

social_experiment wrote:placing your files (jpg's) outside the root folder.
Is that the only option I have? I searched on Google and some people were suggesting disallowing HTTP access to the folder, but I am not really sure how to do that.

Re: Deny HTTP access of a folder on server

Posted: Tue Feb 01, 2011 7:30 pm
by thedark_master
OK, so from doing more searching I know how to restrict access to the files using .htaccess. Now what I need to find out is a PHP download link code.

Code:

# .htaccess placed inside the folder to protect (e.g. ready/).
# A <Directory> block is only valid in httpd.conf; in .htaccess the
# directives apply to the folder that contains the file.
Order allow,deny
Deny from all

Re: Deny HTTP access of a folder on server

Posted: Tue Feb 01, 2011 8:06 pm
by thedark_master
I just found a really good PHP download script that does what I wanted to here http://www.tutorialchip.com/php-download-file-script/

So the problem is solved; however, if there are any other security problems with my original script, please let me know.

Re: Deny HTTP access of a folder on server

Posted: Thu Feb 03, 2011 7:14 am
by Mordred
thedark_master wrote:So the problem is solved; however, if there are any other security problems with my original script, please let me know.
If an attacker can learn the names of clients in some way (plenty of those: guessing, brute force) he can still view their "private" content even if he's not logged in:

Code:

<?php
session_start();
if(
//!session_is_registered(myusername)
        !isset($_SESSION["myusername"]) ||
        $_SESSION["myPage"] != basename($_SERVER['REQUEST_URI'])
){
header("location:index.php");
}
?>

<html>
<!-- content that consists of links to the files -->
<a href="ready/username2/file.png">Png 1</a>
</html>

The header() call is no different from echo/print: it is presented to the browser and the browser decides what to do with it. Your problem is that the browser can be set not to follow redirects, and since you print the "secret" content after the header() call, it's there for everyone who can find the "username" page.

The best way to approach this is to have a Redirect($url) function that does the header(location) call and then exit(); that way you'll never forget to exit() "manually" after a redirect.
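Putting the two halves of the thread together, this is an added example of the "PHP download link" thedark_master was looking for once the folder is blocked with .htaccess, written with the redirect-then-exit() helper Mordred recommends. It is not the original poster's code and not the tutorialchip.com script he linked. It assumes that checklogin.php sets $_SESSION["myusername"] on a successful login, that each client's files live in ready/<username>/ next to the script (the folder carrying the Deny from all rule), and that the pages link to download.php?f=file.png instead of to the folder directly; the file name download.php and the function names are hypothetical.

```php
<?php
// download.php: added example for this thread, not the original poster's code and
// not the tutorialchip.com script he linked. Serves one file from ready/<username>/
// to the logged-in user only. Assumptions (names are hypothetical):
//   - checklogin.php sets $_SESSION["myusername"] on a successful login;
//   - per-user files live in ready/<username>/ next to this script, and that
//     folder carries the "Deny from all" .htaccess from the thread;
//   - pages link to download.php?f=file.png instead of ready/<username>/file.png.
session_start();

// Mordred's point: a Location header on its own does not stop the script, so
// everything after it is still sent to a client that ignores redirects. Always exit.
function redirect($url)
{
    header("Location: " . $url);
    exit();
}

// Returns the logged-in user name or redirects to the login page.
function require_login()
{
    if (!isset($_SESSION["myusername"])) {
        redirect("index.php");
    }
    // The name came from the database row, but it is about to be used as a path
    // component, so restrict it to a safe character set anyway.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $_SESSION["myusername"])) {
        redirect("index.php");
    }
    return $_SESSION["myusername"];
}

// Resolves the requested file inside the user's own folder, or returns null.
// Rejects anything that is not a plain "name.ext" (so ?f=../username2/file.png
// never reaches the filesystem) and re-checks the resolved path, which also
// catches symlinks pointing out of the folder.
function user_file_path($user, $name)
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $name)) {
        return null;
    }
    $base = realpath(__DIR__ . "/ready/" . $user);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$user = require_login();
$path = user_file_path($user, isset($_GET["f"]) ? $_GET["f"] : "");
if ($path === null) {
    // Same response for "bad name", "not yours" and "missing", so the URL
    // cannot be used to probe other users' folders.
    header("HTTP/1.1 404 Not Found");
    exit("Not found");
}

// Fixed list of content types rather than trusting the extension blindly;
// anything else is sent as a generic download.
$types = array(
    "png"  => "image/png",
    "jpg"  => "image/jpeg",
    "jpeg" => "image/jpeg",
    "pdf"  => "application/pdf",
);
$ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
$type = isset($types[$ext]) ? $types[$ext] : "application/octet-stream";

header("Content-Type: " . $type);
header("Content-Length: " . filesize($path));
header("Content-Disposition: attachment; filename=\"" . basename($path) . "\"");
header("X-Content-Type-Options: nosniff");
readfile($path);
exit();
```

With this in place the link in username1.php becomes <a href="download.php?f=file.png">, and the browser never sees a URL under ready/ at all, so the .htaccess rule and the session check no longer depend on each other. The same redirect()/require_login() pair can replace the check at the top of username1.php and username2.php, which as posted falls through to the HTML after header() for exactly the reason Mordred describes. The user name is taken from the session, never from the request, so one client cannot reach another client's folder by editing the URL; the 404 for every failure case keeps the script from confirming which folders or file names exist.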