Securing Documents

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
TheOracle
Forum Commoner
Posts: 64
Joined: Mon Nov 22, 2004 4:56 am
Location: Bedford, UK

Securing Documents

Post by TheOracle »

Hi All,

I have a spec for a website which will behandling the upload and retrieval of PDF files from a website, only vailable to members (or customers) who have paid for the right to view them.

However, what is to stop:

1. The documents being indexed by a search engine (is there a way to do this dynamically in the robots.txt file?
2. People accessing them directly via the URL?

This is very important that I can provide an answer.

I hope you can help.

Many thanks
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Don't put them in the webroot.

Lets say you have a hosting account at /whatever. Your website is at /whatever/public_html. Simply make a subdirectory of whatever that is *not* a subdirectory of public_html. For example: /whatever/secure.

Then secure that directory - only give apache access to it, and add an htaccess rule that will deny all. (becuase your php script will be accessing it via the filesystem, NOT via http calls).

Then use php to save documents to that area, and to load and send them (use header, output buffering, and a little file magic).

That way, people can't access them directly (there is no weblink to them), and search engines can't either.
TheOracle
Forum Commoner
Posts: 64
Joined: Mon Nov 22, 2004 4:56 am
Location: Bedford, UK

Post by TheOracle »

Thanks Roja,

Would the same apply for IIS as for Apache?

I create a directory one above the root and give only the web user access. Then using PHP I can use move_uploaded_file() to move the file to that directory, and then just retrieve it from the root directory using:

../secure/filename.pdf
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

TheOracle wrote:Would the same apply for IIS as for Apache?
Everything except for the .htaccess file. Thankfully, thats just a backup security measure, so yes - same deal.
Post Reply