
Directly viewing unauthorised files by url

Posted: Wed May 31, 2006 1:20 pm
by phase
Hello everyone.

I have a problem with my current project and I really hope someone could shed some light on how to rectify it.

Currently I have a section for clients who can log in and download files in a specific folder.

For example there will be 50 folders, client_1 to client_50.

If their session userid once logged in is 1 then they have access to client_1's files and no others. This is all working fine from the interface side of things; however, if client 1 wanted to view client 6's files, they can still do so by bypassing the website and entering a file URL directly...

I have secured the folder itself by .htaccess so they cannot type in...
http://www.mysite.com/files/client_6/
that would redirect them back to an appropriate page.

but a direct URL such as
http://www.mysite.com/files/client_6/image.jpg
would display the image.

What measures can I take to ensure this is no longer possible?

I would really appreciate some advice. Thanks all.

Phase

Posted: Wed May 31, 2006 4:19 pm
by Christopher
Please show us your .htaccess file.

Posted: Thu Jun 01, 2006 3:38 am
by s.dot
Load the image inside your PHP script.

Pseudo code:

Code:

    <?php
    session_start();
    // Only serve the file to a visitor with a valid, logged-in session
    if (isset($_SESSION['userid']) && $_SESSION['userid'] > 0) {
        header('Content-Type: image/jpeg');
        readfile('image.jpg');
    }
This way, you can store your images outside of the webroot so people can't access them through the direct URL. Then you'd have a way of showing it to valid users by using the URL image_validating_script.php?image=image.jpg
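A fuller version of the serving script described above, written as an added example for this thread rather than code posted by s.dot or by the original poster. It assumes the login page stores the client's number in $_SESSION['userid'], that the per-client folders have been moved to a hypothetical directory /var/www/private_files/client_<id>/ outside the web root, and that the script is saved as image_validating_script.php. The important design point is that the folder is derived from the session, never from the URL, and the requested name is checked so it cannot escape that folder.

```php
<?php
// Added example (not from the thread): serve one file from a per-client
// directory that lives OUTSIDE the web root, only to the logged-in owner.
// Assumptions: the login page stores the client's id in $_SESSION['userid'],
// and files are kept under /var/www/private_files/client_<id>/ (hypothetical path).
session_start();

const FILE_ROOT = '/var/www/private_files';

function denied(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// 1. Session check: no valid login, no file.
if (!isset($_SESSION['userid']) || !ctype_digit((string) $_SESSION['userid'])) {
    denied(403, 'Please log in.');
}
$userId = (int) $_SESSION['userid'];

// 2. Input check: accept only a bare file name (letters, digits, . _ -),
//    never a path, and never a name starting with a dot (rejects "..").
$name = $_GET['image'] ?? '';
if ($name === '' || $name !== basename($name)
    || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)) {
    denied(400, 'Invalid file name.');
}

// 3. Authorisation: the directory comes from the session id, not from the URL,
//    so client 1 cannot reach client_6's files by changing a parameter.
$clientDir = FILE_ROOT . '/client_' . $userId;
$realDir   = realpath($clientDir);
$path      = realpath($clientDir . '/' . $name);

// 4. Defence in depth: confirm the resolved path is still inside the client's
//    folder and is a regular file (guards against symlinks and odd names).
if ($realDir === false || $path === false || !is_file($path)
    || strpos($path, $realDir . DIRECTORY_SEPARATOR) !== 0) {
    denied(404, 'File not found.');
}

// 5. Send the file; the content type is read from the file, not trusted from its name.
$mime = mime_content_type($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: inline; filename="' . $name . '"');
readfile($path);
```

With this in place the pages link to http://www.mysite.com/image_validating_script.php?image=image.jpg instead of the raw /files/client_N/ paths, and because the folders are no longer under the web root there is nothing for a typed-in URL to hit. If the folders cannot be moved, the same script works alongside an .htaccess in /files/ that denies all direct requests, but moving them out is the simpler guarantee.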

Posted: Thu Jun 01, 2006 9:29 am
by ok
Moreover, you can store your files in your DB.
For example:
You create a table called "files" with 2 cols, "file_name" and "file".
Then, you write a PHP script which gets the file_name, checks that the user is authorized, and then reads the content of the "file" col from the table in your DB.

Posted: Thu Jun 01, 2006 10:15 am
by Maugrim_The_Reaper
DB seems overkill for serving files... Using PHP to redirect a file to a user makes far more sense.