Security for certain files/directory

Javrixx
Forum Commoner
Posts: 32
Joined: Thu Aug 24, 2006 2:05 pm

Post by Javrixx »

Hi, I'm really new to PHP. Basically I'm setting up a few things for my work. I'm adding a feature that lets clients log in and view certain .xls files and whatnot. It will be their results that our company provides for them...

So I've almost got the login part of it done, I don't think I'll have too hard of a time getting the rest set up, but now that I'm thinking about it, I think I have a problem.

Client A needs to access his .xls files.
Client B needs to do the same thing.

All the files are stored in, let's say, /clientfiles directory.


I need to make it so only Client A can access his files and no one else's files.

Maybe I can make it a bit clearer. Client A logs in with the username and password I provide him (he can change his pass). On the next page it says welcome so and so and you have X amount of results ready for download. I was thinking I was just going to generate the link using PHP according to what the filename is in the MySQL database. So anyway, he clicks the link that lists all the results .xls files to download...

Let's say they're all stored at http://www.mydomain.com/clientfiles. So he has 3 files listed there:
http://www.mydomain.com/clientfiles/file1.xls
http://www.mydomain.com/clientfiles/file2.xls
http://www.mydomain.com/clientfiles/file3.xls

Now, what is to stop him, and anyone else, from just going to http://www.mydomain.com/clientfiles/ and seeing all the files in that directory and being able to download them? Is there a way I can fix this so only the logged in client can access only those files? Or am I going to have to do something totally different as a solution?

Any help is much appreciated. I really don't know too much about PHP, so far I've been using tutorials and using "trial and error" changing the code here and there to suit my needs. I do know HTML like the back of my hand, so I do understand the basics and how PHP functions, I just don't know the commands, etc, for it yet. Thanks again.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

  • Store the files off the web accessible directories.
  • Use a script to fetch the actual report.

Post by Javrixx »

Thanks for your post, feyd, that's the second option I'm looking into, I just have no clue how to do it lol. But here is an update I also posted on another forum. Any help or suggestions are highly appreciated.



Ok so I'm almost to the point where I need to implement this.

I think I'm down to 2 options...

1) Use the user's ID and make a random folder, store the files in it... for example, say user123 logs in and wants to see their files. In the database, their userid is, say... 555. So I make a new folder in the userfiles folder, starting with the user ID and then some random stuff after that: 555fdjf78nab5jk6diap227yu46/file1afd87b93bfi3a.xls

So the path to download that would be http://www.mysite.com/userfiles/555fdjf ... 3bfi3a.xls

It will be easy for me to find, because the user ID is still the first part of the directory, as would be the file name that they need, but the rest is so random people would PROBABLY never find the full path for that file... Am I right about this?


2) Someone had mentioned to me that I can store the files on the server, but not public. When the user logs in, I would make a PHP script to create a random temporary folder and move the needed files for that user to the new temporary folder. After the user logs out the temporary folder is deleted, thus the user's files are never really public, only for a short time when that user is logged in and needs the files.

Now, my big issue with this is, I lack the knowledge to set something up like this that is so complicated. I haven't looked for any tutorials, but it is pretty specific and I don't know if I'll be able to find something. I'm about 2 weeks away from having to really set this up so ANY feedback on this is highly appreciated.

Post by feyd »

Random folders: bad idea.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

Javrixx, you wrote a log-in system, right? You know enough to write the script to fetch a client's Excel sheets.

You have one table:

Clients
-----------------
client_id
username
password
blah
yada
foo

Then you have another table:

Reports
-----------------
report_id
user_id
report_name
report_path

Then you could get all of a client's reports according to the client_id that is associated with the report in the database.

After that you just write a list of links to the screen.
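
What feyd and daedalus__ suggest (files kept off the web accessible directories, and a script that fetches a report only when its Reports row belongs to the logged-in client), as an added example that is not part of the thread. It assumes the login stores the client's id in `$_SESSION['client_id']`, that `report_path` holds a file name relative to a hypothetical `STORAGE_DIR`, that the DSN and credentials are placeholders, and that the list of links points at `download.php?id=<report_id>`.

```php
<?php
// download.php: added example, not code from the thread.
// Assumptions: $_SESSION['client_id'] is set at login; STORAGE_DIR is a
// hypothetical directory outside the web root; DSN/credentials are placeholders.
declare(strict_types=1);
const STORAGE_DIR = '/home/account/private_reports';

/** Return ['path' => ..., 'name' => ...] for a report the client owns, else null. */
function resolveReport(PDO $db, int $clientId, int $reportId): ?array
{
    // Ownership is enforced in the query itself: a report id that belongs
    // to another client matches no row.
    $stmt = $db->prepare('SELECT report_name, report_path FROM Reports
                           WHERE report_id = ? AND user_id = ?');
    $stmt->execute([$reportId, $clientId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Canonicalise and confirm the file really lives under STORAGE_DIR,
    // so a bad report_path value ("../..") cannot escape it.
    $base = realpath(STORAGE_DIR);
    $path = realpath(STORAGE_DIR . '/' . $row['report_path']);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return ['path' => $path, 'name' => basename($row['report_name'])];
}

session_start();
$clientId = $_SESSION['client_id'] ?? null;
$reportId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($clientId === null || !is_int($reportId)) {
    http_response_code(403);
    exit('Not authorised');
}
$db = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpass',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$report = resolveReport($db, (int) $clientId, $reportId);
if ($report === null) {
    http_response_code(404);   // same answer for "missing" and "not yours"
    exit('Report not found');
}
header('Content-Type: application/vnd.ms-excel');
header('Content-Disposition: attachment; filename="' . addcslashes($report['name'], '"\\') . '"');
header('Content-Length: ' . filesize($report['path']));
readfile($report['path']);
```

Because the files are never under a public URL, requesting the storage directory or guessing a file name returns nothing; the only way to a report is through this ownership check.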

Post by Javrixx »

Daedalus- wrote: Javrixx, you wrote a log-in system, right? You know enough to write the script to fetch a client's Excel sheets.

You have one table:

Clients
-----------------
client_id
username
password
blah
yada
foo

Then you have another table:

Reports
-----------------
report_id
user_id
report_name
report_path

Then you could get all of a client's reports according to the client_id that is associated with the report in the database.

After that you just write a list of links to the screen.

Ok yes that was exactly what I was thinking. But I'm not clear on how to do that. I mean, where do I store the files? feyd said making random folders is a bad idea.

For example, if I stored all files in X folder, I know how to pull the link for Y client to get his X file. But just the link where the file is already stored, which isn't secure. I hope this makes sense. Also feyd, why are random folders a bad idea?

Post by daedalus__ »

Store them all in the same folder. The only way people can view a list of the files in that folder is if you allow it, which should not be the default setting.

I can explain how to check on IIS, but not Apache.

Post by Javrixx »

I think my problem is that we don't have our own server. It's on a shared web hosting plan. I can make a new folder and password protect it or change the chmod to not allow access. Is that what you mean?

Sorry for being slow, but I've never done this before and I want to approach this the best way.