How to eliminate direct access to binary data

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

sphoenixee
Forum Newbie
Posts: 2
Joined: Sun Aug 17, 2008 4:01 pm

How to eliminate direct access to binary data

Post by sphoenixee »

Hello,

First post here :)

Apologies if this has been answered a thousand times already.

Basically, here's what I want to do:
I have some images and audio clips on my server.
I do not want people to access these directly.
I have a PHP script that displays these images/audio.
Only registered users can access the PHP script.
However, registered users still should not be able to access the files directly.

I thought of a few ways, and was hoping you guys could give thoughts on how well these ways work and suggest other methods too. I'm very new at web programming, and would be interested in hearing ideas you guys have. Thanks!

Way 1:
Use htaccess to restrict access to images in a directory. PHP has the user/pw for that and so can access the files, but other people cannot.

Way 2:
Put the files in a directory that is not accessible via HTTP. PHP can still access those but other people cannot access them directly.

The context of all this is that I am writing an RIA in Flex that will query PHP for data, both from MySQL and from images and audio. I want people to only be able to access that data from the Flex program, and not just paste in URLs and steal my images/audio.

Thanks.

sphoenixee
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How to eliminate direct access to binary data

Post by Mordred »

Way2, and don't forget to check that the user is authorized to see the content in the PHP script that serves it.
sphoenixee
Forum Newbie
Posts: 2
Joined: Sun Aug 17, 2008 4:01 pm

Re: How to eliminate direct access to binary data

Post by sphoenixee »

Thanks, Mordred.

Ok, I will try way 2 then. Any other methods would be very welcome.

Slightly on a tangent, how would I use PHP to display the binary data? Should I set the Content-type and then use readfile (or maybe imagecreatefromxxx for images)? Are there better methods?

Thanks again.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How to eliminate direct access to binary data

Post by Mordred »

readfile() does all the job in a single system call, so you can't go any faster than that with PHP.
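
Way 2 combined with the authorization check and readfile() discussed above, as an added example that is not code from any of the posters. The media directory path, the `user_id` session key, the `file` query parameter and the availability of the fileinfo extension are assumptions.

```php
<?php
// Added example: serve files stored outside the web root to logged-in users only.
declare(strict_types=1);

const MEDIA_DIR = '/var/www/private_media';   // assumed path, outside the document root
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif', 'audio/mpeg', 'audio/ogg'];

// Map a client-supplied name to a real file inside $baseDir, or return null.
function resolveMediaPath(string $baseDir, string $name): ?string
{
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd".
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . basename($name));
    $base = realpath($baseDir);
    if ($candidate === false || $base === false) {
        return null;
    }
    // realpath() follows symlinks, so confirm the result is still under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0 || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

session_start();
if (empty($_SESSION['user_id'])) {            // assumed to be set by the login script
    http_response_code(403);
    exit('Forbidden');
}
// A per-file permission check for this user would go here if content differs by user.

$name = $_GET['file'] ?? '';                   // assumed parameter name
$path = is_string($name) ? resolveMediaPath(MEDIA_DIR, $name) : null;
$type = $path !== null ? (new finfo(FILEINFO_MIME_TYPE))->file($path) : false;
if ($path === null || !in_array($type, ALLOWED_TYPES, true)) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');     // stop browsers from guessing another type
header('Cache-Control: private, no-store');    // keep shared caches from storing the file
readfile($path);
```

The content type is taken from the file's contents rather than from the requested name, and anything outside the allow-list is answered with the same 404 as a missing file.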
richardchaven
Forum Newbie
Posts: 2
Joined: Thu Aug 28, 2008 12:18 am

Re: How to eliminate direct access to binary data

Post by richardchaven »

This is exactly what I am learning to do as well: use PHP to create simple back-end servers to support Flex applications.

I am collecting patterns and examples for a web site (or book?).

Please contribute!