PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




PostPosted: Mon Aug 15, 2016 3:25 pm 
Forum Newbie

Joined: Mon Aug 15, 2016 3:16 pm
Posts: 3
Hi all,

Newbie here looking for some general advice.

I'm going to be working on upgrading an old site which allowed users to create a free account, then create dynamic pdfs based on their input values on a form. To create the pdfs, they have to pay for them. Then, once they create the pdf, the user can see a list of pdfs they've generated and then re-download those pdfs again at any time.

My question is with regard to securing storage of those pdfs in a MySQL database. Right now, there is a directory solely used to store the actual pdfs (the directory's name is random numbers and letters). We are using a hashed index in MySQL to associate with the pdf filename in the pdf directory. We are using external hosting (currently Bluehost).

Any advice with regard to securing that pdf directory so that someone couldn't hack the site and just download all the pdfs that users paid for?

Thanks for ideas!


 
PostPosted: Mon Aug 15, 2016 4:25 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
Store the PDFs in a directory outside of your webserver's document root, so they are not accessible. Then use PHP to download them. See the PHP manual page for readfile() for an example, but essentially this:
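<?php
// Directory outside the web server's document root
$download_path = '/path/to/download/dir/';
$download_file = 'example.pdf';
header("Content-Type: application/pdf");
// The filename parameter is quoted with double quotes, not single quotes
header("Content-Disposition: attachment; filename=\"$download_file\"");
// Stream the file to the client
readfile($download_path . $download_file);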

_________________
(#10850)
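
The approach in the post above, extended with a per-user ownership check and a path containment check, as an added example that is not part of the original post. The `$ownership` array (a stand-in for the site's MySQL lookup), the 64-hex-character index format, and the function names are assumptions.

```php
<?php
// Added example. $ownership stands in for the MySQL table that maps each
// hashed index to its owner and stored filename (hypothetical schema).

// Returns the PDF's absolute path only if $hash belongs to $userId and the
// stored filename resolves to a file inside $storageDir; otherwise null.
function pdf_path_for_user(array $ownership, int $userId, string $hash, string $storageDir): ?string
{
    // Assumed index format: 64 lowercase hex characters (SHA-256).
    if (!preg_match('/\A[a-f0-9]{64}\z/', $hash) || !isset($ownership[$hash])) {
        return null;
    }
    $row = $ownership[$hash];
    if ((int) $row['user_id'] !== $userId) {
        return null; // real index, but someone else's purchase
    }
    // realpath() resolves ".." and symlinks; the trailing separator stops a
    // sibling such as "/store.outside" from matching the prefix "/store".
    $base = realpath($storageDir);
    $path = realpath($storageDir . DIRECTORY_SEPARATOR . $row['filename']);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function send_pdf(string $path): void
{
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="download.pdf"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed sample data: a temporary store, one purchase, one outside file.
$storage = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pdf_store_' . bin2hex(random_bytes(4));
mkdir($storage, 0700);
file_put_contents($storage . '/a1.pdf', "%PDF-1.4\n% constructed sample\n");
file_put_contents($storage . '.outside', 'not a purchased PDF');
$hash = hash('sha256', 'constructed-sample');
$ownership = [$hash => ['user_id' => 7, 'filename' => 'a1.pdf']];

var_dump(pdf_path_for_user($ownership, 7, $hash, $storage)); // owner
var_dump(pdf_path_for_user($ownership, 8, $hash, $storage)); // different user
$ownership[$hash]['filename'] = '../' . basename($storage) . '.outside';
var_dump(pdf_path_for_user($ownership, 7, $hash, $storage)); // path leaves the store
```

In a request handler, call `send_pdf()` only when `pdf_path_for_user()` returns a path, and answer 404 otherwise so that unknown indexes and other users' indexes look the same to the client.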


 
PostPosted: Mon Aug 15, 2016 10:38 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
To be clear, are you talking about securing them against users on your site who are not supposed to have access? Or about making them secure on the server because you're using shared hosting and you don't want someone else on the server to be able to locate and read those files?


 
PostPosted: Tue Aug 16, 2016 9:21 am 
Forum Newbie

Joined: Mon Aug 15, 2016 3:16 pm
Posts: 3


 
PostPosted: Tue Aug 16, 2016 9:59 am 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
.htaccess only affects Apache. You have to do something on the actual filesystem to block users on that machine.

Unfortunately this is tricky and might not even be possible for you to do. It depends on the answer to one question:

If you look at the generated PDFs through FTP or SSH, are the files owned by your personal user account or is it a generic "www-data" or "apache" or "httpd" or similar? This is the same answer to the question of what user account PHP is running as.

If it's your account then that's great: make the PDF directory have permissions 0770 and the generated files have 0660. That's all.
If it's a generic account then you're stuck, and anyone on the server sufficiently motivated will be able to somehow get access to those files (with a bit of work). A simple solution is to store the files elsewhere. Less simple is to store the content in the database (ouch) or to not even store them at all but to re-/generate the content on-the-fly (if possible).

About storing elsewhere:
There are many options but I'll use Amazon S3 as an example. You upload files there, to a place you've made sure is not world-readable. To serve the PDFs you generate a particular signed URL to the file and redirect the user; it grants access to the file for a short time so that same URL will not work a few minutes later.


 
PostPosted: Tue Aug 16, 2016 12:49 pm 
Forum Newbie

Joined: Mon Aug 15, 2016 3:16 pm
Posts: 3


 
PostPosted: Tue Aug 16, 2016 6:47 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US

_________________
(#10850)

