Solved

Protecting my files

Posted on 2004-10-08
Last Modified: 2010-03-04
Hi,

I am running an image and file library web site, and it has various restrictions for different users. The location of the files for every category is as follows:

docroot/category/images/imagename.jpg
docroot/category/doc/docname.pdf

The web application is in PHP, and I have coded it so that users will not be able to see the true physical path of the files they are looking at. However, if one knows the true physical path (e.g. docroot/category/images/imagename.jpg), he can simply enter that path in the URL and view the file without even logging into the website. How can I prevent this from happening?

Thanks
Question by:pajiao
13 Comments
 
LVL 12

Accepted Solution

by:
minichicken earned 250 total points
ID: 12265313
Hi

You can keep all your PDF and JPG files a level outside your web root (htdocs) folder to prevent any direct access from the URL.

You will need a download.php file with the following code:
*********************************************
<?php
session_start(); // the session must be started before $_SESSION can be read

if (!empty($_SESSION['user_login']) && $_SESSION['user_login'] === true) // check if you are logged in before allowing the download
{
        $dir = realpath("../download/category/"); // the directory is outside the web root folder, not accessible through web browsers
        $file = realpath($dir . "/" . $_GET['file']);
        // realpath() resolves ".." and symlinks, so check that the requested file
        // still lies inside $dir; otherwise ?file=../../etc/passwd would read
        // any file the web server can open
        if ($dir !== false && $file !== false && strpos($file, $dir . DIRECTORY_SEPARATOR) === 0 && is_file($file))
        {
              header("Content-Type: application/force-download");
              header("Content-Transfer-Encoding: Binary");
              header("Content-Length: " . filesize($file));
              header("Content-Disposition: attachment; filename=\"" . basename($file) . "\"");
              readfile($file);
        }
        else
        {
              echo "File does not exist!"; // If the file does not exist (or is outside $dir) print an error
        }
}
else
{
       echo "Access Denied!"; // User not logged in, print an error
}

?>
*********************************************

On your download page, the link to download the PDFs should look something like this "download.php?file=doc/docname.pdf" and JPG will be something like this "download.php?file=images/imagename.jpg"
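The accepted solution above keeps the files outside the web root and lets one PHP script hand them out after a login check. The question also mentions per-category restrictions for different users, and the script must refuse path tricks such as "../" in the file parameter. The following is an added example, not code from the thread or from the asker's site: a serve.php that checks the session, checks the user's category permissions, confines the resolved path to the store, and sends a Content-Type derived from the extension. The script name, the FILE_STORE path, the $_SESSION['user'] key and the $allowed table (with the constructed users alice and bob) are assumptions; the real site would take them from its existing login and database code.

```php
<?php
// serve.php: hands out one file from a store kept outside DocumentRoot,
// after checking the session and the user's category permissions.
// Added example, not code from the thread; FILE_STORE, $_SESSION['user']
// and the $allowed table are assumptions for the illustration.
session_start();

// Constructed per-user permission table for the example. In the real site
// this would come from the database that already drives the login.
$allowed = array(
    'alice' => array('nature', 'cities'),
    'bob'   => array('nature'),
);

define('FILE_STORE', '/srv/filestore'); // outside docroot, e.g. /var/www/htdocs

// Turn (category, type, name) into an absolute path inside $store, or false.
function resolve_request($store, $category, $type, $name)
{
    // Only plain file names: no "/", no "..", no NUL, no leading path.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name) || $name === '.' || $name === '..') {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $category) || !in_array($type, array('images', 'doc'), true)) {
        return false;
    }
    $base = realpath($store);
    $path = realpath($base . '/' . $category . '/' . $type . '/' . $name);
    // realpath() collapses ".." and follows symlinks, so a link inside the
    // store that points elsewhere is rejected here as well.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return false;
    }
    return $path;
}

// Choose the Content-Type from the extension instead of anything client-supplied.
function content_type_for($path)
{
    switch (strtolower(pathinfo($path, PATHINFO_EXTENSION))) {
        case 'jpg': case 'jpeg': return 'image/jpeg';
        case 'png':              return 'image/png';
        case 'gif':              return 'image/gif';
        case 'pdf':              return 'application/pdf';
        default:                 return 'application/octet-stream';
    }
}

// --- request handling ---
if (empty($_SESSION['user'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Access denied');
}
$user     = $_SESSION['user'];
$category = isset($_GET['category']) ? $_GET['category'] : '';
$type     = isset($_GET['type'])     ? $_GET['type']     : '';
$name     = isset($_GET['name'])     ? $_GET['name']     : '';

// Per-category restriction. "No permission" and "no such file" both get 404,
// so a logged-in user cannot enumerate categories he is not allowed to see.
if (!isset($allowed[$user]) || !in_array($category, $allowed[$user], true)) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}
$path = resolve_request(FILE_STORE, $category, $type, $name);
if ($path === false) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

header('Content-Type: ' . content_type_for($path));
header('Content-Length: ' . filesize($path));
// Images are shown inline in the page; documents are offered as downloads.
$disposition = ($type === 'images') ? 'inline' : 'attachment';
header('Content-Disposition: ' . $disposition . '; filename="' . basename($path) . '"');
readfile($path);
```

Links on the site would then look like serve.php?category=nature&type=images&name=sunset.jpg, mirroring the docroot/category/images/imagename.jpg layout from the question without exposing it. The file name and category are validated with an allow-list before they touch the filesystem, and the realpath() prefix check is a second line of defence; either one alone would stop the ../ case, but together they also cover symlinks and odd encodings the regex author did not think of.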
 

Author Comment

by:pajiao
ID: 12266264
Minichicken,

I agree with the functionality of your code, but it still does not solve the problem. Even if you put the files into htdocs/download/images or whichever level, if someone knows the path, he can still enter the physical path and get the files, such as http://www.mydomain.com/download/images/theimage.jpg

Thanks
 
LVL 12

Expert Comment

by:minichicken
ID: 12266617
pajiao

What I mean is: keep the files that you would like to protect OUTSIDE the "htdocs". If you keep them outside, no one can access the files that are outside the htdocs using a browser URL.

If you have a file INSIDE your htdocs, you can just do this: www.mydomain.com/images/the_image.jpg and access the file, right?
If you have a file OUTSIDE your htdocs, no one can go a directory level higher than www.mydomain.com, since www.mydomain.com (your root directory) is the highest directory that the browser can access.

Hope I explained it all right this time....
 

Author Comment

by:pajiao
ID: 12273445
minichicken,

Thanks, got it. Right now my downloadable files are inside htdocs. I can move them outside htdocs, but all my code will be affected. I wonder, if I use a soft link, will Apache still direct to where the soft link points? E.g. /htdocs/images, where images is a soft link to perhaps /images, where the path is outside htdocs; will I still get to /images when I enter http://www.mydomain.com/images ?

Thanks
 
LVL 12

Expert Comment

by:minichicken
ID: 12274305
I am not too sure what soft links are :(

As long as your files are OUTSIDE your htdocs, I definitely will not be able to enter http://www.mydomain.com/images in the address bar and download the file. I think if you keep the files outside the htdocs, it is pretty much very safe and protected from a browser.

Of course, you must also remember that in the download.php file you need to have some control to check whether the user is logged in or not, or to check for certain conditions. Otherwise people can use something like http://www.mydomain.com/download.php?file=image.jpg to download the file from the address bar. So please remember to put something like a user session check or similar in place to protect the files.

regards -
 

Author Comment

by:pajiao
ID: 12274606
Thanks minichicken, I am aware of that. But due to the complexity of my existing application, I am reluctant to rewrite the code. I am hoping someone can tell me whether entering a soft/symbolic linked directory in the URL will bring me to the linked destination. I have tried and fortunately it couldn't, but I hope someone can confirm this.
 
LVL 12

Expert Comment

by:minichicken
ID: 12274824
Definitely I understand the pain of going through all the pages and changing the links.... It's a nightmare.

However, for a long-term solution, I would still recommend that they be stored outside to make it more secure. Or other secure methods......

regards - :)
 

Author Comment

by:pajiao
ID: 12277263
Can anyone confirm whether entering a soft/symbolic linked directory in the URL will bring me to the linked destination? I have tried and fortunately it couldn't, but I hope someone can confirm this.
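On the symlink question, which the thread leaves open: Apache follows a symbolic link in a requested path only when Options FollowSymLinks (or SymLinksIfOwnerMatch) is in effect for that directory, and the stock configuration on many distributions enables FollowSymLinks for the DocumentRoot. A soft link from htdocs/images to a directory outside htdocs would therefore usually be served, which re-exposes exactly the files the move was meant to hide; with FollowSymLinks switched off, Apache answers 403 for any path that crosses the link. The following httpd.conf fragment is an added example, not from the thread, with assumed paths (/var/www/htdocs as DocumentRoot, /var/www/filestore as the store read by download.php), written for Apache 2.4 syntax:

```apache
# httpd.conf fragment (added example, not from the thread; paths are assumptions)

DocumentRoot "/var/www/htdocs"

<Directory "/var/www/htdocs">
    # No directory listings, and do not follow symbolic links: with
    # -FollowSymLinks a link such as /var/www/htdocs/images -> /var/www/filestore/images
    # gets a 403 instead of serving the target directory's contents.
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# The real file store lives outside DocumentRoot and has no URL mapped to it.
# Denying it explicitly means a later Alias or symlink cannot expose it by accident;
# download.php still reads it with readfile(), which goes through the filesystem,
# not through an HTTP request, so this block does not affect the script.
<Directory "/var/www/filestore">
    Require all denied
</Directory>

# Interim measure while the files still sit under htdocs and the links in the
# application have not been changed yet: refuse direct requests to that tree.
<Directory "/var/www/htdocs/download">
    Require all denied
</Directory>
```

On Apache 2.2 and earlier (the versions current when this thread was written), replace "Require all denied" with "Order deny,allow" followed by "Deny from all", and "Require all granted" with "Order allow,deny" followed by "Allow from all". After editing, run "apachectl configtest" before reloading, and verify with a browser or curl that both http://www.mydomain.com/images/ (through the link) and http://www.mydomain.com/download/images/theimage.jpg return 403 while download.php still serves the file to a logged-in session.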
 

Author Comment

by:pajiao
ID: 12479364
So far no one has confirmed my final question.
 
LVL 12

Expert Comment

by:minichicken
ID: 12480417
Hi pajiao

Sorry, I was unable to confirm the soft/symbolic linked directory part, and was hoping someone would assist me in answering that part of the question.
However, I do believe that I've answered your original question regarding protecting your files from direct download by browser URL.

regards- :)
 

Author Comment

by:pajiao
ID: 12483657
Yes chicken, maybe I will give you the points to close it... thanks!
 
LVL 12

Expert Comment

by:minichicken
ID: 12483703
Thanks pajiao, greatly appreciated :)
