Solved

Protecting my files

Posted on 2004-10-08
Last Modified: 2010-03-04
Hi,

I am running an image and file library web site, and it has various restrictions for different users. The location of the files for every category is as follows:

docroot/category/images/imagename.jpg
docroot/category/doc/docname.pdf

The web application is in PHP and I have coded it so that users will not be able to see the true physical path of the files they are looking at. However, if one knows the true physical path (e.g. docroot/category/images/imagename.jpg), he can simply enter that path in the URL and view the file without even logging into the website. How can I prevent this from happening?

Thanks
Question by:pajiao
13 Comments

Accepted Solution

by:
minichicken earned 750 total points
ID: 12265313
Hi

You can keep all your PDF and JPG files a level outside your webroot (htdocs) folder to prevent any direct access from the URL.

You will need a download.php file with the following code:
*********************************************
<?php
session_start(); // the session must be started before $_SESSION can be read

if (!empty($_SESSION['user_login'])) //check if you are logged in to download the file
{
        $dir = realpath(dirname(__FILE__) . "/../download/category"); //the directory is outside the web root folder, not accessible through web browsers
        $requested = isset($_GET['file']) ? $_GET['file'] : '';
        // realpath() resolves any "../" in the request, so a value such as
        // "../../etc/passwd" must still end up inside $dir or it is refused
        $file = ($dir !== false && strpos($requested, "\0") === false)
              ? realpath($dir . "/" . $requested) : false;
        if ($file !== false && is_file($file) && strpos($file, $dir . DIRECTORY_SEPARATOR) === 0)
        {
              header("Content-Type: application/octet-stream"); //generic binary type so the browser offers a download
              header("Content-Length: " . filesize($file));
              header("Content-Disposition: attachment; filename=\"" . basename($file) . "\"");
              readfile($file);
              exit;
        }
        else
        {
              echo "File does not exist!"; //If file does not exist print error
        }
}
else
{
       echo "Access Denied!"; //User not logged in print Error
}
?>
*********************************************

On your download page, the link to download the PDFs should look something like this "download.php?file=doc/docname.pdf" and JPG will be something like this "download.php?file=images/imagename.jpg"
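The download.php approach in the accepted answer builds the path to serve from a base directory plus $_GET['file']. Whatever the login check does, that concatenation is only safe if the resolved path is proven to lie inside the base directory, otherwise a request such as file=../../etc/passwd reads outside it. The following is an added example (not code from the answer or from pajiao's application) that exercises such a containment check against traversal, NUL-byte and symlink inputs. It builds its own constructed directory tree under the system temp directory, so it runs offline from the PHP CLI; all paths and file names in it are illustrative.

```php
<?php
// Added example (not code from the original answer): exercises the containment
// check a download.php needs before it concatenates $_GET['file'] onto a base
// directory. Run from the CLI: php traversal_check.php
// It creates a constructed directory tree under the system temp directory:
//   base/doc/docname.pdf          a legitimate file
//   outside/secret.txt            a file that must never be reachable
//   base/images/escape -> outside a symlink pointing out of the base directory

function resolve_download_path($base_dir, $requested)
{
    // Reject NUL bytes outright; old PHP versions truncated paths at the first one.
    if (!is_string($requested) || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" segments and follows symlinks, so whatever the
    // request contained, $full is the file that would actually be opened.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // The resolved path must be strictly inside the base directory. Comparing
    // with the trailing separator stops "/srv/downloads2" matching "/srv/downloads".
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// --- constructed fixture ---------------------------------------------------
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
mkdir("$root/base/doc", 0700, true);
mkdir("$root/base/images", 0700, true);
mkdir("$root/outside", 0700, true);
file_put_contents("$root/base/doc/docname.pdf", "%PDF-1.4 demo");
file_put_contents("$root/outside/secret.txt", "must not be served");
$have_symlink = @symlink("$root/outside", "$root/base/images/escape");

$cases = array(
    'doc/docname.pdf'                  => true,   // the intended use
    './doc/../doc/docname.pdf'         => true,   // harmless relative noise
    '../outside/secret.txt'            => false,  // classic traversal
    'doc/../../outside/secret.txt'     => false,  // traversal hidden behind a valid prefix
    "doc/docname.pdf\0.jpg"            => false,  // NUL-byte truncation trick
    'doc'                              => false,  // a directory, not a file
    'doc/missing.pdf'                  => false,  // nonexistent file
);
if ($have_symlink) {
    $cases['images/escape/secret.txt'] = false;  // symlink that points outside base
}

$failures = 0;
foreach ($cases as $input => $should_serve) {
    $served = resolve_download_path("$root/base", $input) !== null;
    printf("%-32s %s\n", addcslashes($input, "\0"), $served ? 'served' : 'rejected');
    if ($served !== $should_serve) {
        $failures++;
    }
}
echo $failures === 0 ? "all cases behaved as expected\n" : "$failures unexpected results\n";

// --- cleanup ---------------------------------------------------------------
if ($have_symlink) { unlink("$root/base/images/escape"); }
unlink("$root/base/doc/docname.pdf");
unlink("$root/outside/secret.txt");
rmdir("$root/base/images"); rmdir("$root/base/doc"); rmdir("$root/base");
rmdir("$root/outside"); rmdir($root);
```

The check deliberately compares the realpath() result rather than the request string: URL-decoding is already done by the time a value reaches $_GET, and blacklisting "../" misses cases such as a symlink inside the base that points out of it, which the resolved-path comparison catches. If the base directory itself must stay inside htdocs for now, the same function still applies; only the direct-URL exposure remains to be handled at the web server.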

Author Comment

by:pajiao
ID: 12266264
Minichicken,

I agree with the functionality of your code, but it still does not solve the problem: even if you put the files into htdocs/download/images or whichever level, if someone knows the path, he can still enter the physical path and get the files, such as http://www.mydomain.com/download/images/theimage.jpg

Thanks

Expert Comment

by:minichicken
ID: 12266617
pajiao

What I mean is to keep the files that you would like to protect OUTSIDE the "htdocs"; if you keep them outside, no one can access the files that are outside htdocs using a browser URL.

If you have a file INSIDE your htdocs you can just do this: www.mydomain.com/images/the_image.jpg and access the file, right?
If you have a file OUTSIDE your htdocs no one can go a directory level higher than www.mydomain.com, since www.mydomain.com (your root directory) is the highest directory that the browser can access.

Hope I explained it all right this time....

Author Comment

by:pajiao
ID: 12273445
minichicken,

Thanks, got it. Right now my downloadable files are inside htdocs. I can move them outside htdocs, but all my code will be affected. I wonder, if I use a soft link, will Apache still direct to where the soft link links to? E.g. /htdocs/images, where images is a soft link to perhaps /images, where the path is outside htdocs; will I still get to /images when I enter http://www.mydomain.com/images ?

Thanks

Expert Comment

by:minichicken
ID: 12274305
I am not too sure what soft links are :(

As long as your files are OUTSIDE your htdocs, I definitely am not able to enter http://www.mydomain.com/images in the address bar and download the file. I think if you keep the files outside htdocs, it is pretty much safe and protected from a browser.

Of course, you must also remember that in the download.php file you need to have some control to check if the user is logged in or not, or to check for certain conditions. Otherwise people can use something like http://www.mydomain.com/download.php?file=image.jpg to download the file from the address bar. So please remember to put something like a user session check or similar in place to protect the files.

regards -

Author Comment

by:pajiao
ID: 12274606
Thanks minichicken, I am aware of that. But due to the complexity of my existing application, I am reluctant to rewrite the code. I'm hoping someone can tell me if entering a soft/symbolic-linked directory in the URL will bring me to the linked destination. I have tried and fortunately it couldn't, but I hope someone can confirm this.

Expert Comment

by:minichicken
ID: 12274824
I definitely understand the pain of going through all the pages and changing the links.... It's a nightmare.

However, for a long-term solution, I would still recommend that they be stored outside to make it more secure. Or other secure methods......

regards - :)

Author Comment

by:pajiao
ID: 12277263
Can anyone confirm if entering a soft/symbolic-linked directory in the URL will bring me to the linked destination? I have tried and fortunately it couldn't, but I hope someone can confirm this.
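The symlink question pajiao raises here and in the two earlier comments is never answered in the thread. Whether Apache serves files through /htdocs/images when that entry is a symbolic link to a directory outside the document root is decided by the Options directive in effect for that directory: with FollowSymLinks (or SymLinksIfOwnerMatch, when link and target share an owner) enabled, Apache follows the link and serves the target's files exactly as if they sat inside htdocs, and Apache's compiled-in default for Options includes FollowSymLinks. A symlink therefore does not by itself protect anything; a test that "couldn't" reach the files was most likely running with FollowSymLinks already disabled. The configuration below is an added example, not part of the original thread or of pajiao's server: it turns symlink following off under the document root and, for the case where the files stay inside htdocs because moving them would touch too much code, refuses direct requests to the protected directory. download.php is unaffected, because readfile() opens the files through the filesystem, not through an HTTP request. The DocumentRoot and directory names are assumptions.

```apache
# Added example (not from the original thread). Assumes Apache 2.2-era syntax,
# DocumentRoot /var/www/htdocs, and the protected files left in place under
# /var/www/htdocs/category; every path here is illustrative.

# Do not let a symbolic link inside the document root expose a directory
# outside it. -Indexes also stops Apache listing directory contents.
<Directory "/var/www/htdocs">
    Options -FollowSymLinks -Indexes
</Directory>

# Refuse every direct browser request for the protected files. PHP's
# readfile() in download.php opens them through the filesystem, so the
# script keeps working and becomes the only way to obtain them.
<Directory "/var/www/htdocs/category">
    Order allow,deny
    Deny from all
    # Apache 2.4 equivalent of the two lines above:
    # Require all denied
</Directory>
```

The same two blocks can be placed in a .htaccess file in the respective directories when AllowOverride permits Options and Limit there. Disabling FollowSymLinks makes Apache check every path component for links on each request, which costs a little performance and breaks any mod_rewrite rules in .htaccess files that depend on it, so it is worth confirming with a direct request to a symlinked path that the option actually took effect.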

Author Comment

by:pajiao
ID: 12479364
So far no one has confirmed my final question.

Expert Comment

by:minichicken
ID: 12480417
Hi pajiao

Sorry, I was unable to confirm the soft/symbolic-linked directory part, and was hoping someone would assist me in answering that part of the question.
However, I do believe that I've answered your original question regarding protecting your files from direct download by browser URL.

regards- :)

Author Comment

by:pajiao
ID: 12483657
Yes chicken, maybe I will give you the points to close it... thanks!

Expert Comment

by:minichicken
ID: 12483703
Thanks pajiao, greatly appreciated :)