Solved

Protecting my files

Posted on 2004-10-08
Last Modified: 2010-03-04
Hi,

I am running an image and file library web site and they have various restrictions for different users. The location of the files for every category is as such:

docroot/category/images/imagename.jpg
docroot/category/doc/docname.pdf

The web application is in PHP and I have coded it so that users will not be able to see the true physical path of the files they are looking at. However, if someone knows the true physical path (e.g. docroot/category/images/imagename.jpg), he can simply enter that path in the URL and view the file without even logging into the website. How can I prevent this from happening?

Thanks
Question by:pajiao

13 Comments
Accepted Solution

by:
minichicken earned 250 total points
ID: 12265313
Hi

You can keep all your PDF and JPG files a level outside your webroot (htdocs) folder to prevent any direct access from the URL.

You will need a download.php file with the following code:
*********************************************
<?php
session_start(); //the session must be started before $_SESSION can be read
if (!empty($_SESSION['user_login']) && $_SESSION['user_login'] === true) //check if you login to download the file
{
        $dir = realpath("../download/category/"); //the directory is outside the web root folder, not accessible through web browsers
        $requested = isset($_GET['file']) ? $_GET['file'] : '';
        $file = realpath($dir . "/" . $requested); //canonical path: resolves any "../" and symlinks
        //only serve a file that really resolves to a location inside $dir, otherwise
        //"download.php?file=../../etc/passwd" would read outside the download folder
        if ($dir !== false && $file !== false && is_file($file) && strpos($file, $dir . DIRECTORY_SEPARATOR) === 0)
        {
              header("Content-type: application/force-download");
              header("Content-Transfer-Encoding: Binary");
              header("Content-length: ".filesize($file));
              header("Content-disposition: attachment; filename=\"".basename($file)."\"");
              readfile($file);
        }
        else
        {
              echo "File does not exist!"; //If file does not exist print error
        }
}
else
{
       echo "Access Denied!"; //User not logged in print Error
}

?>
*********************************************

On your download page, the link to download a PDF should look something like this: "download.php?file=doc/docname.pdf", and for a JPG something like this: "download.php?file=images/imagename.jpg".
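The question mentions different restrictions per category, so here is an added example (my own code, not minichicken's) of a download handler that enforces three things the short script above leaves implicit: the requested path is canonicalised with realpath() and must stay inside the protected store, the category must be one the logged-in user is allowed to read, and only known file types are served with their real Content-Type. Assumptions, labelled in the code: the store lives one level above the web root, $_SESSION['user_login'] comes from the accepted answer, and $_SESSION['categories'] is a hypothetical per-user list of permitted categories. Run with `php download.php` from the command line to exercise the resolver against a constructed temporary store.

```php
<?php
// Added example, not code from the original thread. Assumes the file store
// sits outside the document root and that the login code populates
// $_SESSION['user_login'] (from the accepted answer) and a hypothetical
// $_SESSION['categories'] array naming the categories the user may read.

/** Extensions the site will serve, mapped to the Content-Type to send. */
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

/**
 * Resolve "category/images/name.jpg" (the layout from the question) to an
 * absolute path inside $storeRoot, or return null when the request must be
 * refused: "../" traversal, absolute paths, symlinks that escape the store,
 * unknown extensions, or a category this user is not authorised for.
 */
function resolveDownload(string $storeRoot, string $requested, array $allowedCategories): ?string
{
    $root = realpath($storeRoot);
    if ($root === false) {
        return null;
    }
    // Exactly three components: category / (images|doc) / filename
    $parts = explode('/', $requested);
    if (count($parts) !== 3 || in_array('', $parts, true) || in_array('..', $parts, true)) {
        return null;
    }
    [$category, $kind, $name] = $parts;
    if (!in_array($category, $allowedCategories, true) || !in_array($kind, ['images', 'doc'], true)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // realpath() canonicalises and follows symlinks, so the prefix check also
    // rejects a symlink inside the store that points somewhere outside it.
    $file = realpath($root . DIRECTORY_SEPARATOR . $category . DIRECTORY_SEPARATOR . $kind . DIRECTORY_SEPARATOR . $name);
    if ($file === false || !is_file($file) || strpos($file, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

/** Send the resolved file, or the matching HTTP error, for the current request. */
function serveDownload(string $storeRoot): void
{
    if (empty($_SESSION['user_login'])) {
        http_response_code(403);
        echo "Access Denied!";
        return;
    }
    $allowed = $_SESSION['categories'] ?? [];   // hypothetical per-user category list
    $file = resolveDownload($storeRoot, $_GET['file'] ?? '', $allowed);
    if ($file === null) {
        http_response_code(404);   // same answer for "missing" and "forbidden": no hints about the layout
        echo "File does not exist!";
        return;
    }
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('Content-Length: ' . filesize($file));
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($file);
}

if (PHP_SAPI === 'cli') {
    // Self-test against a constructed store in a temporary directory.
    $store = sys_get_temp_dir() . '/store_' . bin2hex(random_bytes(4));
    mkdir("$store/nature/images", 0700, true);
    file_put_contents("$store/nature/images/tree.jpg", 'constructed jpeg bytes');
    file_put_contents("$store/secret.txt", 'must never be served');
    $cases = [
        'nature/images/tree.jpg'         => 'served',
        'nature/images/../../secret.txt' => 'refused',   // traversal
        '../etc/passwd'                  => 'refused',   // escapes the store
        'nature/doc/tree.jpg.php'        => 'refused',   // extension not allowed
        'finance/images/tree.jpg'        => 'refused',   // category not permitted for this user
    ];
    foreach ($cases as $req => $expected) {
        $got = resolveDownload($store, $req, ['nature']) === null ? 'refused' : 'served';
        printf("%-34s %-8s %s\n", $req, $got, $got === $expected ? 'ok' : 'MISMATCH');
    }
} else {
    session_start();
    serveDownload(__DIR__ . '/../download');   // store one level above the web root
}
```

The realpath() prefix check is the part that matters most: the accepted answer's script builds the path by string concatenation, and without canonicalisation a `file=../../...` value walks out of the download folder. Because realpath() also resolves symlinks, the same check covers the symlink scenario raised later in the thread, at least for this script; whether Apache itself serves a symlinked directory placed under htdocs is decided by the `Options FollowSymLinks` / `SymLinksIfOwnerMatch` setting for that directory, so a symlink is not a substitute for moving the files out of the document root and routing every download through a handler like this.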

Author Comment

by:pajiao
ID: 12266264
Minichicken,

I agree with the functionality of your code but it still does not solve the problem, even if you put them into htdocs/download/images or whichever level, since if someone knows the path, he can still enter the physical path and get the files, such as http://www.mydomain.com/download/images/theimage.jpg

Thanks

Expert Comment

by:minichicken
ID: 12266617
pajiao

What I mean is that you keep the files that you would like to protect OUTSIDE the "htdocs". If you keep them outside, no one can access the files that are outside the htdocs using a browser URL.

If you have a file INSIDE your htdocs you can just do this: www.mydomain.com/images/the_image.jpg and access the file, right?
If you have a file OUTSIDE your htdocs, no one can go a directory level higher than www.mydomain.com, since www.mydomain.com (your root directory) is the highest directory that the browser can access.

Hope I explained it all right this time....

Author Comment

by:pajiao
ID: 12273445
minichicken,

Thanks, got it. Right now my downloadable files are inside htdocs. I can move them outside htdocs but all my code will be affected. I wonder if I use a soft link, will Apache still direct to where the softlink links to? E.g. /htdocs/images where images is a soft link to perhaps /images, where the path is outside htdocs; will I still get to /images when I enter http://www.mydomain.com/images ?

Thanks

Expert Comment

by:minichicken
ID: 12274305
I am not too sure what soft links are :(

As long as your files are OUTSIDE your htdocs, I definitely would not be able to enter http://www.mydomain.com/images in the address bar and download the file. I think if you keep the files outside the htdocs, it is pretty much safe and protected from a browser.

Of course, you must also remember that in the download.php file you need to have some control to check if the user is logged in or not, or check for certain conditions. Otherwise people can use something like http://www.mydomain.com/download.php?file=image.jpg to download the file from the address bar. So please remember to put something like a user session check or something similar in place to protect the files.

regards -

Author Comment

by:pajiao
ID: 12274606
Thanks minichicken, I am aware of that. But due to the complexity of my existing application, I am reluctant to rewrite the code. I'm hoping someone can tell me if entering a soft/symbolic linked directory in the URL will bring me to the linked destination. I have tried and fortunately it couldn't, but I hope someone can confirm this.

Expert Comment

by:minichicken
ID: 12274824
Definitely I understand the pain of going through all the pages and changing the links.... It's a nightmare.

However, for a long term solution, I would still recommend that it is stored outside to make it more secure. Or other secure methods......

regards - :)

Author Comment

by:pajiao
ID: 12277263
Can anyone confirm if entering a soft/symbolic linked directory in the URL will bring me to the linked destination? I have tried and fortunately it couldn't, but I hope someone can confirm this.

Author Comment

by:pajiao
ID: 12479364
So far no one has confirmed my final question.

Expert Comment

by:minichicken
ID: 12480417
Hi pajiao

Sorry, I was unable to confirm the soft/symbolic linked directory part, and was hoping someone would assist me in answering that part of the question.
However, I do believe that I've answered your original question regarding protecting your files from direct download by browser URL.

regards- :)

Author Comment

by:pajiao
ID: 12483657
Yes chicken, maybe I will give you the points to close it... thanks!

Expert Comment

by:minichicken
ID: 12483703
Thanks pajiao, greatly appreciated :)