Solved

Protecting my files

Posted on 2004-10-08
13
154 Views
Last Modified: 2010-03-04
Hi,

I am running an image and file library web site and they have various restrictions for different users. The location of the files for every category is as such:

docroot/category/images/imagename.jpg
docroot/category/doc/docname.pdf

The web application is in PHP and I have coded it so that users will not be able to see the true physical path of the files they are looking at. However, if one knows the true physical path (e.g. docroot/category/images/imagename.jpg), he can simply enter that path in the URL and view the file without even logging into the website. How can I prevent this from happening?

Thanks
Question by:pajiao
13 Comments
 
LVL 12

Accepted Solution

by:
minichicken earned 250 total points
ID: 12265313
Hi

You can keep all your PDF and JPG files a level outside your webroot (htdocs) folder to prevent any direct access from the URL.

You will need a download.php file with the following code:
*********************************************
<?php
session_start(); // $_SESSION is empty until the session has been started

if (!empty($_SESSION['user_login'])) // check that the visitor is logged in before serving the file
{
        $dir  = realpath("../download/category/"); // the directory is outside the web root folder, not accessible through web browsers
        $name = isset($_GET['file']) ? $_GET['file'] : '';
        $file = ($dir === false) ? false : realpath($dir . "/" . $name);
        // realpath() returns false for a missing file; the prefix check rejects values
        // such as "../../etc/passwd" that would otherwise escape the download directory
        if ($file !== false && strpos($file, $dir . "/") === 0 && is_file($file))
        {
              header("Content-type: application/force-download");
              header("Content-Transfer-Encoding: Binary");
              header("Content-length: " . filesize($file));
              header("Content-disposition: attachment; filename=\"" . basename($file) . "\"");
              readfile($file);
        }
        else
        {
              echo "File does not exist!"; // if the file does not exist (or lies outside $dir) print an error
        }
}
else
{
       echo "Access Denied!"; // user not logged in, print an error
}
?>
*********************************************

On your download page, the link to download a PDF should look something like this: "download.php?file=doc/docname.pdf", and the link for a JPG will be something like this: "download.php?file=images/imagename.jpg".
0
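The question mentions per-user restrictions per category and an image library, so here is an added example (not minichicken's code) of the same gatekeeper idea extended with a per-user category check, a path-containment check against "../" in the file parameter, and a real Content-Type so images can be displayed inline rather than force-downloaded. It assumes a constructed `$_SESSION['categories']` array filled in at login and a store directory `../protected/<category>/` one level above the docroot.

```php
<?php
// Added example, not the answer's code. Assumes $_SESSION['user_login'] is set at
// login (as in the answer) and a constructed $_SESSION['categories'] array naming
// the categories this user may read. Files live in ../protected/<category>/images/
// and ../protected/<category>/doc/, outside the docroot, so no URL reaches them.
session_start();
define('STORE_ROOT', realpath(dirname(__FILE__) . '/../protected'));
// Only these extensions are ever served; anything else is refused.
$allowedTypes = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'pdf' => 'application/pdf');

function deny($status, $msg)
{
    header('HTTP/1.0 ' . $status);
    exit($msg);
}

if (empty($_SESSION['user_login'])) {
    deny('403 Forbidden', 'Access Denied!');
}

$category = isset($_GET['category']) ? $_GET['category'] : '';
$file     = isset($_GET['file']) ? $_GET['file'] : '';
$allowed  = isset($_SESSION['categories']) ? $_SESSION['categories'] : array();

// Per-user restriction: the category must be one this user is entitled to.
if (!in_array($category, $allowed, true)) {
    deny('403 Forbidden', 'Access Denied!');
}

// Resolve the request and refuse anything that escapes STORE_ROOT/<category>,
// e.g. a "file" value containing "../". realpath() returns false for missing paths.
$base = realpath(STORE_ROOT . '/' . $category);
$path = ($base === false) ? false : realpath($base . '/' . $file);
if ($path === false || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    deny('404 Not Found', 'File does not exist!');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($allowedTypes[$ext])) {
    deny('403 Forbidden', 'Access Denied!');
}

// Images go out with their real type so <img src="download.php?category=cat&file=images/x.jpg">
// renders inline; PDFs are offered as a download, like the answer's version.
header('Content-Type: ' . $allowedTypes[$ext]);
header('Content-Length: ' . filesize($path));
if ($ext === 'pdf') {
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
}
readfile($path);
```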
 

Author Comment

by:pajiao
ID: 12266264
Minichicken,

I agree with the functionality of your code, but it still does not solve the problem even if you put it into htdocs/download/images or whichever level, as if someone knows the path, he can still enter the physical path and get the files, such as http://www.mydomain.com/download/images/theimage.jpg

Thanks
0
 
LVL 12

Expert Comment

by:minichicken
ID: 12266617
pajiao

What I mean is that you keep the files that you would like to protect OUTSIDE the "htdocs". If you keep them outside, no one can access the files that are outside the htdocs using a browser URL.

If you have a file INSIDE your htdocs you can just do this: www.mydomain.com/images/the_image.jpg and access the file, right?
If you have a file OUTSIDE your htdocs no one can go a directory level higher than www.mydomain.com, since www.mydomain.com (your root directory) is the highest directory that the browser can access.

Hope I explained it all right this time....
0
 

Author Comment

by:pajiao
ID: 12273445
minichicken,

Thanks, got it. Right now my downloadable files are inside htdocs. I can move them outside htdocs, but all my code will be implicated. I wonder, if I use a soft link, will Apache still direct to where the soft link points? E.g. /htdocs/images where images is a soft link to perhaps /images, where the path is outside htdocs; will I still get to /images when I enter http://www.mydomain.com/images ?

Thanks
0
 
LVL 12

Expert Comment

by:minichicken
ID: 12274305
I am not too sure what soft links are :(

As long as your files are OUTSIDE your htdocs, I definitely would not be able to enter http://www.mydomain.com/images in the address bar and download the file. I think if you keep the files outside the htdocs, it is pretty much very safe and protected from a browser.

Of course, you must also remember that in the download.php file you need to have some control to check if the user is logged in or not, or check for certain conditions. Otherwise people can use something like http://www.mydomain.com/download.php?file=image.jpg to download the file from the address bar. So please remember to put in something like a user session check or something alike to protect the files.

regards -
0
 

Author Comment

by:pajiao
ID: 12274606
Thanks minichicken, I am aware of that. But due to the complexity of my existing application, I am reluctant to rewrite the code. I'm hoping someone can tell me if entering a soft/symbolic linked directory in the URL will bring me to the linked destination. I have tried and fortunately it couldn't, but I hope someone can confirm this.
0
 
LVL 12

Expert Comment

by:minichicken
ID: 12274824
I definitely understand the pain of going through all the pages and changing the links.... It's a nightmare.

However, for a long-term solution, I would still recommend that it is stored outside to make it more secure. Or other secure methods......

regards - :)
0
 

Author Comment

by:pajiao
ID: 12277263
Can anyone confirm if entering a soft/symbolic linked directory in the URL will bring me to the linked destination? I have tried and fortunately it couldn't, but I hope someone can confirm this.
0
 

Author Comment

by:pajiao
ID: 12479364
So far no one has confirmed my final question.
0
 
LVL 12

Expert Comment

by:minichicken
ID: 12480417
Hi pajiao

Sorry, I was unable to confirm the soft/symbolic linked directory part, and was hoping someone would assist me in answering that part of the question.
However, I do believe that I've answered your original question regarding protecting your files from direct download by browser URL.

regards- :)
0
 

Author Comment

by:pajiao
ID: 12483657
Yes chicken, maybe I will give you the points to close it...thanks!
0
 
LVL 12

Expert Comment

by:minichicken
ID: 12483703
Thanks pajiao, greatly appreciated :)
0
