Solved

Protecting my files

Posted on 2004-10-08
13
148 Views
Last Modified: 2010-03-04
Hi,

I am running an image and file library web site and they have various restrictions for different users. The location of the files for every category is as such:

docroot/category/images/imagename.jpg
docroot/category/doc/docname.pdf

The web application is in PHP and i have coded it where users will not be able to see the true physical path of the files they are looking at. But however if one is to know the true physical path (eg:docroot/category/images/imagename.jpg
), he can simply enter that path on the url and view the file without even logging into the website. How can i prevent this from happening?

Thanks
0
Comment
Question by:pajiao
  • 6
  • 6
13 Comments
 
LVL 12

Accepted Solution

by:
minichicken earned 250 total points
ID: 12265313
Hi

You can keep all your PDF and JPG file a level outside your webroot (htdocs) folder to prevent any access direct from the URL.

You will need a download.php file with the following code:
*********************************************
<?
if ($_SESSION['user_login'] == true) //check if you login to download the file
{
        $dir = "../download/category/"; //the directory is outside the web root folder, not accessible through web browsers
        $file= $dir.$_GET['file'];
        if (file_exists($file))
        {
              header("Content-type: application/force-download");
              header("Content-Transfer-Encoding: Binary");
              header("Content-length: ".filesize($file));
              header("Content-disposition: attachment; filename=".basename($file). "");
              readfile("$file");
        }
        else
        {
              echo "File does not exisit!"; //If file does not exist print error
        }
}
else
{
       echo "Access Denied!"; //User not logged in print Error
}

?>
*********************************************

On your download page, the link to download the PDFs should look something like this "download.php?file=doc/docname.pdf" and JPG will be something like this "download.php?file=images/imagename.jpg"
0
 

Author Comment

by:pajiao
ID: 12266264
Minichicken,

I agree with the functionality of your code but it still does not solve the problem even if you put into htdocs/download/images or whichever level as if someone knows the path, he can still enter the physical path and get the files such as http://www.mydomain.com/download/images/theimage.jpg

Thanks
0
 
LVL 12

Expert Comment

by:minichicken
ID: 12266617
pajiao

What i mean is that keep the files that you would like to protect OUTSIDE the "htdocs", if you keep it outside, no one can access the files that are outside the htdocs using a browser url.

if you have file INSIDE your htdocs you can just do this: www.mydomain.com/images/the_image.jpg and access the file right?
if you have file OUTSIDE your htdocs no one can go a directory level higher than www.mydomain.com , since www.mydomain.com (your root directory) is the highest directory that the browser can access.

Hope I explain it alright this time....
0
 

Author Comment

by:pajiao
ID: 12273445
minichicken,

Thanks, got it. Right now my downloadable files are inside htdocs. I can move them outside htdocs but all my codes will be implicated. I wonder if i use a soft link, will apache still direct to where the softlink links to? Eg:/htdocs/images where images is a soft link to perhaps /images where the path is outside htdocs and will i still get to /images when i enter http://www.mydomain.com/images ?

Thanks
0
 
LVL 12

Expert Comment

by:minichicken
ID: 12274305
I am not too sure what soft links are :(

As long as your files are OUTSIDE your htdocs, I definitely cannot not able to enter http://www.mydomain.com/images at the address bar and download the file. I think if you keep the files outside the htdocs, it pretty much very safe and protected from a browser.

Of course, you must also remember in the download.php file you need to have some control to check if the user is logged in or not or check for certain conditions. Otherwise people can use something like http://www.mydomain.com/download.php?file=image.jpg to download the file from the address bar. So please remember too put something like user session check or something alike to protect the files.

regards -
0
 

Author Comment

by:pajiao
ID: 12274606
Thanks minichicken, i am aware of that. But due to the complexity of my existing application, i am reluctant to rewrite the code. I m hoping if someone can tell me if entering a soft/symbolic linked directory on the url will bring me to the linked destination. I have tried and fortunately it couldnt, but i hope someone can confirm this.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 12

Expert Comment

by:minichicken
ID: 12274824
Definitely I understand the pain of going through all the pages and change the links.... It a nightmare.

However for a long term solution, I would still recommend that it stored outside to make it more secure. Or other secure methods......

regards - :)
0
 

Author Comment

by:pajiao
ID: 12277263
Can anyone confirm if entering a soft/symbolic linked directory on the url will bring me to the linked destination. I have tried and fortunately it couldnt, but i hope someone can confirm this.
0
 

Author Comment

by:pajiao
ID: 12479364
So far no one has confirmed my final question.
0
 
LVL 12

Expert Comment

by:minichicken
ID: 12480417
Hi pajiao

Sorry, I was unable to confirm with soft/symbolic linked directory part, and was hoping someone to assist me in answering that part of the question.
However, I do believe that I've answered your original question regarding protecting your files from direct download by browser URL.

regards- :)
0
 

Author Comment

by:pajiao
ID: 12483657
yes chicken, maybe i wil give u the points to close it...thanks!
0
 
LVL 12

Expert Comment

by:minichicken
ID: 12483703
Thanks pajiao, greatly appreciated :)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In Solr 4.0 it is possible to atomically (or partially) update individual fields in a document. This article will show the operations possible for atomic updating as well as setting up your Solr instance to be able to perform the actions. One major …
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now