Solved

File Sharing application

Posted on 2005-05-04
Last Modified: 2008-03-06
I would like to develop a file sharing application with PHP. It will let users upload some docs to the web folder, and authorized users can download the files after login (the file types are doc and pdf).

However, how should I set the security mode for the files? If an unauthorized user knows the path of an uploaded doc, he can simply type the link in the browser and get the file, so what should I do? Please help. Or is it impossible?

Should I implement it through FTP? If so, how should I set it up? Please advise...

Question by:esther_6694
19 Comments
 
LVL 16

Expert Comment

by:alain34
ID: 13926325
I would recommend that you store each file in a database as opposed to a web folder.
If the files are stored in a database (in a blob field), you can easily define administration rules on who can upload and download, and how.
 
LVL 20

Accepted Solution

by:virmaior
virmaior earned 500 total points
ID: 13926733
alain34- While the security is easier to control via a DB, they don't store files very well. So I wouldn't recommend storing them in a DB, since the files themselves don't behave as nicely. It's really best to store the paths of the files in the DB and keep the security/management benefits there while keeping the files out of the DB.

Instead, keep the files in folder structures and use an .htaccess file and 2 PHP pages to control the process:
1. a page to present the directory tree as the person is allowed to see it.
2. a page to allow for the download of files.

The second page provides the security by doing DB checks on each attempted download. You can even leave the downloads at the native path just by using a combination of .htaccess and PHP (this method assumes you use Apache as your webserver).

here's the .htaccess element:

RewriteEngine On
RewriteRule ^/?([^/]*\.*?|[^\./]*)[:;,\.]*$ /downloadengine/download.php [L,NS]

(place this in the root of your shared folder system)

in PHP, do the following as download.php:

<?php
session_start(); // the rights check below reads the session, so it must be started first

if ($_SESSION['usergroups'][0] == 'y') // check that you are logged in before serving the file
{
    // REQUEST_URI may carry a query string; keep only the path part before mapping it to disk
    $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
    $file = $_SERVER['DOCUMENT_ROOT'] . $path;
    if (file_exists($file))
    {
        // a second Content-Type header would replace the first, so only one is sent
        header('Content-Type: application/force-download');
        header('Content-Location: ' . $path);
        header('Content-Transfer-Encoding: Binary');
        readfile($file);
    } else {
        if ($_SESSION['usergroups'][7] == 'y') { echo 'File Not Found'; } else { include 'error.php'; }
    }
} else {
    include 'error.php';
}

(in my system I only check a session for rights; you can replace this with any sort of DB checking).

for the other file, I'd suggest looking at the glob function in the file system section of the manual, particularly:

<?php
// list every file with an extension in the current directory, one per line
foreach (glob('*.*') as $bob)
{
    echo $bob . '<br />';
}
 
LVL 16

Expert Comment

by:alain34
ID: 13926896
virmaior, it is your point of view.
I believe it is easier in a DB!
 
LVL 9

Assisted Solution

by:gruntar
gruntar earned 500 total points
ID: 13926940
I strongly dissuade you from storing files in a database. It is far easier to manage files than a database (unless you own the server). The simple solution is to protect the folder with the files using .htaccess.

Then you have one script that reads the requested file. That way you have an easy to manage (using FTP for backup) and secure application.

Check solution http:Q_21330262.html

cheers
 
LVL 9

Expert Comment

by:gruntar
ID: 13926964
alain34, can you imagine backing up 200 megs of SQL data (with phpMyAdmin) on a shared server?

cheers
 
LVL 16

Expert Comment

by:alain34
ID: 13927117
how do you know esther_6694 has 200 meg of data?
 
LVL 9

Expert Comment

by:gruntar
ID: 13927362
:)

how do you know esther_6694 won't have 200 meg of data?
 
LVL 4

Expert Comment

by:Kooroo
ID: 13928735
just put the file somewhere outside the webserver's document root. Then an anonymous user can't just read the file out. So long as the web service account has read access to that file, you can use

<?php
$file = "absolute system path to file";
header("Content-Description: File Transfer");
header("Content-Type: application/force-download");
// quote the filename so names containing spaces or semicolons survive intact
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
readfile($file); // the @ that silenced errors is dropped so a missing file is visible in the log

and it will spit the file out to the browser when that code is executed. You can then control access via PHP control structures or logic.
Change the Content-Type header field if you want the browser to recognize the file type.

cheers!
 
LVL 16

Expert Comment

by:alain34
ID: 13930523
200 meg of database or files is still 200 meg!!
No difference in size!
 
LVL 4

Expert Comment

by:Kooroo
ID: 13930921
I don't think entering files into a database would provide any benefit here.

The files already sit inside a searchable, seekable data structure many times faster than MySQL. It's the filesystem. Database user permissions don't come into effect because there's only one system user doing all the work. It's probably called (www) or (NT_NETWORK_SERVICE). There aren't concurrent updates or writes, so a database locking mechanism isn't being used. The filesystem already holds an index table based off the filename, and memory caching has been built into every major filesystem for the past 5 years. While binary blobs have their place, I don't think it applies here. This is just my opinion, but I think it makes sense.

The OP's concern is to prevent people who know the filename from punching the location into a browser and downloading willy-nilly. Solution: keep the documents outside of the document root and let PHP handle permissions and delivery.

example:
web directory is in /home/esther/www/
put the downloadables in /home/esther/downloads/

so assuming we have a file called "cheesypoofs.xls" in /home/esther/downloads,

a script cheesypoofs.php consisting of:

<?php
// the file lives outside /home/esther/www, so this script is the only way to reach it
$file = "/home/esther/downloads/cheesypoofs.xls";
header("Content-Description: File Transfer");
header("Content-Type: application/force-download");
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
readfile($file);

will let users download the cheesypoofs.xls file.
Changing the value of $file will, obviously, refer to a different file, and it can be dynamically obtained... possibly from a small database record.
Dropping in control structures like "if", "while" etc. will let the OP fine-tune access or behavior. It's a pretty handy piece of code to have around.
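Pulling the thread's advice together (virmaior's DB check on every download, Kooroo's folder outside the document root), here is an added example download script; it is not code from any of the posters. The `/home/esther/downloads` path is Kooroo's; the `$catalog` array, the `id` parameter and the `$_SESSION['user']['group']` layout are constructed stand-ins for the database rows and login session the thread describes.

```php
<?php
// Added example, not from the thread. Files live outside the document root; the browser
// never supplies a path, only an opaque id that is looked up in the catalog.
declare(strict_types=1);
session_start();

const SHARE_DIR = '/home/esther/downloads';   // must be a canonical path (no symlinks)

// Constructed stand-in for the DB rows virmaior describes: id => stored name, type, groups.
$catalog = [
    17 => ['name' => 'report-2005.pdf', 'mime' => 'application/pdf',    'groups' => ['viewer', 'moderator']],
    18 => ['name' => 'budget.doc',      'mime' => 'application/msword', 'groups' => ['moderator']],
];

function fail(int $status): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $status === 401 ? 'login required' : ($status === 403 ? 'not allowed' : 'not found');
    exit;
}

// 1. Authentication: the session set at login is the only thing the client can present.
if (empty($_SESSION['user']['group'])) { fail(401); }

// 2. Look the file up by id; unknown or non-numeric ids are indistinguishable from "not found".
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false || !isset($catalog[$id])) { fail(404); }
$entry = $catalog[$id];

// 3. Authorization: the per-file group check, done on every download attempt.
if (!in_array($_SESSION['user']['group'], $entry['groups'], true)) { fail(403); }

// 4. Defence in depth: even a bad catalog row must not escape SHARE_DIR.
$path = realpath(SHARE_DIR . '/' . $entry['name']);
if ($path === false || !is_file($path)
    || strncmp($path, SHARE_DIR . '/', strlen(SHARE_DIR) + 1) !== 0) { fail(404); }

// 5. Stream it as an attachment with a sanitised name so header injection is impossible.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $entry['name']);
header('Content-Type: ' . $entry['mime']);
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The listing page virmaior mentions would then link to `download.php?id=17` and friends, showing only the rows whose `groups` contain the logged-in user's group.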
 
LVL 4

Expert Comment

by:Kooroo
ID: 13930934
ps - if you're assigning points for my above statement, they should go to virmaior; he said it first, except he includes all the code.
 

Author Comment

by:esther_6694
ID: 13932490
Thanks for all of your professional comments. I decided to go with virmaior's solution (and other related assisted solutions as well), as I do want to keep the features associated with a real file system.

However, I would like to ask...
1. If I store the files outside the document root, how does the PHP in the document root know what files are in the sharing list? Do you mean I have to store the filename, the physical location and who can access the file in the DB?

2. What mode should I set for the sharing files? (chmod to what?) Just leave it 755?

Sorry for my stupid questions..
 

Author Comment

by:esther_6694
ID: 13932553
One more question.. so if an image-based file is uploaded for sharing, what PHP function can I use to preview that image? (imagegif? imagejpeg?) How about swf files?
 
LVL 9

Expert Comment

by:gruntar
ID: 13933184
esther_6694, you don't have to put files outside the document root. All you have to do is put a .htaccess file in the folder that you want to protect. Put this code in it:

<Limit GET POST>
  Order deny,allow
  Deny from all
</Limit>

This would block direct access to your folder.

cheers
 

Author Comment

by:esther_6694
ID: 13933412
I've added

RewriteEngine On
RewriteRule ^/?([^/]*\.*?|[^\./]*)[:;,\.]*$ /downloadengine/download.php [L,NS]

as per virmaior's suggestion in the folder; it seems it can limit access to only a specific PHP script. Should I set the folder to 777? As my system would allow file upload too, and the file copy from PHP needs the destination folder to be open to the public..., will 777 be incompatible with the .htaccess settings? Please advise.
 
LVL 20

Expert Comment

by:virmaior
ID: 13935351
The solution I (and the other experts) showed you provides the way that files are DOWNLOADED.
Controlling how they are previewed and/or uploaded are two separate issues.

1. How you set the chmod on the folders won't affect the download script, as it works through PHP and only needs read rights.

2. To make previews of images, you would want to do an imagecopyresampled() (http://us3.php.net/manual/en/function.imagecopyresampled.php)...
To make previews of video files or swf files, you will probably have to resort to some other means (I don't know off hand).

3. Upload functionality and being public sounds more like an anonymous FTP site than somewhere that there's any need for PHP. What's the point of securing who can download if anyone can upload?
You should make a page that shows previews/file names for everything a user can see.
 

Author Comment

by:esther_6694
ID: 13941811
Hi virmaior,

My system would have 2 levels of users - modulator & viewer, and my PHP would allow only the modulator to upload files (using the session to check whether upload is possible for that user).

The uploaded file would be copied properly to the sharing folder [outside the document root] by move_uploaded_file, but I need to change the mode of the sharing folder to 777.

I am not familiar with mode settings / .htaccess on Apache/Linux.. I just wonder whether it will not be safe enough, in that someone may easily upload/download things from the folder under the above settings... please kindly advise...
 
LVL 20

Expert Comment

by:virmaior
ID: 13942547
That should be fine (afaik - I use win32, but exposing the temp directory shouldn't be all that dangerous unless you blindly copy everything you find there).
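The moderator-only upload esther_6694 describes, written out as an added example (not code from the thread). It assumes the `/home/esther/downloads` folder from Kooroo's post and a hypothetical `$_SESSION['user']['group']` set at login, and it shows why the folder never needs to be 777: PHP writes as the web server user, so the directory only has to be writable by that user (owned by it, mode 0750), and the file is stored under a random name so the original filename never touches the filesystem.

```php
<?php
// Added example, not from the thread. The stored-name/display-name pair is what the
// download script would later look up in the database.
declare(strict_types=1);
session_start();

const SHARE_DIR = '/home/esther/downloads';   // outside /home/esther/www; owned by the web user, mode 0750
const MAX_BYTES = 10 * 1024 * 1024;
// Extension allow-list with the libmagic label each one is expected to carry (assumed labels).
const ALLOWED   = ['pdf' => 'application/pdf', 'doc' => 'application/msword'];

function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// Only the moderator group may upload; viewers get a 403 before any file is touched.
if (($_SESSION['user']['group'] ?? '') !== 'moderator') { fail(403, 'upload is moderator-only'); }
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['doc'])) { fail(400, 'no file sent'); }

$up = $_FILES['doc'];
if ($up['error'] !== UPLOAD_ERR_OK) { fail(400, 'upload error ' . $up['error']); }
if ($up['size'] > MAX_BYTES)       { fail(413, 'file too large'); }

// Check the claimed extension against the allow-list, then make sure the content agrees with it.
$ext = strtolower(pathinfo($up['name'], PATHINFO_EXTENSION));
if (!isset(ALLOWED[$ext])) { fail(415, 'only .doc and .pdf are accepted'); }
$detected = (new finfo(FILEINFO_MIME_TYPE))->file($up['tmp_name']);
if ($detected !== ALLOWED[$ext]) { fail(415, "content looks like $detected, not .$ext"); }

// Store under an opaque random name; the user-supplied name is kept only as display metadata.
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
$dest   = SHARE_DIR . '/' . $stored;
if (!move_uploaded_file($up['tmp_name'], $dest)) { fail(500, 'could not store file'); }
chmod($dest, 0640);   // readable by the web user and its group only, never executable

// At this point the catalog row would be written, e.g.:
// INSERT INTO files (stored_name, display_name, mime, allowed_group) VALUES (?, ?, ?, ?)
$display = preg_replace('/[^A-Za-z0-9._ -]/', '_', basename($up['name']));
echo "stored $display as $stored";
```

With the directory owned by the web server user, `chmod 750` on `/home/esther/downloads` is enough for `move_uploaded_file` to succeed, and the .htaccess rules are unaffected either way because they only govern what Apache serves over HTTP, not what PHP may write.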
 
LVL 14

Expert Comment

by:huji
ID: 16208386
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: virmaior & gruntar

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Huji
EE Cleanup Volunteer
