File upload / Download for authenticated users


The following assumes I have a user in an authenticated session.

I understand how an upload to a file directory works. What I want to know is, once that file is uploaded, how do I make it available only to that user?

Say I upload it to:

What's to stop another user trying to download that file if they guess the URL? How do I make it a little more secure with my PHP / MySQL site & authentication so only that user can download the file? Should I store it in the MySQL database, or can some security be implemented at the file system level?


check this out:

and you will need to refer to the location of your htpasswd file in your httpd.conf

hope this helps.

BrettskiWork (Author) commented:
re: http:Q_21131507.html

so what url shows up on the download then if it is a url that can't be directly accessed? Or does just the filename show?
you can use download.php?file=/user1/file.doc as URL and implement that check in download.php
but if you do that, the user will know the location of the file right?
unless, you password-protect that folder,
and also do the checking in download.php, then it will do double authentication...
What I usually do is to store in a DB which user has uploaded what. I save the files in one directory where the direct access through http is denied or say outside the web space.
so in the DB I have
file_id auto_increment

and then the download should go through a php script say
in that file you have to check if the file with ID 5 is uploaded by this user and then pass the file
$file is the file name from the DB
$uploaddir is the directory of the uploaded files
header("Content-type: application/x-something");
header("Content-Disposition: attachment; filename=".$file);
$filename = $uploaddir.$file;
if (file_exists($filename)) {
    readfile($filename); // pass the file contents to the browser
}

you have to be careful though...
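
The approach described above (files kept outside the web space, ownership recorded in the database, download only through a PHP script), written out as an added example that is not part of the original thread. The table and column names, the session key, the upload path and the database credentials are assumptions made for illustration.

```php
<?php
// download.php?id=5 : serve a file only to the user who uploaded it.
// Assumed (hypothetical) schema: files(file_id, user_id, stored_name, original_name)
// Assumed: the login code has stored the user's id in $_SESSION['user_id'].
session_start();

$uploaddir = '/var/app-uploads/';   // assumed path, outside the web root

if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

// Accept only a numeric id; the client never supplies a path or file name.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Bad request');
}

// Placeholder DSN and credentials.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// The ownership check is part of the query: a row comes back only if this user owns the file.
$stmt = $pdo->prepare(
    'SELECT stored_name, original_name FROM files WHERE file_id = ? AND user_id = ?');
$stmt->execute([$id, $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// basename() strips any directory part in case a bad value reached the DB.
$path = $row ? $uploaddir . basename($row['stored_name']) : null;

// Same response for "no such file" and "not yours", so ids cannot be probed.
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('File not found');
}

// Replace characters that could break out of the quoted header value.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($row['original_name']));

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the URL carries only an id and the files sit outside the document root, guessing a URL gives another user nothing: the query returns no row unless the session's user id matches the uploader.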
how about something like this..... just a guide, fill in the coding

for uploading.....

$save_file_as = md5($password.$upload_filename).$user; /* save the file as an extensionless md5 hash lets see someone (a) guess the name and (b) be able to access it through a browser */
$add_file_name_to_user_db = $upload_filename; /* save the real filename to the user database for accessing it later */

for accessing the file.......

$temp_filename = md5($password.$filename_from_user_db).$user; /* recreate our md5 hash */
copy($temp_filename,$filename_from_user_db); /* create a copy of the extensionless md5 hash file and save it as our filename*/

now you have a copy to play with, just remember to delete it when you have finished using it, even better read the $temp_filename into a tmpfile() and the copy will delete itself at end of script (or with fclose), you can even perform rollback operations etc if you append the file.
BrettskiWork (Author) commented:
Well, sounds like it's a little "hacky" any way we go..

naskovoto ?? Why did you say you have to be careful with your script?

May end up just storing them in a database, maybe an easier way to go, and I can do things like version control etc..