Create PDF from JSON File - Security Issue


I have completed a PHP form which, once submitted, writes a JSON file to the "files/" folder, and the user can create a PDF file by clicking on the link (see code below).
I am concerned about security as the JSON files saved in the "files/" folder will contain sensitive information on the server.

Can anyone advise the best practice to manage/improve this situation?
Hope this makes sense :)

<?php
// Print Receipt to PDF: write form values to a JSON file and create the PDF on the fly when the link is clicked
$arr = ['pfn' => $pfirstname, 'pln' => $plastname, 'pa1' => $paddress1, 'pa2' => $paddress2, 'ptv' => $ptownvillage, 'pec' => $postcode, 'amo' => $amount];
// Random file name for this submission
$temp_name = uniqid(rand(), true) . '.json';
file_put_contents('/var/www/MyWebsite/files/' . $temp_name, json_encode($arr));
// Link that passes the file path to pdf.php
echo '<a href="https://mywebsite/pdf.php?q=files/' . $temp_name . '" target="_blank">Download PDF</a>';
?>


F Grace asked:

Peos John (PHP) commented:
You can protect your "files" folder using .htaccess

Ray Paseur commented:
Just a thought for going forward... You can add multiple topic areas to your questions.  Since this is at least partially a PHP question, you can add the PHP topic area.  You will get more eyes on the question if you have more topic areas (assuming they are relevant topic areas).  There is also a "related question" feature hidden somewhere in this site -- you might ask E-E customer support how to find that.  As I understand it, the related questions will be somehow linked so that askers and answerers can follow a chain of ideas from question to question.

In the instant case (sensitive information) there are a couple of common design patterns.  First, there is client authentication and authorization. This article teaches the basics.  If you're handling sensitive information your clients will usually accept the modest inconvenience of being asked to register and log in.  The article shows how to "remember" their login with HTTP cookies, so the inconvenience is minimized.

If you want an extra layer of security, you can put the files with sensitive data into a directory that is outside of the WWW root directory tree.  The strategy here is to make the files unavailable to a browser that visits the site.  In order to read the files, your client must go through a PHP script that is password protected.

You can add other layers of security (it's an endless subject) but these two steps will probably suffice.
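
The two layers described in the answer above (files kept outside the web root, read only through a PHP script that checks who is asking), as an added example that is not part of the original thread. The function names, the private directory and the session array layout are assumptions.

```php
<?php
// Added example, not the poster's code. Function names and paths are hypothetical.
// Assumption: $privateDir is outside the web root, so no URL maps to the files in it.

// Form handler side: store the data under an unguessable ID owned by this session.
function save_receipt(string $privateDir, array &$session, array $data): string
{
    $id = bin2hex(random_bytes(16));            // CSPRNG instead of uniqid(rand(), true)
    $path = $privateDir . '/' . $id . '.json';
    if (file_put_contents($path, json_encode($data), LOCK_EX) === false) {
        throw new RuntimeException('could not store receipt');
    }
    chmod($path, 0600);                         // readable by the PHP user only
    $session['receipts'][$id] = true;
    return $id;                                 // the link carries ?id=<id>, never a path
}

// pdf.php side: return the stored data, or null when the request must be refused.
function load_receipt(string $privateDir, array $session, string $id): ?array
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        return null;                            // not an ID we issued (slashes, dots, ...)
    }
    if (empty($session['receipts'][$id])) {
        return null;                            // ID belongs to a different session
    }
    $base = realpath($privateDir);
    $path = realpath($privateDir . '/' . $id . '.json');
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;                            // missing file or resolved outside the store
    }
    $data = json_decode(file_get_contents($path), true);
    return is_array($data) ? $data : null;
}

// Constructed demo: plain arrays stand in for $_SESSION of two logged-in users.
$dir = sys_get_temp_dir() . '/receipts_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$owner = [];
$other = [];
$id = save_receipt($dir, $owner, ['pfn' => 'Test', 'pln' => 'User', 'amo' => '10.00']);
var_dump(load_receipt($dir, $owner, $id));          // request from the session that created it
var_dump(load_receipt($dir, $other, $id));          // same ID from another session
var_dump(load_receipt($dir, $owner, '../' . $id));  // path-like value instead of an ID
unlink($dir . '/' . $id . '.json');
rmdir($dir);
```

On the site itself, `$_SESSION` (after `session_start()` and the login check) takes the place of the demo arrays, and pdf.php reads the ID from `$_GET['id']`.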

Ray Paseur commented:
stale question