virtual_odin Posted October 19, 2008

I'm trying to create secure document storage for my users. In general, access to the secure area (more than this docs area) is by a username and password stored in a MySQL database (md5 encoded) and session variables to create just one login. Each page tests that the session variables are correct, and this seems to be working fine. I'd like the same credentials to determine access to the documents directory. I've coded that from the PHP pages which pull up the documents, but the directory itself has to be CHMOD 777 in order to allow the uploads, so it is there for all to see, if they knew where to look.

So the question: is there a way to protect the files in this directory using the session credentials? I don't want to use .htaccess because it would mean another log-in for my users.

Grateful for any thoughts.

Tim
ratcateme Posted October 19, 2008

How about moving the files outside the web directory? Say the web directory looks like this: /web/admin_files/, and to access the admin files you put in http://localhost/admin_files/. What if you moved the files to /admin_files/, so they are outside the web directory, and then put a script like this in the web root:

```php
<?php
// download.php
// session check goes here

// Keep only the file name: any directory part (e.g. "../") is dropped so the
// request cannot reach outside /admin_files/.
$file = basename($_GET['file']);

// Extension to MIME type lookup; anything not listed is sent as text/plain.
$exts = array('doc' => 'application/msword', 'xls' => 'application/excel');
$ext  = substr($file, strrpos($file, '.') + 1);
$mime = isset($exts[$ext]) ? $exts[$ext] : "text/plain";

header("Content-Type: {$mime}");
readfile("/admin_files/{$file}");   // the directory outside the web root
?>
```

So rather than linking the users to the actual file, you link them to download.php?file=filename. For the MIME types you can get a list from http://www.webmaster-toolkit.com/mime-types.shtml

Scott.
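A fuller version of the gatekeeper script sketched above, added here as an example and not code from the thread. It assumes the login pages set $_SESSION['user_id'] (a name chosen for illustration) and that the documents live in /admin_files/ outside the document root, as Scott describes. The three things it adds to the sketch are a real session check in place of the comment, an allowlist on the requested name plus a realpath containment check (so neither "../" nor a symlink dropped into the upload directory can reach another file), and a forced download so an uploaded HTML or SVG file is never rendered inside the site's origin.

```php
<?php
// download.php (added example; assumptions: $_SESSION['user_id'] is set at
// login, documents are stored in /admin_files/ outside the web root)

session_start();

// 1. Gate on the same session the rest of the secure area uses.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not logged in');
}

$storeDir = '/admin_files';   // outside the document root, per the thread

// 2. Accept only a plain file name: letters, digits, dot, dash, underscore,
//    not starting with a dot. No slashes, no NUL bytes, no "..".
$name = isset($_GET['file']) ? $_GET['file'] : '';
if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $name)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad file name');
}

// 3. Resolve the path and confirm it is still inside the store. This also
//    catches a symlink that points out of /admin_files/.
$base = realpath($storeDir);
$path = realpath($storeDir . '/' . $name);
if ($base === false || $path === false
    || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such document');
}

// 4. MIME type from an allowlist keyed on the extension; anything unknown is
//    sent as a generic binary download rather than guessed.
$types = array(
    'doc' => 'application/msword',
    'xls' => 'application/vnd.ms-excel',
    'pdf' => 'application/pdf',
);
$ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
$mime = isset($types[$ext]) ? $types[$ext] : 'application/octet-stream';

// 5. Send as an attachment; $name passed the allowlist above, so it cannot
//    inject quotes or line breaks into the header.
header('Content-Type: ' . $mime);
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Links then take the form download.php?file=report.doc. Once the directory sits outside the web root its mode matters far less, but it still only needs to be writable by the web server's own user (for example 0770 owned by that user), not 777.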
virtual_odin Posted October 19, 2008

Thanks Scott. I'd done the scripting bit, and I once knew that I should use a directory outside the web directory, but had forgotten! Part of the reason for the forgetfulness is that the host I have is really tightly locked down (error: open_basedir restriction in effect), but I'll have to investigate opening up the permissions.

Tim
ratcateme Posted October 19, 2008

What about putting them in a directory inside your webroot with a .htaccess denying all access? Then PHP can access them and nothing else.

Scott.
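The in-webroot alternative Scott suggests, written out as an added example (not from the thread). The directory name /web/admin_files/ is the one used earlier in the thread. Apache 2.2 was current when this was posted; the 2.4 equivalent is shown in the comment.

```apache
# /web/admin_files/.htaccess  (added example)
# Apache 2.2: refuse every HTTP request for this directory. PHP's readfile()
# reads from the filesystem, so download.php is unaffected.
Order deny,allow
Deny from all

# Apache 2.4 (mod_authz_core) replaces the two lines above with:
# Require all denied
```

Two caveats before relying on this instead of moving the files out of the web root. First, the rule only takes effect if the server's configuration permits it: AllowOverride Limit (2.2) or AllowOverride AuthConfig (2.4) for that directory; with AllowOverride None the file is silently ignored and the documents are back on the open web. Second, the directory is the same one the upload code writes into, so the upload handler must never let a user choose a name like .htaccess, or the deny rule is overwritten by the next upload.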
virtual_odin Posted October 19, 2008

Thanks, but I have mastered the storing-the-files-outside-the-web-root bit on my host. It turned out not to be half as difficult as I had thought it would be; perhaps it is in one of the more recent Plesk upgrades. Double bonus: I have put my MySQL credentials in a similar folder, which I had always known was good practice but had struggled to deliver. Now I have to do the same for my other sites...

Tim