lordrain11 Posted June 27, 2006

Hello, I am a moderate php user and for a new site I am working on have come across something that I haven't had to do before. Users on the site can upload personal documents, .doc, .xls, .mp3, etc. files to the site for storage. The files are copied to a directory and the locations are inserted into the mysql table, nothing tricky there. My question is this though... I want to password protect the directory and files so that only the person who uploaded the files can view them. When users log in I use php to create a session, and each page of the member area checks to make sure there is a session; that's how I handle the uploads, for example. How can I password protect the directory from everyone else, but allow the user to see it if they are logged in? I don't want the separate login screen to pop up, like you are logging onto a control panel, because my users will have already logged on to the site. I want to do this part all behind the scenes. I further would like to do a similar thing with the individual files themselves.

My first thought was to change the permissions. I didn't want to do this at the directory level though, since if I changed it back for one user, then until that user was done everyone would have access to the directory. So I thought I'd use permissions on the files. So when the file is uploaded I set the permissions to 0, no one has access. Then when the user is logged in and clicks to view their file, the php can change the permission to 777 or something in between and let them look at the file. This works, but then I am stuck with how do I make sure the files get the permissions changed back to 0 when the user is done. To do it in php there needs to be an action and I don't want to trust the user that they will click another link.

I also don't like the idea of people being able to go to http://www.mypage.com/filedir/ and being able to see the list of files even if they are protected by permissions. How can I get around my problem, or is there a better way to do this that is standard? The files are very sensitive so security is a big concern here.

Also, any words of advice on how to protect the server from users uploading viruses? Thanks so much, I am very appreciative of any help.
phpstuck Posted June 27, 2006

If I am reading correctly... Don't let them view the files on the directory itself. I would add the user's ID number from your users table to their session. When they upload a file, enter the file name along with their username and id into that database; this way each file is associated with a user. Then when a user wants to view their files you can create a page that will only pull file names associated with the logged-in user and echo them as a link for download. Close the entire directory with permissions or by inserting an index page into it.
lordrain11 Posted June 28, 2006 Author

What you said about combining the user id with the file name is actually what I am doing already. And I understand that by putting an index page up it will block the directory. But these are very sensitive files, isn't this still a security risk? Can't someone experienced still find the file names in the directory and then get the files by just typing them in? There has to be some more security I can add. Thanks.
dptr1988 Posted June 28, 2006

This is the way I would do it. Block your protected directory from all internet access, and make a PHP script that will get the files for them out of the protected directory and send them to the user with the standard send header/readfile() method. That routes all of the file access through your PHP script, which can authenticate the users. About the index page method, it is NOT secure at all! All it will do is keep users from viewing the directory. Anybody can access a file if they know the filename.
lordrain11 Posted June 29, 2006 Author

By block the directory from internet access do you mean with permissions? What number would accomplish that? Then how can I have the php get around that block? Also, any detail on the send header/readfile() method would be great as I am not familiar with this. Thanks.
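
An added example, not part of the original thread: a minimal download script for the approach dptr1988 describes, with the upload directory kept outside the web root and every request routed through an authenticated PHP script. The table and column names, session key, storage path and database credentials are assumptions made for illustration.

```php
<?php
// download.php - added example, not code from the thread.
// Assumed (hypothetical) names: table `uploads` (id, user_id, stored_name,
// original_name), session key `user_id`, storage path and DB credentials.
declare(strict_types=1);
session_start();

const STORAGE_DIR = '/var/www/private_uploads'; // outside the web root: no URL maps to it

// 1. Only logged-in users get past this point.
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in.');
}

// 2. Look the file up by numeric id AND owner; the client never supplies a path.
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($fileId === false || $fileId === null) {
    http_response_code(400);
    exit('Bad request.');
}
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4',
    'example_user', 'example_pass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT stored_name, original_name FROM uploads WHERE id = ? AND user_id = ?');
$stmt->execute([$fileId, $_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. Resolve the path and confirm it is still inside the storage directory.
$base = realpath(STORAGE_DIR);
$path = ($row && $base !== false)
    ? realpath($base . '/' . basename($row['stored_name'])) : false;
if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404); // same answer for "missing" and "belongs to someone else"
    exit('File not found.');
}

// 4. Send as a download; the browser must not guess the type or render it inline.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

The web server account only needs read access to the storage directory; because the directory has no URL, there is no permission to toggle per request and no directory listing to hide.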