
[SOLVED] Paper upload security problem


plodos


<?php
session_start();            // required before $_SESSION['id'] is read below
include('dbconfig.php');

if (isset($_FILES['paper'])) {
    $file_name = $_FILES['paper']['name'];
    // extension of the upload, e.g. ".pdf", taken from the client-supplied file name
    $file_ext  = strtolower(substr($file_name, strrpos($file_name, ".")));

    // note: the title comes straight from the request and is interpolated unescaped
    $q      = "insert into paper set title='{$_REQUEST['title']}', ext='$file_ext', user='{$_SESSION['id']}'";
    $result = mysql_query($q);

    // the auto-increment id of the new row becomes the file name inside sweet_papers/
    $fid = mysql_insert_id();
    move_uploaded_file($_FILES['paper']['tmp_name'], 'sweet_papers/' . $fid . $file_ext);

    header('Location: http://' . $_SERVER['SERVER_NAME'] . '/my_papers.php');
}
?>

This code is saving the file inside of sweet_papers with the mysql insert id as the file name,

like

 

http://www.mmmmmm.com/sweet_papers/67.pdf

http://www.mmmmmm.com/sweet_papers/68.pdf

http://www.mmmmmm.com/sweet_papers/69.pdf

 

I'm using this to list the papers in my_papers.php:

<?php
session_start();            // $_SESSION['id'] is used in the query below

$q      = "select paper.* from paper where paper.user={$_SESSION['id']} order by id desc";
$result = mysql_query($q);

// one direct link per paper, pointing straight at the file in sweet_papers/
$opstr = array();
while ($row = mysql_fetch_array($result)) {
    $opstr[] = "<a href='sweet_papers/{$row['id']}{$row['ext']}'>{$row['title']}</a>";
}

 

but everybody can read these papers.

Type the URL http://www.mmmmmm.com/sweet_papers/69.pdf and you can read it.

 

How can I protect these files from unwanted users?

Also I used Options -Indexes in .htaccess for directory listing, but it is not enough :-\


I have the login system, but

if someone types the URL http://www.mmmmmm.com/sweet_papers/67.pdf they can see the contents,

 

but http://www.mmmmmm.com/admin.php is protected with sessions,

or http://www.mmmmmm.com/users.php.

 

How can I protect these papers?

I am assuming you are using sessions to control your login information. Just put something like this at the top of your screen:

 

<?php
session_start();            // the session must be started before $_SESSION is checked
if (!$_SESSION) {
    // code displaying "you must be logged in to view these papers"
} else {
    // code displaying the paper
}

You need to dynamically output the documents using a php script. The link you provide will be to that php script with a parameter on the end of the url that indicates which document should be output. That php script will check if the visitor making the request for that document is logged in and is permitted to access that document (in case you have access levels or limit access to "owners" of each document.) If the visitor is allowed to access the document that was requested, then the php script will output any necessary headers and read the correct document and output it to the browser. You will then need to disable browser access to the folder where the documents are located. The best way to do this is to move the folder to be outside your document root folder (closer to the root of the disk.) The second best way is to put a .htaccess file in the folder that prevents all http requests to the files in the folder.
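The script-fronted download described in that reply, written out as an added example (it is not code from anyone in this thread). It assumes dbconfig.php provides a PDO connection in `$pdo` (instead of the thread's mysql_* calls), that the papers have been moved to a directory outside the document root (the path below is a placeholder), and the `paper` columns already used in the thread (id, ext, user, title).

```php
<?php
// download.php?id=69  -- serves one paper only after the session and ownership checks pass
session_start();
include('dbconfig.php');            // assumed to set up a PDO connection in $pdo

// Directory outside the web root; placeholder path, adjust to the real location.
define('PAPER_DIR', '/var/www/private_papers');

// Stored extensions mapped to the Content-Type sent back; anything else is refused.
$allowed = array('.pdf' => 'application/pdf', '.doc' => 'application/msword');

if (empty($_SESSION['id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('You must be logged in to view papers.');
}

// Accept only a positive integer id; raw request input never reaches the filesystem.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
if ($id === false || $id === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid paper id.');
}

// The ownership check is part of the query: a row comes back only for the owner.
$stmt = $pdo->prepare('SELECT id, ext, title FROM paper WHERE id = ? AND user = ?');
$stmt->execute(array($id, $_SESSION['id']));
$paper = $stmt->fetch(PDO::FETCH_ASSOC);

if (!$paper || !isset($allowed[$paper['ext']])) {
    header('HTTP/1.1 404 Not Found');   // same answer for "not yours" and "does not exist"
    exit('Paper not found.');
}

// The file name is rebuilt from the database row, not from anything in the URL.
$path = PAPER_DIR . '/' . $paper['id'] . $paper['ext'];
if (!is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('Paper not found.');
}

header('Content-Type: ' . $allowed[$paper['ext']]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
readfile($path);
```

In my_papers.php the link then becomes download.php?id={$row['id']} instead of a direct path into sweet_papers/, and the web server is no longer able to serve the files itself.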

<?php
session_start();
include('dbconfig.php');    // same connection as in the first upload script

// six random lowercase letters used as the directory name (rand() is not a cryptographic source)
function gen_trivial($len = 6)
{
    $r = '';
    for ($i = 0; $i < $len; $i++)
        $r .= chr(rand(0, 25) + ord('a'));
    return $r;
}

$basename = gen_trivial();
$mypath   = "sweet_papers/$basename";
mkdir($mypath, 0777, TRUE);
/**************************************************************/
$now  = time();
$date = date("Y-m-d H:i:s", $now);

$file_name = $_FILES['paper']['name'];
$file_ext  = strtolower(substr($file_name, strrpos($file_name, ".")));

// the random directory name is stored in the new 'path' column
$q      = "insert into paper set title='{$_REQUEST['title']}', path='{$basename}', user='{$_SESSION['id']}',
status='New', datum='$date' ";
$result = mysql_query($q);

$fid = mysql_insert_id();

move_uploaded_file($_FILES['paper']['tmp_name'], 'sweet_papers/' . $basename . '/' . $fid . $file_ext);
?>

 

http://mmmmmmmmmm.com/sweet_papers/fxfxhe/69.pdf

I make another directory inside of sweet_papers.

 

Now the other users must guess the base directory name and the paper name,

 

and also I changed the listing of papers like

<a href='sweet_papers/{$row['path']}/{$row['id']}{$row['ext']}'>{$row['title']}</a>

 

Also I used Options -Indexes in .htaccess to close directory listing.

Is it a good method?

 
