Jump to content

User based PDF file access

65bit

By 65bit
in PHP Coding Help

 Share

Recommended Posts

65bit Newbie

65bit

Posted
Posted

I'm new to PHP & MySQL (which we have running on IIS6) and am looking for some ideas / concepts on how I might go about controlling user and account based access to PDF files.

 

Our current directory structure has a folder for each account number, with many individual PDF files (one per user) under each account.  I need to be able to (1) limit a “regular user” who has authenticated against the MySQL db to only viewing their PDF file and (2) limit access to an “account manager” user to only viewing that account’s PDF’s.  I’d like to not have to use any of Window’s security, instead relying on MySQL.

 

Among other things, the user table record currently contains a user id, their PDF file name and the account number they belong to.  An account manager table contains the account number and the manager’s id. 

 

In playing around, I can login as a user, grab the name of their PDF file from the user table and present it in the browser.  Unfortunately, the current PDF naming convention is just a static set of characters followed by an incrementing number.  If I simply ratchet the number up or down, I’m looking at someone else’s PDF.

 

I’ve considered naming each physical PDF file and its reference name in the table to some random 30 – 40 characters.  The chances of anyone guessing another valid link should be extremely small (but not 0).  There’s part of me though that thinks all that does is make it hard to guess and not really secure.  Maybe I should be thinking ‘hard to guess’ = secure?

 

I’ve also considered storing the PDF file as binary data in a blob and presenting it from there.  Then the actual PDF files wouldn’t even exist on the web server.  Each user would only get theirs and I can see a path to allow the account manager to see of their PDF’s as appropriate.  But, much most of what I read seems to say to stay away from storing data in blobs for db performance reasons.

 

I’ve searched about everything I can think of, but can’t seem to hit on standard approaches for this kind of issue.  Can anyone point me in the right direction on how to go about this or where I might learn more on it?

 

Thanks

 

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.