65bit Posted April 6, 2009 Share Posted April 6, 2009 I'm new to PHP & MySQL (which we have running on IIS6) and am looking for some ideas / concepts on how I might go about controlling user and account based access to PDF files. Our current directory structure has a folder for each account number, with many individual PDF files (one per user) under each account. I need to be able to (1) limit a “regular user” who has authenticated against the MySQL db to only viewing their PDF file and (2) limit access to an “account manager” user to only viewing that account’s PDF’s. I’d like to not have to use any of Window’s security, instead relying on MySQL. Among other things, the user table record currently contains a user id, their PDF file name and the account number they belong to. An account manager table contains the account number and the manager’s id. In playing around, I can login as a user, grab the name of their PDF file from the user table and present it in the browser. Unfortunately, the current PDF naming convention is just a static set of characters followed by an incrementing number. If I simply ratchet the number up or down, I’m looking at someone else’s PDF. I’ve considered naming each physical PDF file and its reference name in the table to some random 30 – 40 characters. The chances of anyone guessing another valid link should be extremely small (but not 0). There’s part of me though that thinks all that does is make it hard to guess and not really secure. Maybe I should be thinking ‘hard to guess’ = secure? I’ve also considered storing the PDF file as binary data in a blob and presenting it from there. Then the actual PDF files wouldn’t even exist on the web server. Each user would only get theirs and I can see a path to allow the account manager to see of their PDF’s as appropriate. But, much most of what I read seems to say to stay away from storing data in blobs for db performance reasons. I’ve searched about everything I can think of, but can’t seem to hit on standard approaches for this kind of issue. Can anyone point me in the right direction on how to go about this or where I might learn more on it? Thanks Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.