
Need help with security measure


paradoxmime


I have a page that renders a pdf to screen using a java applet and I want to protect the pdf content. That is, if you view source it displays the full path to the file and you can gain direct access to the file. Here is where I don't know how to approach this, I am currently protecting the contents of the directory using a cgi script. Therefore if you try to access the page you will be prompted to login. That is fine to an extent. The person with rights to view the image does not have the right to download the image.


So I was thinking that by using session variables I could either one, create an .htaccess with password authentication, and I could use the php to call up a page such as authenticate.php with a script that would supply the password somehow and then display through the applet.


Or generate a random token for that session. The token would then be stored temporarily in mysql db and would be linked to the actual file location already in the db. This way viewing source would show the token not the file location. Any ideas? Please be specific

https://forums.phpfreaks.com/topic/168740-need-help-with-security-measure/

<?php
/* 
	auth user
	$_GET['username'] && $_GET['password']
*/

$FileName = $_GET['filename'];

// Map the requested name to a physical location; the client-supplied
// name is never used as a path on its own.
$ActualFileLocation = '';
$ActualFileName = '';
if ($FileName == 'filea.pdf') {
	$ActualFileLocation = '/home/uploaddir/filea.pdf';
	$ActualFileName = 'filea.pdf';
}
//or find file in database with physical file location

// Unknown name or missing file: refuse instead of sending an empty body
if ($ActualFileLocation == '' || !is_file($ActualFileLocation)) {
	header("HTTP/1.0 404 Not Found");
	exit;
}

// FILE_BINARY was a no-op flag and is gone from current PHP, so it is omitted
$fileContents = file_get_contents($ActualFileLocation);
$fileSize = filesize($ActualFileLocation);

header("File-Name: ".$ActualFileName);
header("Accept-Ranges: bytes");
header("Content-Length: ".$fileSize);
header("Content-Type: application/x-msdos-program");
//add necessary header fields for different file types, e.g. pdf header will look different to an ms-dos based exe

echo $fileContents;
?>


You might want to try this concept: you are basically in control of the file's location, and the file doesn't have to be accessible directly from the website; it can only be retrieved via this script.
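The following is an added example, not code from either poster, that combines the two ideas in this thread: the question's per-session random token that stands in for the real file location, and the reply's gatekeeper script that is the only way to reach the file. It assumes the files live in /home/uploaddir (the directory named in the reply) outside the web root, PHP 7.1 or later for random_bytes() and nullable return types, and it keeps the token-to-file map in $_SESSION rather than in the MySQL table the question proposes; the functions, file names and query parameter are all assumptions.

```php
<?php
// Added example (not from the thread): session-bound token gate for files
// that live outside the web root. Assumes /home/uploaddir (from the thread)
// and PHP 7.1+; the token->file map lives in $_SESSION instead of MySQL.

declare(strict_types=1);

const PROTECTED_DIR = '/home/uploaddir';   // assumption: not reachable by URL

session_start();

// Issue a short-lived token for a file the current user may view.
// Call this from the page that embeds the applet and embed the token,
// never the path, in the applet parameters.
function issue_token(string $relativeName): string
{
    // Only plain file names are accepted; directory parts are refused here
    if ($relativeName === '' || basename($relativeName) !== $relativeName) {
        throw new InvalidArgumentException('bad file name');
    }
    $token = bin2hex(random_bytes(16));          // 128 random bits, not guessable
    $_SESSION['file_tokens'][$token] = [
        'name'    => $relativeName,
        'expires' => time() + 300,               // five-minute lifetime
    ];
    return $token;
}

// Resolve a token to an absolute path, or null if it is unknown, expired,
// or the resolved path (after symlinks) has left PROTECTED_DIR.
function resolve_token(string $token): ?string
{
    $entry = $_SESSION['file_tokens'][$token] ?? null;
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    $path = realpath(PROTECTED_DIR . '/' . $entry['name']);
    $base = realpath(PROTECTED_DIR);
    if ($path === false || $base === false || strpos($path, $base . '/') !== 0) {
        return null;                             // symlink or traversal escaped the directory
    }
    return $path;
}

// Stream the file for a valid token; the client only ever sees the token.
function serve_file(string $token): void
{
    $path = resolve_token($token);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/pdf');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: inline; filename="document.pdf"');  // generic name, real name stays hidden
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: no-store');           // keep copies out of shared caches
    readfile($path);
    exit;
}

// Entry point, e.g. serve.php?t=<token>; the token format is checked before lookup
if (isset($_GET['t']) && is_string($_GET['t']) && preg_match('/^[0-9a-f]{32}$/', $_GET['t'])) {
    serve_file($_GET['t']);
}
```

Because the map is stored in the viewer's own session, a token copied out of the page source is useless in another browser, and it expires on its own; moving the map to a database table keyed by (token, session id, expiry) works the same way and is what you would do if several servers share the load. Two points worth keeping in mind: the path is never derived from client input, which is what stops the script from becoming a file-download-anything endpoint, and the PDF bytes still reach the client for the applet to render, so this hides the location and prevents link sharing but cannot stop a determined viewer from saving what their browser has already received.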
