meltingpoint Posted December 18, 2009
I have PDF files that are sensitive for my customer. In the folder that contains the PDF files I have an index file that redirects to the login page. I just want to make sure that no one can put some code in the login form or into the URL that would show the contents of the directory where these files are kept. Any tips or suggestions? Andy
ngreenwood6 Posted December 18, 2009
You can try going to the URL of the PDF. So if you have your PDFs like this, pdf/somepdf.pdf, go to http://yoururl.com/pdf/somepdf.pdf and I bet you can view it.
meltingpoint Posted December 18, 2009 (Author)
Yes, that can currently be done. I suppose that for viewing of sensitive files I should password-protect the directory with .htaccess and provide a standard "PDF FILE" username and password to view it that only members would be privy to.
mikesta707 Posted December 18, 2009
Or you could just put it above the root directory and access it from there.
ngreenwood6 Posted December 18, 2009
Yeah, I would do like Mike said and put it above the root directory so that there is no direct access to the file. Also a good idea would be to not actually show the file in the URL. For example, instead of having http://www.yoururl.com/pdf/somepdf.pdf you would have a URL like http://www.yoururl.com/pdf?id=23&somerandom=2234325. Obviously that is just an example, but you get the picture.
meltingpoint Posted December 18, 2009 (Author)
But how would I access the file (outside the public_html) and allow the user to open it? A regular link would not work.
oni-kun Posted December 18, 2009
> But how would I access the file (outside the public_html) and allow the user to open it? A regular link would not work.

Use something like 'getfile.php?file=this.pdf':

<?php
// Serve a PDF that lives in a directory outside the web root.
if (isset($_GET['file'])) {
    // basename() drops any directory part, so "../" in the parameter cannot escape the pdfs folder
    $file = basename($_GET['file']);
    $path = '/home/yourname/pdfs/' . $file;
    if (is_file($path)) {
        header('Content-Type: application/pdf');
        readfile($path);
    }
}
?>

I'm not sure if that'd work off the bat, but you can use include()s on sub-root directories.
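As an added example (not code from the thread), here is the fuller version of the getfile.php idea combined with ngreenwood6's suggestion of an opaque id in the URL: the script checks the login session first, looks the id up in a catalogue, and verifies the resolved path is still inside the PDF directory before streaming it. The file location, the $catalog map and the $_SESSION['user_id'] key set by the login page are all assumptions.

```php
<?php
// download.php: serve PDFs stored above public_html only to logged-in users,
// addressed by an opaque id (download.php?id=23) rather than a filename.
// Assumed: the login page sets $_SESSION['user_id']; PDF_DIR is a placeholder.
session_start();

const PDF_DIR = '/home/yourname/pdfs';   // assumed location above the web root

// Assumed catalogue: id => filename. In practice this comes from a database table
// that can also record which customer is allowed to see which document.
$catalog = [
    23 => 'invoice-2009-12.pdf',
    24 => 'contract.pdf',
];

// 1. Only authenticated users get this far.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}

// 2. Validate the id: must be an integer and must exist in the catalogue.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null || !isset($catalog[$id])) {
    http_response_code(404);
    exit('No such document');
}

// 3. Resolve the path and confirm it is still inside PDF_DIR.
//    realpath() collapses ".." and symlinks, so this catches traversal even if
//    the catalogue were ever populated from untrusted input.
$base = realpath(PDF_DIR);
$path = realpath(PDF_DIR . '/' . $catalog[$id]);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('No such document');
}

// 4. Stream the file with explicit headers; the browser never learns the real path.
header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('Cache-Control: private, no-store');
readfile($path);
```

Because the files never sit under the document root, neither directory listing nor a guessed filename can expose them; the only way in is through this script's session check.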
meltingpoint Posted December 20, 2009 (Author)
Sorry so late to reply; that sounds good. I'll give it a try. Cheers to all. melting point
teamatomic Posted December 20, 2009
Try this in .htaccess:

<FilesMatch "\.pdf$">
    Order allow,deny
    Deny from all
</FilesMatch>

Now try a direct URL, http://domain.com/pdf/file.pdf; you should be denied the file. Now try to see if you can include one into a page; you should be able to. If you have some PDFs you want available by direct link and others you don't, then remember that .htaccess is recursive. Split the PDFs into two folders, and the one you want to restrict gets the .htaccess file with the <FilesMatch> allow/deny. HTH, Teamatomic
gevensen Posted December 20, 2009
Don't forget to set your .htaccess so you don't show the contents of the directory arbitrarily, and set your robots.txt to disallow that directory, or your sensitive files may show up on Google! There's also a great little program called Bot Trap (Google it) which stops web bots that ignore robots.txt. As far as hacking code, look at the mysql_real_escape_string and htmlspecialchars PHP commands. I don't think the code going in is a problem so much, but the code coming out executes, and htmlspecialchars ruins that party. I also encrypt directory names and filenames to make it very confusing, and use a safelist table of original pages to compare where the call is coming from; if it's not on the safelist it gets bounced.