
Security


meltingpoint


I have pdf files that are sensitive for my customer. In the folder that contains the pdf files I have an index file that redirects to the login page. I just want to make sure that no one can put some code in the login form or into the url that would show the contents of that directory folder where these files are kept.

 

Any tips suggestions?

 

Andy


Yeah, I would do like Mike said and put it above the root directory so that there is no direct access to the file. Also a good idea would be to not actually show the file in the url, for example instead of having: http://www.yoururl.com/pdf/somepdf.pdf you would have a url like http://www.yoururl.com/pdf?id=23&somerandom=2234325 obviously that is just an example but you get the picture.


But how would I access the file (outside the public_html) and allow the user to open it?  A regular link would not work.

 

Use something like 'getfile.php?file=this.pdf'

<?php
if (isset($_GET['file'])) {
    // basename() drops any "../" so the request cannot leave the pdfs folder
    $file = basename($_GET['file']);
    $path = '/home/yourname/pdfs/' . $file;
    if (is_file($path)) {
        header('Content-Type: application/pdf');
        readfile($path); // stream the PDF rather than echoing its path
    }
}?>

 

I'm not sure if that'd work off the bat but you can use include()s on sub-root directories.

 

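As an added example that is not from the thread, the script below ties together the opaque-id URL from the earlier reply, the getfile.php approach from this one, and the safelist idea raised further down: the id is only a lookup key, the files stay outside public_html, and realpath() confirms the resolved path is still under the storage directory. PDF_BASE, the allowlist entries and the $_SESSION['user_id'] key are assumptions.

```php
<?php
// Added example (not from the thread): serve PDFs that live outside public_html
// through one script, combining opaque-id URLs with a server-side allowlist.
// Paths and ids below are constructed placeholders.
session_start();

// Storage directory outside the web root; assumed location, no trailing slash.
const PDF_BASE = '/home/yourname/pdfs';

// Allowlist: opaque id -> filename. In production this would be a database
// table keyed by id and owner; here it is an inline array for illustration.
const PDF_ALLOWLIST = [
    'a8f3c2' => 'invoice-2024-03.pdf',
    'b71e09' => 'contract-draft.pdf',
];

function denied(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// 1. Only authenticated users get anything at all. The login page is assumed
//    to set $_SESSION['user_id'] on success.
if (empty($_SESSION['user_id'])) {
    denied(403, 'Login required');
}

// 2. The id is the only client input and is used purely as a lookup key,
//    never as part of a path. Non-string input (id[]=x) is treated as unknown.
$id = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
if (!isset(PDF_ALLOWLIST[$id])) {
    denied(404, 'No such document');
}

// 3. Resolve and re-check containment with realpath(); this catches symlinks
//    or a mistaken allowlist entry that points outside PDF_BASE.
$path = realpath(PDF_BASE . '/' . PDF_ALLOWLIST[$id]);
if ($path === false || strpos($path, PDF_BASE . '/') !== 0 || !is_file($path)) {
    denied(404, 'No such document');
}

// 4. Stream the file with headers that stop caching on shared machines.
header('Content-Type: application/pdf');
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```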

Try this in .htaccess :

 

# "*.pdf" matches every PDF; a bare ".pdf" would only match a file literally named .pdf
<Files "*.pdf">
    Order allow,deny
    Deny from all
</Files>

 

Now try a direct url - http://domain.com/pdf/file.pdf

you should be denied the file

Now try to see if you can include one into a page, you should be able to.

If you have some pdf's you want available by direct link and others you don't then remember that htaccess is recursive. Split the pdfs into two folders and the one you want to restrict gets the htaccess file with the <files> allow/deny

 

 

HTH

Teamatomic


Don't forget to set your htaccess so you don't show the contents of the directory arbitrarily

and set your robots text to disallow that directory or your sensitive files may show up on google!

There's also a great little program called Bot Trap ( google it ) which stops web bots that ignore robots.txt

 

As far as hacking code, look at the mysql_real_escape_string and htmlspecialchars php commands

I don't think the code going in is a problem so much but the code coming out executes and htmlspecialchars ruins that party

 

I also encrypt directory names and filenames to make it very confusing and use a safelist table of original pages to compare where the call is coming from

If it's not on the safelist it gets bounced
