Jump to content

Recommended Posts

I have pdf files that are sensitive for my customer.  In the folder that contains the pdf files I have an index file that re-directs to the login page.  I just want to make sure that no one can put some code in the login form or into the url that would show the contents of that directory folder where these files are kept.

 

Any tips suggestions?

 

Andy

Link to comment
https://forums.phpfreaks.com/topic/185551-security/
Share on other sites

yeah i would do like mike said and put it above the root directory so that there is no direct access to the file. Also a good idea would be to not actually show the file in the url for example instead of having: http://www.yoururl.com/pdf/somepdf.pdf you would have a url like http://www.yoururl.com/pdf?id=23&somerandom=2234325 obviously that is just an example but you get the picture.

Link to comment
https://forums.phpfreaks.com/topic/185551-security/#findComment-979636
Share on other sites

But how would I access the file (outside the public_html) and allow the user to open it?  A regular link would not work.

 

Use something like 'getfile.php?file=this.pdf'

<?php
if (isset($_GET['file'])) {
   $file = $_GET['file'];
    echo '/home/yourname/pdfs/'.$file
}?>

 

I'm not sure if that'd work off the bat but you can use include()'s on sub-root directories.

 

Link to comment
https://forums.phpfreaks.com/topic/185551-security/#findComment-979671
Share on other sites

Try this in .htaccess :

 

<Files .pdf>

order allow,deny

deny from all

</Files>

 

Now try a direct url - http://domain.com/pdf/file.pdf

you should be denied the file

Now try to see if you can include one into a page, you should be able to.

If you have some pdf's you want available by direct link and others you dont then remember that htaccess is recurssive. Split the pds into two folders and the one you want to restrict gets the htaccess file with the <files> allow/deny

 

 

HTH

Teamatomic

Link to comment
https://forums.phpfreaks.com/topic/185551-security/#findComment-980828
Share on other sites

dont forget set your htaccess so you dont show the contents of the directory arbitrarily

and set your robots text to disallow that directory or your sensitive files may show up on google!

theres also a great little program called Bot Trap ( google it ) which stops web bots that ignore robots.txt

 

as far as hacking code look at mysql_real_esapce_string and htmlspecialchars php commands

i dont think the code going in is a problem so much but the code coming out executes and htmlspecialchars ruins that party

 

i also encrypt directory names and filenames to make it very confusing and a use a safelist table of original pages to compare where the call is coming from

if its not on the safelist it gets bounced

Link to comment
https://forums.phpfreaks.com/topic/185551-security/#findComment-980906
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.