Jalz Posted March 17, 2010
Hi all,
Not sure this is the appropriate place to post, but I need some help (more with process than code at this point) with an issue I have. I've created a members database, and they can search etc. on the site. The members table contains a username and a hashed password with salt. They log in to the website and authenticate against the username and password stored in my database. I want them to upload images, so on my test system I created a folder called images, which I set write access on for anonymous, and proceeded to code so they had this functionality. When I thought about deploying it to our live servers, of course the images could not be uploaded as the folder didn't have write permissions. Spoke to my IT chaps and rightly they said we won't allow anonymous access to the images folder; however you can have an AD account which we can allow writing to this folder. So what I have done is create an AD group with one member. The logic I am thinking of is the following:

User enters credentials
If they authenticate against the details in my db
    bind to the AD account // the one member that does have writing to the folder enabled
    close connection
else
    Take them back to the login screen
end

Will that be enough to allow them to write to the folder, or do I need to do other things? Am I going about this the right way? Any advice would be very much appreciated. I presume once I bind it opens up a session or something that tells the folder that I can write to it????
Best
Jalz
https://forums.phpfreaks.com/topic/195551-help-with-some-logging-in-db-and-ldap/
FD_F Posted March 17, 2010
Adding an AD user will not help, because when you upload the file the Apache/IIS user will be writing the file, so you will have to give the Apache/IIS user write permissions. You can tell your IT manager you will secure the file by checking the file type from the code.
Jalz (Author) Posted March 17, 2010
Hi FD_F, thank you for the reply. It's IIS we are using as we're on Windows Server. Are you saying that if I check within my PHP code to allow jpg, gif or png files for upload, that should be sufficient? Is there any way I can tell IIS that those are the only files that should be residing in the folder?
Thanks
Jalz
FD_F Posted March 17, 2010
Yes, check from PHP if the upload is jpg/gif. Also don't save under the same file name as uploaded; give the files a random name before saving. If it's IIS you can prevent executing scripts in the image folder; give your IT this link: http://www.aspplayground.net/forum/tm.aspx?m=376885&mpage=1#376885
Jalz (Author) Posted March 17, 2010
Thank you once again. I can hash the filename to make it more secure. This would mean someone would have to guess the names perfectly to download. Just one more question, I hope. I have two IIS accounts, IIS_WPG and Internet Guest Account. Which one do you think IIS will use to write in the folder?
Thanks again
FD_F Posted March 17, 2010
The hashing is a good idea. I can't know which user will write the file, but you can open the Windows process list and see which user name is running IIS.
Jalz (Author) Posted March 17, 2010
Thank you. I'll go have a word with the manager.
Jalz
Jalz (Author) Posted March 18, 2010
Hi all, had a word with the manager, and he has no problem giving the IIS_USR write access to the folder in question (providing I hash the filename and only allow certain file extensions; he'll remove the script executables option in IIS). However he was then asking how we can prevent an anonymous browser from accessing the data by typing in the full path of the folder. If they have access to the folder/path, is it possible they can upload items there? Sorry to be a complete noob, just trying to get the right balance of security for a solution I have created.
Jalz
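The following is an added example, not code posted by Jalz or FD_F, showing how the advice in this thread fits together in PHP: the type check on the bytes rather than the client-supplied name, a random filename, and an answer to the last question about the folder being reached by URL. The upload directory path, the `member_id` session key set by the site's existing database login, and the `image` form field name are assumptions; the hypothetical DB lookups are marked as such. It targets PHP 7 or later.

```php
<?php
// Added example (not from the thread). Assumptions: UPLOAD_DIR is OUTSIDE the IIS
// web root, the site's DB login sets $_SESSION['member_id'], form field is 'image'.
declare(strict_types=1);

// Writable by the IIS worker account, but never mapped to a URL, so a browser
// cannot reach it by typing a path; every read goes through send_image() below.
const UPLOAD_DIR = 'D:\\app_data\\member_uploads';   // assumed path
const MAX_BYTES  = 2 * 1024 * 1024;                  // size cap chosen for this example
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function require_login(): void {
    session_start();
    if (empty($_SESSION['member_id'])) {
        http_response_code(403);
        exit('Login required');
    }
}

// Validate one entry of $_FILES and store it under a random name.
// Returns the stored filename, or null with $error set.
function store_image(array $file, ?string &$error): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) { $error = 'Upload failed'; return null; }
    if ($file['size'] > MAX_BYTES)                                { $error = 'File too large'; return null; }
    if (!is_uploaded_file($file['tmp_name']))                     { $error = 'Not an upload'; return null; }

    // Never trust the client's filename or declared MIME type; sniff the bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) { $error = 'Only JPEG, PNG or GIF allowed'; return null; }

    // Second check: the content must actually decode as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) { $error = 'Corrupt image'; return null; }

    // Random, unguessable name; the extension comes from the sniffed type only.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) { $error = 'Could not save'; return null; }
    return $name;
}

// Serve a stored image to a logged-in member. $name should come from a DB row the
// application already looked up for this member, never straight from the URL.
function send_image(string $name): void {
    // Accept only names our own code generates; this also rules out path traversal.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) { http_response_code(400); exit('Bad name'); }
    $path = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!is_file($path)) { http_response_code(404); exit('Not found'); }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');          // stop browsers re-sniffing as HTML
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}

require_login();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    $err  = null;
    $name = store_image($_FILES['image'], $err);
    if ($name === null) { http_response_code(400); exit($err); }
    // Hypothetical: record $name against $_SESSION['member_id'] in the members table here.
    echo 'Stored';
} elseif (isset($_GET['name'])) {
    // Hypothetical: confirm $_GET['name'] is a file this member is allowed to view first.
    send_image($_GET['name']);
}
```

Two points this layout settles from the last post: a browser request to a folder path can at most read what IIS serves from it, it cannot create files, because the only code that writes to the folder is the upload handler running as the IIS worker account; and once the folder sits outside the web root, there is nothing for an anonymous visitor to type in, the "script executables" setting becomes moot for that folder, and every download is gated by the same session check the rest of the site already uses. The `X-Content-Type-Options: nosniff` header matters even with the type check, since it keeps a browser from reinterpreting a served image as markup.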