Protecting directory/files


16 replies to this topic

#1 Javrixx

Javrixx
  • Members
  • Member
  • 13 posts

Posted 13 September 2006 - 05:47 PM

*** UPDATE ON MY LAST POST, PLEASE READ THAT AFTER READING THIS FIRST POST, THANK YOU ***


Hi, I'm really new to PHP.  Basically I'm setting up a few things for my work.  I'm adding a feature that lets clients log in and view certain .xls files and whatnot.  It will be their results that our company provides for them...

So I've almost got the login part of it done, I don't think I'll have too hard of a time getting the rest set up, but now that I'm thinking about it, I think I have a problem.

Client A needs to access his .xls files.
Client B needs to do the same thing.

All the files are stored in, let's say, /clientfiles directory.


I need to make it so only Client A can access his files and no one else's files.

Maybe I can make it a bit clearer.  Client A logs in with the username and password I provide him (he can change his pass).  On the next page it says welcome so and so and you have X amount of results ready for download.  I was thinking I was just going to generate the link using PHP according to what the filename is in the MySQL database.  So anyway, he clicks the link that lists all the results .xls files to download...

Let's say they're all stored at http://www.mydomain....m/clientfiles.  So he has 3 files listed there:
http://www.mydomain....files/file1.xls
http://www.mydomain....files/file2.xls
http://www.mydomain....files/file3.xls

Now, what is to stop him, and anyone else, from just going to http://www.mydomain.com/clientfiles/ and seeing all the files in that directory and being able to download them?  Is there a way I can fix this so only the logged in client can access only those files?  Or am I going to have to do something totally different as a solution?

Any help is much appreciated.  I really don't know too much about PHP, so far I've been using tutorials and using "trial and error" changing the code here and there to suit my needs.  I do know HTML like the back of my hand, so I do understand the basics and how PHP functions, I just don't know the commands, etc, for it yet.  Thanks again.

#2 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 13 September 2006 - 06:15 PM

Why not make directories with the user's id from the database, and copy any file you want that user to have to their directory?

Then select that user where id='$id' and add a link to his dir via his id.

Wish I knew all about PHP, DAMN I will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#3 steelmanronald06

steelmanronald06
  • Staff Alumni
  • Advanced Member
  • 2,004 posts
  • LocationOk

Posted 13 September 2006 - 06:19 PM

Or you can do an if statement in the files:

if username is client A
  show it
else
  don't show it

Yeah, that is not actual code, just theory code.

#4 Javrixx


Posted 13 September 2006 - 07:00 PM

Thanks for the responses guys.

Ok so I can do either one of those, but what if someone finds the user's directory or finds the directory with all the users in it?

I just don't want someone to be able to find out the download path and download files, I need it to be secure so only those people can download the files.  Even if I only list it for one particular user, anyone who KNOWS what that user directory is could still download it.  For example:

http://www.mydomain....m1234/file1.xls

So say someone goes to http://www.mydomain.com/users

They can then see the directory, then it's just a matter of trial and error before they could possibly find the files.

I know the chances are unlikely, but we're talking about pretty secure information about people and I need it to be protected.

#5 redarrow


Posted 13 September 2006 - 07:11 PM

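Stick an index.php in it with a redirect to the index page; that's the easy way.

<?php
// Send anyone who browses to this directory back to the site's index page.
// An absolute path is used so this file does not redirect to itself.
header("Location: /index.php");
exit; // stop here so nothing else runs after the redirect
?>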


#6 ToonMariner

ToonMariner
  • Members
  • Advanced Member
  • 3,342 posts
  • LocationNewcastle upon Tyne, UK

Posted 13 September 2006 - 07:17 PM

If someone gets the full URL then they may still be able to see them! Without having done the reading, have a look at locking the directories and only opening them via the script - maybe chmod will be more than enough for your needs.

No expert on this, but you would need a setting that denies public but allows the owner of the dir to access - that way PHP should be able to chmod the directory.
follow me on twitter @PHPsycho

#7 redarrow


Posted 13 September 2006 - 07:23 PM

OK then, I've got a better way: make a random 8-number figure, then add that to the members database table, then provide that to make the directories; that's better and easier.

The possibility of a user finding that number for the directory will be near to impossibility.

#8 ToonMariner


Posted 13 September 2006 - 07:27 PM

Easier???? A random 8-digit number could be found in a couple of minutes with a simple brute force attack!

Seems a lot of hassle, whereas umask and chmod would do the trick - provided what I said was possible - which I am sure it is.

#9 redarrow


Posted 13 September 2006 - 07:36 PM

It is for Linux Red Hat but not Windows, so how do us Windows users get the same effect?

#10 Javrixx


Posted 14 September 2006 - 12:23 AM

Ok I will try that.  I'm not really up to that stage yet, but I will be within the week.  Do you by chance know what script that is or where to get it?

#11 Atomg

Atomg
  • New Members
  • Newbie
  • 9 posts

Posted 15 September 2006 - 04:20 PM

If someone gets the full URL then they may still be able to see them! Without having done the reading, have a look at locking the directories and only opening them via the script - maybe chmod will be more than enough for your needs.

No expert on this, but you would need a setting that denies public but allows the owner of the dir to access - that way PHP should be able to chmod the directory.

So, we could only let the admin (the admin of the website) access some files? Like the user won't get the file directly, but it is a PHP function that will download the file for the user? The PHP function will only download the file if the user can (like verify the login etc.)

If I use my FTP client, I can change the file properties (chmod) like the following screenshot.
Posted Image
We can Execute because it is a folder; if it is a *.jpg (for example), we won't get the Execute command, but only Read.

Well I have questions about this:
  • What is Group?
  • Can we remove the Read for a file for the "World" and have a PHP function that will download the file?
  • If yes, what is that function?

Thanx for all the help.

#12 karthikeyan_coder

karthikeyan_coder
  • Members
  • Advanced Member
  • 201 posts

Posted 15 September 2006 - 06:33 PM

    * u (user), which represents the permissions granted to the owner of the file,
    * g (group), which represents the users who are members of the file's group, and
    * o (others), which represents any users who are not the owner of the file or members of the group, or
    * a (all), which represents all three of the above.

Thank you,
TopLancers.com
www.karthi.us

#13 Atomg


Posted 17 September 2006 - 01:22 PM

Ok, thx.

Now can we adjust those chmod settings and make only Read/Write/Execute for users and put a PHP function that starts the download?

#14 redarrow


Posted 17 September 2006 - 01:27 PM

I was thinking, if you protect a folder with images in it and disable side click, the user cannot get the pic, but if the user downloads the whole website I think they will get all images, not sure?

#15 Javrixx


Posted 20 September 2006 - 04:45 PM

Ok so I'm almost to the point where I need to implement this.

I think I'm down to 2 options...

1) Use the user's ID and make a random folder, store the files in it... for example, say user123 logs in and wants to see their files.  In the database, their userid is say... 555.  So I make a new folder in the userfiles folder, starting with the user ID and then some random stuff after that: 555fdjf78nab5jk6diap227yu46/file1afd87b93bfi3a.xls

So the path to download that would be http://www.mysite.co...d87b93bfi3a.xls

It will be easy for me to find, because the user ID is still the first part of the directory, as would be the file name that they need, but the rest is so random people would PROBABLY never find the full path for that file...  Am I right about this?


2) Someone had mentioned to me that I can store the files on the server, but not public.  When the user logs in, I would make a PHP script to create a random temporary folder and move the needed files for that user to the new temporary folder.  After the user logs out the temporary folder is deleted, thus the user's files are never really public, only for a short time when that user is logged in and needs the files.

Now, my big issue with this is, I lack the knowledge to set up something like this that is so complicated.  I haven't looked for any tutorials, but it is pretty specific and I don't know if I'll be able to find something.  I'm about 2 weeks away from having to really set this up so ANY feedback on this is highly appreciated.

#16 Javrixx


Posted 22 September 2006 - 06:32 PM

*bump*

#17 Atomg


Posted 23 September 2006 - 02:32 PM

2) Someone had mentioned to me that I can store the files on the server, but not public.  When the user logs in, I would make a PHP script to create a random temporary folder and move the needed files for that user to the new temporary folder.  After the user logs out the temporary folder is deleted, thus the user's files are never really public, only for a short time when that user is logged in and needs the files.

I'm sure that this is a good solution, but you don't need to move the file. There must be a way to download it...

I'll search.
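
Added example (not written by any poster in this thread): one way to do what posts #11 and #17 ask about, a PHP script that hands over a file only after checking that the logged-in user owns it, with the files kept outside the web root so no URL reaches them directly. The storage path, the `user_id` session key, the script name and the constructed `FILES` array standing in for the MySQL table are all assumptions.

```php
<?php
declare(strict_types=1);
// download.php: hypothetical gate script. The .xls files live OUTSIDE the
// web root, so browsing to a directory or guessing a path finds nothing.

const STORAGE_DIR = '/var/clientfiles';   // assumed path, not under the document root

// Constructed sample of what the MySQL table would hold: file id => owner + stored name.
const FILES = [
    17 => ['owner_id' => 555, 'stored_name' => 'file1.xls'],
    18 => ['owner_id' => 556, 'stored_name' => 'file2.xls'],
];

/** Return the absolute path this user may download, or null if not allowed. */
function authorize_download(?int $userId, int $fileId, array $files, string $dir): ?string
{
    if ($userId === null) {
        return null;                       // not logged in
    }
    $row = $files[$fileId] ?? null;
    if ($row === null || $row['owner_id'] !== $userId) {
        return null;                       // unknown file, or someone else's file
    }
    // basename() drops any directory part, so a stored name cannot escape $dir.
    return rtrim($dir, '/') . '/' . basename($row['stored_name']);
}

session_start();
// 'user_id' is assumed to be set by the login page after a successful login.
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$path   = authorize_download($userId, (int) ($_GET['id'] ?? 0), FILES, STORAGE_DIR);

if ($path === null || !is_file($path)) {
    http_response_code(404);               // same answer for "missing" and "not yours"
    exit('File not found.');
}

header('Content-Type: application/vnd.ms-excel');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);                           // stream the file through PHP
exit;
```

Links on the welcome page then point at `download.php?id=17` rather than at the .xls file itself, so the check runs on every download.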



