Jump to content

How to sucure a folder, but still accessable.

Mancent

By Mancent
in PHP Coding Help

 Share
Go to solution Solved by Psycho,

Recommended Posts

Mancent Member

Mancent

Posted
Posted (edited)

I am not even sure if this can be done or not, nor do I know If I am asking in the right place. but here it goes.
 

I have this folder located here

http://192.168.0.2/account/1/

 


and to get in this folder account/1/  
I want to add a file called getfile.php
With some conditions to meet before it gets the file.

for a example if I have a file called picture.jpg
I do not want to be able to go to the web address and get the file directly.
In this case it would be


What I am wanting to do is to lock the folders and only be able to get the files if they go to a url like this


get file will call for the folder of the account in this case 1


or path can be large in this case

and also I will add other conditions that will be requested like access token so you just can not get into any one folders with out having the correct access.

so when it is all said and done it would be something like this.


and if all is well the file displays, but if not then nothing error message.
but also even though the file is located at 

they can not go directly to that link to get the file with out going through the getfile.php
so the getfile.php would send maybe some type of $_POST method that would unlock the folder maybe using .htaccss

any one have any ideas how I can lock a folder, and then use php to access it.  

Edited by Mancent
Link to comment
Share on other sites
Mancent Member

Mancent

Posted
  • Author
Posted 

<?PHP
if(isset($_GET["uid"]))
{
$uid = $_GET["uid"];
}
else
{
	return;
}
if(isset($_GET["path"]))
{
$path = $_GET["path"];
}
else
{
	return;
}
if(isset($_GET["getfile"]))
{
$getfile = $_GET["getfile"];
}
else
{
	return;
}
if(isset($_GET["thumb"]))
{
	$thumb = $_GET["thumb"];
	$mypath = '../../protected/accounts/'.$uid.'/'.$path.'/'.$thumb.'/'.$getfile.'';
	
	
}
else
{
	
	$mypath = '../../protected/accounts/'.$uid.'/'.$path.'/'.$getfile.'';
    
	
	
}


$line =   '<img src="../../protected/accounts/'.$uid.'/'.$path.'/'.$getfile.'"/>';
echo $line;


?>

So I was thinking about if I could do this also.

 

I started to write the getfile.php

 

and my thinking was to put the folder behind the web root.

 

so say I have my web root here

www/index.php

 

and you can read and view all the files in the www root, but you can not view the folder behind it

like

dir listing

www/

protected/

 

I wanted to put the files in the back so they are not access able using http://localhost/protected

but I wanted the getfile.php to read the protected folder where they files are on the server, but not have a link using URL

 

but that's not working yet. any ideas? how I can read files that are not in the web root directory

 

 

Link to comment
Share on other sites
  • Solution
Psycho Prolific Member

Psycho

Posted
  • Solution
Posted

There is actually an easy solution. The first step is to put these files outside of the web directory. For example, if the root of your site is at C:\webroot\mysite\, then put your files in a folder such as C:\webroot\files\. Now, that folder and the files in it cannot be accessed from the web browser directly through a URL. You can then create a page that will serve the files to the user. You can create that page to use whatever parameters you pass to do whatever you need.

 

Once you verify that the user is authorized you will 'send' them the file

 

 

//Insert code to determine the file to use and whether the user should access it
// . . .
// . . .
//$file - variable assigned value of path to file
// . . .

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header('Content-Length: ' . filesize($file));
readfile($file);
Link to comment
Share on other sites
Mancent Member

Mancent

Posted
  • Author
Posted (edited)

ya that's good.. so this is working well the readfile was what I was missing.

this is good so you can use, external drives to store files off site then just code it to connect. that is good.

and this is working nicely

http://somedomain.com/getfile.php?uid=1&path=images&getfile=nameoffile.jpg&private=false&accesstoken=dsjfbhsdfonebibds8ds89fy9dasfgnsd987fgn9y8ds9
Edited by Mancent
Link to comment
Share on other sites
Mancent Member

Mancent

Posted
  • Author
Posted (edited) 



<?PHP

require_once "core/connect.php";

$root_path = '../protected/accounts/';

if(isset($_GET["uid"]))

{



if(empty($_GET["uid"]))

{

//RETURN TO HEADER 

return;

}

else

{

//DO A SELECT MYSQL TO CHECK IF USER ID IS REAL

$uid = $_GET["uid"];

}

}

else

{

//RETURN TO HEADER 

return;

}

if(isset($_GET["mid"]))

{



if(empty($_GET["mid"]))

{

//RETURN TO HEADER 

return;

}

else

{

//DO A SELECT MYSQL TO CHECK IF USER ID IS REAL

$mid = $_GET["mid"];

//DO A CHECK TO MAKE SURE MID IS WHAT THE SESSION ID === ELSE RETURN TO HEADER

if($mid == $_SESSION[mid])

{


}

else

{

//RETURN TO HEADER

}

}

}

else

{

//RETURN TO HEADER 

return;

}

if(isset($_GET["at"]))

{



if(empty($_GET["at"]))

{

//RETURN TO HEADER 

return;

}

else

{

//DO A SELECT MYSQL TO CHECK IF USER ACCESS_TOKEN IS REAL FOR MID

$at = $_GET["at"];

}

}

else

{

//RETURN TO HEADER 

return;

}

if(isset($_GET["security"]))

{



if(empty($_GET["security"]))

{

//RETURN TO HEADER 

return;

}

else

{

//DO A SELECT MYSQL TO CHECK IF USER SECURITY IS SET TO PUBLIC FOR UID

$security = $_GET["security"];

}

}

else

{

//RETURN TO HEADER 

return;

}

if(isset($_GET["f_stat"]))

{



if(empty($_GET["f_stat"]))

{

//RETURN TO HEADER 

return;

}

else

{

//DO A SELECT MYSQL TO CHECK IF USER UID IS FRIENDS WITH MID

$f_stat = $_GET["f_stat"];

}

}

else

{

//RETURN TO HEADER 

return;

}

if(isset($_GET["path"]))

{

if(empty($_GET["path"]))

{

//RETURN TO HEADER 

return;

}

else

{

//DO A SELECT MYSQL TO CHECK PATH FOR USER ID

$path = $_GET["path"];

}

}

else

{

//RETURN TO HEADER 

return;

}

if(isset($_GET["getfile"]))




if(empty($_GET["getfile"]))

{

//RETURN TO HEADER 

return;

}

else

{

//DO A SELECT MYSQL TO CHECK FILENAME FOR USER ID

$getfile = $_GET["getfile"];

}

}

else

{

//RETURN TO HEADER 

return;

}

if(isset($_GET["thumb"]))

{

if(empty($_GET["thumb"]))

{

//RETURN TO HEADER 

return;

}

else

{



$thumb = $_GET["thumb"];

$mypath = $root_path.'/'.$uid.'/'.$path.'/'.$thumb.'/'.$getfile.'';

if (file_exists($mypath))

{

readfile($mypath);

}

else

{

//RETURN TO HEADER 

}

}



}

else

{



$mypath = $root_path.'/'.$uid.'/'.$path.'/'.$getfile.'';

    

if (file_exists($mypath))

{

readfile($mypath);

}

else

{

//RETURN TO HEADER 

}



}















?>

 

Edited by Mancent
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.