Jump to content

Recommended Posts

Securing my upload folder “upl”


The upl folder is used to store anything that is uploaded by the user for their needs that is not a part of the back end, as such all content in this folder is subject to being locked down and and supplied after checking credentials.


The upl folder has an .htaccess file that locks down all remote access.

order deny,allow
deny from all


When something is needed from this directory we jump that wall with the help of apache after credentials are verified.


I think this is straight forward so far.


For images something like;

<img src=”downloader.php?app=1&id=20&type=thumb”>


For files something like;

<a href=”downloader.php?app=1&id=20&type=file&fileid=1212”>


After we check creds, we use similar to below to get data from that locked down folder.


$size = filesize($file);
header ( 'Content-Description: File Transfer' );
header("Content-Type: application/force-download");
header ( 'Content-Type: application/octet-stream' );
header ( "Content-Disposition: attachment; filename=\"".basename($file)."\"");
header ( 'Expires: 0' );
header ( 'Cache-Control: must-revalidate' );
header ( 'Pragma: public' );
header ( 'Content-Length: ' . filesize ( $file ) );
readfile ( $file );


seems to work pretty swimmingly for the most part.

My problem is (or at lease a mild nuisance) is that it seems that these images loaded in this manner are not subject to the cache system of a browser? It looks like they reload every time a page is visited.

Is there a way around this?


Share this post

Link to post
Share on other sites

Well, your script explicitly disables caching so the solution would be to, you know, not.

I imagine that once a file is uploaded it won't change. Maybe deleted or hidden, but not changed. Right? Set your Expires header to a date in the future, and fix Cache-Control to allow caching. And remove Pragma, it doesn't matter anymore.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.