CodeRed-Alpha Posted June 2, 2023

I am trying to encrypt just the directory part of the path in a URL. We have users downloading and viewing documents (pdf, doc, jpg, etc.). The filename does not need to be encrypted but it can be. Essentially I want it to look like this:

https://mydomain.com/documents/123.pdf

should show as

https://mydomain.com/Adslk$ksd)dsajka^sSPd/123.pdf

The purpose: to ensure that a user cannot browse directly to the folder just by removing the filename. We do not use any GET variables in our URLs for security reasons. Is there a way this can be done without decrypting it so the user can see it?

There are tons and tons of articles about encrypting the GET variables and URL parameters but I don't really see anybody doing just the file path without the file name being decrypted. We already disallow any user who is not logged in or without valid permissions from viewing the page or accessing the directory. But we do not even want the users to be able to know what directory this stuff is even stored in.

Any suggestions? Thank you.
requinix Posted June 2, 2023 (marked as solution)

You can't encrypt the location because the end result is that you're still giving someone a URL to the file. Having gibberish instead of the word "documents" doesn't change that.

The actual answer here is pretty simple: don't give direct links to your PDFs. Use a PHP script which authenticates the user and then outputs the file. You can use URL rewriting to transform /documents/whatever.pdf to something like /document.php?filename=whatever.pdf (which means existing URLs still work), then do something like

```php
<?php
session_start();

if (!isset($_SESSION["userid"])) { // or whatever so you know if the user isn't logged in
    http_response_code(403);
    exit;
}

if (!isset($_GET["filename"])) {
    http_response_code(400);
    exit;
}

$filename = $_GET["filename"];
// Allow-list the name: no slashes, so only a single path component is accepted
if (!preg_match('/^[a-z0-9_.-]+$/i', $filename)) { // potentially other characters in there
    http_response_code(404);
    exit;
}

$path = $_SERVER["DOCUMENT_ROOT"] . "/documents/" . $filename; // or whatever the path should be
if (!is_file($path)) {
    http_response_code(404);
    exit;
}

$extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
$mime = [
    // default (a later duplicate key overrides it)
    $extension => "application/octet-stream",
    // list of file types you might have
    "pdf" => "application/pdf",
    // ...
][$extension];

header("Content-Type: $mime");
header("Content-Length: " . filesize($path));
header("Content-Disposition: inline; filename=\"$filename\"");
readfile($path);
```
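The gatekeeper pattern from the answer, modelled in Python as an added example (not the thread's code) so its checks can be exercised offline: authenticate first, allow-list the bare filename, map the extension to a MIME type, and never reveal the storage directory. The session dict, MIME table and temporary documents directory are constructed assumptions, and the realpath containment check is extra hardening beyond the PHP above.

```python
import os
import re
import tempfile

# Constructed example, not the thread's code. Same filename allow-list as the PHP answer.
SAFE_NAME = re.compile(r"^[a-z0-9_.-]+$", re.IGNORECASE)
# Explicit MIME allow-list; unknown extensions fall back to an opaque download.
MIME_TYPES = {"pdf": "application/pdf", "jpg": "image/jpeg", "doc": "application/msword"}


def serve_document(session, filename, documents_dir):
    """Gatekeeper for a request rewritten from /documents/<filename>: (status, headers, body)."""
    # Authenticate first: anonymous callers learn nothing, not even whether the file exists.
    if "userid" not in session:
        return 403, {}, b""
    if not filename:
        return 400, {}, b""
    # Strict allow-list on the bare name rejects slashes and most traversal attempts.
    if not SAFE_NAME.match(filename):
        return 404, {}, b""
    # Added hardening (not in the thread's script): resolve the path, confirm it is still
    # directly inside the documents directory, then require a regular file (so ".." is refused).
    root = os.path.realpath(documents_dir)
    path = os.path.realpath(os.path.join(root, filename))
    if os.path.dirname(path) != root or not os.path.isfile(path):
        return 404, {}, b""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    with open(path, "rb") as fh:
        body = fh.read()
    headers = {
        "Content-Type": MIME_TYPES.get(ext, "application/octet-stream"),
        "Content-Length": str(len(body)),
        # Quoted so the name cannot smuggle extra header parameters.
        "Content-Disposition": f'inline; filename="{filename}"',
    }
    return 200, headers, body


def demo():
    """Create a throwaway documents directory and exercise the gatekeeper on typical requests."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "documents")
        os.mkdir(docs)
        with open(os.path.join(docs, "123.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample")
        user = {"userid": 7}
        return {
            "anonymous": serve_document({}, "123.pdf", docs)[0],
            "missing": serve_document(user, None, docs)[0],
            "traversal": serve_document(user, "../secret.txt", docs)[0],
            "dotdot": serve_document(user, "..", docs)[0],
            "ok": serve_document(user, "123.pdf", docs),
        }
```

Nothing in the 200 response names the on-disk directory, which is what the original question was really after; the client only ever sees the rewritten /documents/ URL and the filename it asked for.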