Please help me make FTP site secure!

[Edward]

 

I'm making an FTP site for users. I know that for security reasons I need to place my files outside of the web directory, but I can't seem to access SOME of them?! For the website to work, my supplier says to place the site docs inside the 'public_html' folder, which I've done. I can include a php page in the root folder by using the following code, but I can't display images with the code below. PLEASE can someone shead some light on this, its really urgent and I don't see (or particularly want) an alternative. Thank you very much.

 

This works:

<?php include('../test/test.php'); ?>

 

This doesn't work:

<a href="../test.jpg"><img src="../test.jpg" width="400" height="300" alt="Test" border="0" /></a>

[clown[NOR]]

you tried

../test/test.jpg

 

just a shot in the dark

[MadTechie]

LOL exacly what i was going to say

[clown[NOR]]

hehe... =) it's worth a try tho

[Edward]

 

Sorry, that was a typo on my part. Thanks but it isn't that simple unfortunately. Here's the actual code:

 

<a href="../test.jpg"><img src="../test.jpg" width="400" height="300" alt="Test" border="0" /></a><br />
<?php include('../test.php'); ?>

 

The image doesn't display but the php does  ???

[clown[NOR]]

how about using direct link to the image? just an idea

[Edward]

 

Do you mean doing this:

 

<a href="test.jpg"><img src="test.jpg" width="400" height="300" alt="Test" border="0" /></a><br />
<?php include('test.php'); ?>

 

I can't do that for security reasons.

[MadTechie]

If the image isn't in the public_html then i don't think a html page can read it.. have you tried a php page that loads the image up

 

something like

 

imageloader.php?IMG=thesun.png

<?php
function LoadPNG($imgname)
{
    $im = @imagecreatefrompng($imgname); /* Attempt to open */
    if (!$im) { /* See if it failed */
        $im  = imagecreatetruecolor(150, 30); /* Create a blank image */
        $bgc = imagecolorallocate($im, 255, 255, 255);
        $tc  = imagecolorallocate($im, 0, 0, 0);
        imagefilledrectangle($im, 0, 0, 150, 30, $bgc);
        /* Output an errmsg */
        imagestring($im, 1, 5, 5, "Error loading $imgname", $tc);
    }
    return $im;
}
header("Content-Type: image/png");
$img = LoadPNG("../".$_GET['IMG']);
imagepng($img);
?> 

 

 

or for JPEG  use

imageloader.php?IMG=thesun.jpg

<?php
function LoadJpeg($imgname)
{
    $im = @imagecreatefromjpeg($imgname); /* Attempt to open */
    if (!$im) { /* See if it failed */
        $im  = imagecreatetruecolor(150, 30); /* Create a black image */
        $bgc = imagecolorallocate($im, 255, 255, 255);
        $tc  = imagecolorallocate($im, 0, 0, 0);
        imagefilledrectangle($im, 0, 0, 150, 30, $bgc);
        /* Output an errmsg */
        imagestring($im, 1, 5, 5, "Error loading $imgname", $tc);
    }
    return $im;
}

header("Content-Type: image/jpeg");
$img = LoadJpeg("../".$_GET['IMG']);
imagejpeg($img);
?>

[Edward]

 

I think you might be right, I don't think the webserver will be able to read it. I'd seen this method recommended in books, but I guess that must just be for local-run sites. My problem is, that I've put the work in making a secure FTP site with login etc, however if anybody tries to access a file directly, they can! So if Mr Random goes to www.mysite.com, he won't be able to log in, however if he goes to mysite.com/files/private.txt, he will be able to view/download it. I know that he would first have to know the name of the file, but it still leaves it open to possibility (and there may be ways of him finding out?...). Is there any way around this? I only want the files to be accessible when they log in and click my link to the file.

[MadTechie]

the way i did this was by moving the files to a hidden area..

for example /public_html/test/uploaded/hidden/thefile.txt

 

of course the members need to access this so instead of suppling a link to it i use a php script to read the file in and then force a download (or display to page) see the snip section on force download your get the idea

 

<?php
//can be pulled from database
$file = '/public_html/test/uploaded/hidden/thefile.txt';

// or even (need to add a security cleanup to this \/
$file = '/public_html/test/uploaded/hidden/'.$_GET['file'];

header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); 

header("Content-Type: application/force-download");
header( "Content-Disposition: attachment; filename=".basename($file));

header( "Content-Description: File Transfer");
@readfile($file);

?>

 

 

JUST TO POINT OUT THAT WAS FROM A SNIP FROM THE FAQ/Code Snippet Repository section

 

http://www.phpfreaks.com/forums/index.php/topic,95433.0.html