Jump to content

Archived

This topic is now archived and is closed to further replies.

imaprogramur

A new challenge

Recommended Posts

I am trying to write a new PHP-based system that will store and display individual PDF files for my users.

I have an application that generates user-specific PDF files about twice a month. Each PDF file contains sensitive information that cannot be shared with other users, and should only be accessible to who ever is logged in.

My first idea was to somehow create a system of folders and use htaccess files to protect each indivdual directory, but the setup may be an enormous undertaking (over 1000 users) if I am unable to script the setup.

My next idea was to setup a database, and store the PDF's as binary within the database. I can then use a secure session to allow access to only that user's PDF files. I have never attempted something like this before and don't know if this would be very efficient when accessing the files via the DB.

Does anyone have any other ideas or some psuedo-code or know of an open source app that does this already????

Thanks!!!



Share this post


Link to post
Share on other sites
How many files per user will there be???
Have you created anything yet and if so what do you have so far??

Ray

Share this post


Link to post
Share on other sites
use the information stored in your database to create thepdf's on the fly. That way you don't store the actual pdf anywhere and can use the users details to grab the correct info from teh db to create it.

I know it means creating it over and overe agian but thta may not be such a big issue. You could also cache the pdf on teh client machine......

Share this post


Link to post
Share on other sites
[!--quoteo(post=360474:date=Mar 31 2006, 04:45 PM:name=craygo)--][div class=\'quotetop\']QUOTE(craygo @ Mar 31 2006, 04:45 PM) [snapback]360474[/snapback][/div][div class=\'quotemain\'][!--quotec--]
How many files per user will there be???
Have you created anything yet and if so what do you have so far??

Ray
[/quote]


There will somewhere between 20 and 30 PDF's fo revery user for every year, fomr the time that the system goes live...

At this point, I only have a basic login script that uses session cookies. I am looking more for the conceptual setup using PHP, than for specific code examples.

Thanks

Share this post


Link to post
Share on other sites
an option would be to store the files at a dir where only the server can reach through absolute paths (ie same level as your HTML dir). Then store the filename in the database, along with the userID.

if your login script is very secure, your PDF files are very secure.

Share this post


Link to post
Share on other sites
Now for your question, here's my concept. I say go with the MySQL database and store the PDF files in the database when you call them have a page that sends the PDF content type header and the actual content of the PDF rather than generating the PDF from some source everytime the user tries to access it. You said you already have a code that generates PDFs a couple times a month so just change it to store the generated code in the database instead of writing files. I have to ask though, why are you specifically using PDF files? That last bit is just for my own personal curiosity. If I understand your goal better I may be able to provide more focused ideas and possibly some tips and tricks.

Share this post


Link to post
Share on other sites
[!--quoteo(post=361120:date=Apr 3 2006, 02:28 AM:name=txmedic03)--][div class=\'quotetop\']QUOTE(txmedic03 @ Apr 3 2006, 02:28 AM) [snapback]361120[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Now for your question, here's my concept. I say go with the MySQL database and store the PDF files in the database when you call them have a page that sends the PDF content type header and the actual content of the PDF rather than generating the PDF from some source everytime the user tries to access it. You said you already have a code that generates PDFs a couple times a month so just change it to store the generated code in the database instead of writing files. I have to ask though, why are you specifically using PDF files? That last bit is just for my own personal curiosity. If I understand your goal better I may be able to provide more focused ideas and possibly some tips and tricks.
[/quote]


Well, we are printing pay stubs and would like to stop printing the pay stubs. Instead, I would like to have a PDF version of the same old pay stub (with the program we use, we just redirect the output from a printer to a PDF). So, I'd like to use PDF's because then the user can view, print, download, and we never have to store any of the sensistive information on the server in a database. Instead, it is just stored in static PDF files that hopefully is a little more secure.

Thanks for the ideas so far!

Share this post


Link to post
Share on other sites
Here is one way you can do it.

All users would get there own folder. This can easily be done with a script at time of sign up. Each pdf file that get generated will be put in there folder. Then have there username and password stored in the session and have it match their folder to be able to look at it's contents.

Another way, which would be easier for the person creating all these PDF files. make sure the user has the SAME login name as each file that has been created. Using some hashing with php you could match up the persons username with the files and show just those files that are in the directory. you could also assign a unique name for each person and have that name be he one that links.

I am throwing alot of things out there at ya, but there are quite a few ways to do it. make sure you use sessions or cookies to store up the information so that someone cannot throw someone elses name in the address bar and get their information.

Ray

Share this post


Link to post
Share on other sites
I put this together quick. It has 2 pages. login.php and userfiles.php. Also passwords are stored as md5 hash, you can remove the md5 if you want.

login.php
[code]<?
session_start();
// Connect to DB here


if(isset($_POST['username'])){
$username = $_POST['username'];
$password = md5($_POST['password']);
$getuser = "SELECT * from users WHERE username = '$username' AND password = '$password'";
  $result = mysql_query($getuser) or die (mysql_error());
    $r = mysql_fetch_array($result);
    $qualify = mysql_num_rows($result);
if($qualify > 0){
$_SESSION['username'] = $_POST['username'];
?>
<head>
<title>Login</title>
<META HTTP-EQUIV="Refresh" content="4;url=http://site.com/path/to/userfiles.php">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<br>
<p align=center>Thank you <?=$r['username']?>, you will now be redirected to your server page.</p>
</body>
</html>
<?
} else {
print '<p align=center>Bad username/password<br>Click <a href="http://site.com/path/to/login.php">here</a> to return to login page.';
}
} else {
?>
<form method=POST action="<? $_SERVER['PHP_SELF']?>">
<table border=1 cellpadding=3 celspacing=3 align=center width=50%>
<tr><td colspan=2 align=center>Login</td></tr>
<input type=hidden name=action value=login>
<tr><td>Username:</td><td><input type=text name=username size="20"></td><tr>
<tr><td>Password:</td><td><input type=password name=password size="20"></td><tr>
<tr><td colspan=2 align=center><input type=submit name=submit value=Login></td><tr>
</table>
</form>
</body>
</html>
<?
}
?>[/code]

userfiles.php
[code]<?php
session_start();
$user = $_SESSION['username'];

if ($handle = opendir('/full/path/to/pdffiles')) {
   /* This is the correct way to loop over the directory. */
   while (false !== ($file = readdir($handle))) {
       if (eregi("$user", $file)){
            print '<a href="path/to/files/'.$file.'">'.$file.'<a><br />';
              }
          }
   closedir($handle);
}
?>[/code]

The files name of the pdf has to have the username somewhere in it. And should be exactly the same. if someone has a username of johnw and anothe has a username of johnwe, then johnw will be able to see all of johnwe's files.

There are ways to fix this also, but I figure post the easy one first and see what happens.

There are ways to get by this. Obvoiusly the link shows where the files are located, so a savy user may be able to figure out where other users files are called if they know the username and get to them. I put this out to show a way and then you can build upon it. You could also put it into a form and point to a page that includes the pdf so as to mask it's where abouts.

Ray

Share this post


Link to post
Share on other sites
Okay, no the PDF is not any more secure than a database. You can simply store the pay stubs in a MySQL database and use a secure login system. There's a post on here where I went through the development of a mysql based login system. If you want more information on this, let me know.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.