Password protecting downloads

I'm in the middle of developing a website with a downloads section.
It's a wad of educational software for an LEA which for obvious reasons
needs password protecting. Users have to authenticate before being
allowed to search and getting a link to the download.

Don't want the users to get at the files without logging in first, so I
created a script (filedownload.php) that adds the filename to the URL
query string (e.g., filedownload.php?file=file1.zip)

filedownload.php then simply prepends the full name of where the files live:

header("Location: http://www.xyz.com/fileslivehere/file1.zip");

I thought this would do the job so the user wouldn't get to see the full
URL on screen, but I've just realised it appears in the browser history
(At least in IE, haven't checked Mozilla or others.)

I don't have shell access to the web server so this must be PHP only, or
achievable with shell commands executed via PHP. I was thinking about
copying a 'master' file to a temporary random file name but most of the
files are 200-300 meg so I'd like to avoid this, then there's the
problem of knowing if the file has downloaded okay to delete the
temporary file[1].

I'd say this isn't a new problem! How have others achieved the same
thing on their sites?
Dec 17 '05 #1
Iain Napier wrote:
I'd say this isn't a new problem! How have others achieved the same
thing on their sites?


It may not be the easiest solution, but it is the most effective..
consider storing the files in a mysql database. Many people forget
you can easily store and retrieve binary data from the db. This way,
you can highly control when and if the data stream is sent to the user
from the db, and it's nearly impossible for anyone to get data out of it
without properly authenticating via your scripts.. using this method,
there is no direct http path to the file.

Secondly, you can store the files outside of the webroot.. sounds like
you're using shared hosting here, so instead of putting the files in
your public_http, put them somewhere else, then your download script
just sources that file, wherever it is (fopen) and sends it..
--
alex ~ al**@aeshells.org ~ www.aeshells.org ~ www.aeirc.net ~

USER, n.:
The word computer professionals use when they mean "idiot."
Dec 17 '05 #2
alex wrote:

It may not be the easiest solution, but it is the most effective..
consider storing the files in a mysql database. Many people forget
you can easily store and retrieve binary data from the db. This way,
you can highly control when and if the data stream is sent to the user
from the db, and it's nearly impossible for anyone to get data out of it
without properly authenticating via your scripts.. using this method,
there is no direct http path to the file.

This certainly sounds the most secure option. Is this likely to give
the server much of a performance hit?

Secondly, you can store the files outside of the webroot.. sounds like
you're using shared hosting here, so instead of putting the files in
your public_http, put them somewhere else, then your download script
just sources that file, wherever it is (fopen) and sends it..


This is interesting.

However FTP'ing into the server dumps me chroot'd in wwwroot so I can't
directly upload files elsewhere, perhaps a PHP script would allow me
access to some other directories on the server though? (Is this likely?)

If I could execute a shell script from PHP to create another directory
and move uploaded files to it that could be a workaround.

I'll rustle up a script tomorrow to test it (It's nearly 3am!)
Dec 17 '05 #3
alex wrote:

Secondly, you can store the files outside of the webroot.. sounds like
you're using shared hosting here, so instead of putting the files in
your public_http, put them somewhere else, then your download script
just sources that file, wherever it is (fopen) and sends it..


I've just realised I can change permissions on this server, so if I
create a subdirectory in wwwroot called privatearea, put my file1.zip in
there and remove the public read permission, a web browser can't get
its hands on it.

Now, I create a test.php in the same directory as file1.zip and using
$_SERVER['PATH_TRANSLATED'], I get the full file system path to where my
files are. So:

$file="/full/path/to/my/wwwroot/privatearea/file1.zip";
if ($file_handle=fopen($file,"r")) echo("PHP can read the file!");

And I see PHP can read the file okay, but web browsers don't get direct
access to it.

Presumably I can now use fopen to send the data back via PHP?

Thanks for the pointer in your first post, I seem to be on the right
track now I hope. Tomorrow I'll try and work out how to have PHP send
the file back.. 3.30 am now :-\
Dec 17 '05 #4
Iain Napier wrote:
alex wrote:

Secondly, you can store the files outside of the webroot.. sounds like
you're using shared hosting here, so instead of putting the files in
your public_http, put them somewhere else, then your download script
just sources that file, wherever it is (fopen) and sends it..

I've just realised I can change permissions on this server, so if I
create a subdirectory in wwwroot called privatearea, put my file1.zip in
there and remove the public read permission, a web browser can't get
its hands on it.


it's been awhile since i used any shared hosting (three or four years at
least), but if it's *nix based (you don't use a windows host.. do you?)
you should have some sort of a /home/user dir.. normally including your
public_http, maybe a public_ftp, normally also an etc, and a few others
depending on your host for all the settings and such pertaining to your
account.. your host could of course be different.

Now, I create a test.php in the same directory as file1.zip and using
$_SERVER['PATH_TRANSLATED'], I get the full file system path to where my
files are. So:

$file="/full/path/to/my/wwwroot/privatearea/file1.zip";
if ($file_handle=fopen($file,"r")) echo("PHP can read the file!");

And I see PHP can read the file okay, but web browsers don't get direct
access to it.

Presumably I can now use fopen to send the data back via PHP?

Thanks for the pointer in your first post, I seem to be on the right
track now I hope. Tomorrow I'll try and work out how to have PHP send
the file back.. 3.30 am now :-\


here is a bit of a script i use to open a file and send it to the
client.. you can use this to help.. (keep in mind, when we send
headers, they must be the first thing sent, you can't have any output go
to the client first) (also, using this method, i always use the ob
buffer.. so all the headers and file stream are sent at the same time..
works this way for me.. ymmv)

#------------------------------------
ob_start();
header('Content-type: application/x-gzip');
header('Content-Disposition: attachment; filename="' . $file . '"');
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
readfile($dir . $file);
ob_end_flush();
#------------------------------

be sure to modify the content-type for whatever you're sending
--
alex ~ al**@aeshells.org ~ www.aeshells.org ~ www.aeirc.net ~

USER, n.:
The word computer professionals use when they mean "idiot."
Dec 17 '05 #5
Following on from Iain Napier's message. . .
I'm in the middle of developing a website with a downloads section.
It's a wad of educational software for an LEA which for obvious reasons
needs password protecting. Users have to authenticate before being
allowed to search and getting a link to the download.

Don't want the users to get at the files without logging in first, so I
created a script (filedownload.php) that adds the filename to the URL
query string (e.g., filedownload.php?file=file1.zip)

filedownload.php then simply prepends the full name of where the files live:


Fine (when set to point outside the web root) so long as you know that
your security model is "the key's under the mat". I.e. you can't
revoke permission to a single user, and you've opened up the complete
archive to all users.

BTW here is your starter for 10.
What steps should you take to stop somebody trying to access the php
sources by trying out a few possibilities like
"filedownload.php?file=../www/filedownload.php"?

--
PETER FOX Not the same since the bottom fell out of the bucket business
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
Dec 17 '05 #6
alex wrote:

here is a bit of a script i use to open a file and send it to the
client.. you can use this to help.. (keep in mind, when we send
headers, they must be the first thing sent, you can't have any output go
to the client first) (also, using this method, i always use the ob
buffer.. so all the headers and file stream are sent at the same time..
works this way for me.. ymmv)

#------------------------------------
ob_start();
header('Content-type: application/x-gzip');
header('Content-Disposition: attachment; filename="' . $file . '"');
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
readfile($dir . $file);
ob_end_flush();
#------------------------------

be sure to modify the content-type for whatever you're sending


That's worked brilliantly.

I've removed the world read attribute for all the files, and used your
chunk of code there to look at their absolute path on the web server.
No clients can view them directly via a browser, but they can read them
fine going via authentication then your script.

Just what I wanted! Many thanks :-)
Dec 17 '05 #7
Peter Fox wrote:

Fine (when set to point outside the web root) so long as you know that
your security model is "the key's under the mat". I.e. you can't
revoke permission to a single user, and you've opened up the complete
archive to all users.

BTW here is your starter for 10.
What steps should you take to stop somebody trying to access the php
sources by trying out a few possibilities like
"filedownload.php?file=../www/filedownload.php"?


Hi Peter,

Thanks for the comments. All the filenames are stored in a MySQL
database, and the filename is validated against what's in there before
filedownload.php allows the user to get it.
Dec 17 '05 #8
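
The traversal check Peter Fox asks about, combined with the filename allowlist Iain describes, as an added example that is not code from any poster in this thread. The function names, the `$_SESSION['user_id']` login flag and the in-code `$allowed` array (standing in for the MySQL lookup) are assumptions.

```php
<?php
declare(strict_types=1);

// Map a user-supplied ?file= value to a real path inside $baseDir, or null.
// $allowed stands in for the MySQL filename table described in the thread.
function resolve_download(string $requested, array $allowed, string $baseDir): ?string
{
    // 1. Exact allowlist match: names that are not on record are refused outright.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: resolve ".." and symlinks, then confirm containment.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function send_download(string $path): void
{
    // Drop output buffers so a 200-300 MB file is streamed rather than held in memory.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: a private directory plus a script one level above it.
    $root = sys_get_temp_dir() . '/dl_demo_' . getmypid();
    mkdir("$root/privatearea", 0700, true);
    file_put_contents("$root/privatearea/file1.zip", 'demo');
    file_put_contents("$root/filedownload.php", '<?php // source');
    // The second entry simulates a bad database row; containment still refuses it.
    $allowed = ['file1.zip', '../filedownload.php'];
    foreach (['file1.zip', '../filedownload.php', 'missing.zip'] as $name) {
        $hit = resolve_download($name, $allowed, "$root/privatearea");
        echo str_pad($name, 22), $hit === null ? 'refused' : 'served', PHP_EOL;
    }
} else {
    session_start();
    // Assumption: the login code sets $_SESSION['user_id'] on success.
    $name = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
    $path = empty($_SESSION['user_id'])
        ? null
        : resolve_download($name, ['file1.zip'], __DIR__ . '/privatearea');
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    send_download($path);
}
```

Replacing the fixed array with a per-user query is what makes access revocable for a single account, the other point raised in post #6.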

"Iain Napier" <em*******************@aol.com> wrote in message
news:XN********************@pipex.net...
alex wrote:

Secondly, you can store the files outside of the webroot.. sounds like
you're using shared hosting here, so instead of putting the files in your
public_http, put them somewhere else, then your download script just
sources that file, wherever it is (fopen) and sends it..

I've just realised I can change permissions on this server, so if I create
a subdirectory in wwwroot called privatearea, put my file1.zip in there
and remove the public read permission, a web browser can't get its hands
on it.

Now, I create a test.php in the same directory as file1.zip and using
$_SERVER['PATH_TRANSLATED'], I get the full file system path to where my
files are. So:

$file="/full/path/to/my/wwwroot/privatearea/file1.zip";
if ($file_handle=fopen($file,"r")) echo("PHP can read the file!");

And I see PHP can read the file okay, but web browsers don't get direct
access to it.

Presumably I can now use fopen to send the data back via PHP?


a better function might be readfile() because it reads the file and outputs
straight to the browser. all you need before it is header()s.

Thanks for the pointer in your first post, I seem to be on the right track
now I hope. Tomorrow I'll try and work out how to have PHP send the file
back.. 3.30 am now :-\

Feb 6 '06 #9
