Bytes | Software Development & Data Engineering Community

restrict access to directory

I think I have more or less got to grips with basic session management,
but I have a problem protecting a whole directory.

I am making a website with a members area. I have used some basic
session management to create a login page and then use the session to
control access to other pages.

I need to have a directory within the members area where the
organisation will upload files such as minutes of meetings, agendas,
etc. I want to be able to list the files in this directory on a
members only page, which I can do with opendir(), readdir() etc. and some
formatting to put links around the filenames.

My question is: how do I protect the files in that directory from being
accessed by somebody who knows the full path and file name?

Thanks
Chris

The site in question is http://www.rba.org.fk

Jul 17 '05 #1
In article <bt************@ID-134007.news.uni-berlin.de>, Chris Harris wrote:

My question is. How do I protect the files in that directory from being
accessed by somebody who knows the full path and file name?


If you're using a linux/unix server, google .htaccess.

--
[ Sugapablo ]
[ http://www.sugapablo.com <--music ]
[ http://www.sugapablo.net <--personal ]
[ su*******@12jabber.com <--jabber IM ]
Jul 17 '05 #2
"Chris Harris" <ch**********@cwfi.co.fk> wrote in message
news:bt************@ID-134007.news.uni-berlin.de...

That depends on what you mean by "knows the full path".

Your scripts should not allow path modifiers in any POST/GET, i.e.
"../someother/dir".

Now if you're talking about a shared hosting server, and someone else coming
along and writing a script that gets your files, well, get your own server,
or encrypt the data.

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #3
Save the file in a folder that's not accessible through Apache, then use a
PHP script for file downloading:

<a href="download.php?file=whatsup.doc"> ... </a>

download.php:

<?php
session_start();
$download_folder = '/useraccount/download_files';   // outside the web root (assumed path)

// basename() strips any directory part, so "../" cannot escape $download_folder
$file = basename(isset($_GET['file']) ? $_GET['file'] : '');
$filepath = "$download_folder/$file";

// check to see if user is logged in (session key assumed to be set by the login page)
if (empty($_SESSION['logged_in'])) { header('HTTP/1.0 403 Forbidden'); exit; }
if (!is_file($filepath))           { header('HTTP/1.0 404 Not Found'); exit; }

header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"$file\"");
session_write_close();   // release the session lock before a possibly long transfer
readfile($filepath);

Saving user-uploaded files in an Apache-accessible folder is rather
dangerous. If you forget to disable scripting on that folder, you could end
up allowing execution of arbitrary code on your server.

User "Chris Harris" <ch**********@cwfi.co.fk> wrote in message
news:bt************@ID-134007.news.uni-berlin.de...

Jul 17 '05 #4
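A more defensive version of the download script in the reply above, as an added example that is not part of the original reply. It assumes the directory layout suggested later in this thread (web root at /useraccount/www, documents in /useraccount/download_files, so the script reaches them through `__DIR__ . '/../download_files'`) and that the login page sets `$_SESSION['member_id']`; both are assumptions, not something the thread specifies. The extra checks over the original are an allow-list on the file name, a realpath() containment test that also refuses symlinks planted in the upload directory, and headers that stop an uploaded HTML file from being rendered in the site's own origin.

```php
<?php
// download.php  (added example, not the code from the reply above)
// Assumed layout: web root /useraccount/www, documents in /useraccount/download_files,
// which no URL maps to. Assumed session key: 'member_id', set by the login page.
declare(strict_types=1);

session_start();

const DOWNLOAD_DIR = __DIR__ . '/../download_files';

// 1. Authorisation before anything else touches the file system.
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Members only');
}

// 2. Accept only a plain file name. basename() strips directory parts but
//    still lets ".." and dot-files such as .htaccess through; this does not.
$name = $_GET['file'] ?? '';
if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._ -]{0,99}\z/', $name)) {
    http_response_code(400);
    exit('Bad file name');
}

// 3. Resolve and confirm the result is still inside DOWNLOAD_DIR.
//    realpath() follows symlinks, so a link planted in the upload directory
//    that points at /etc/passwd or the site's config is refused as well.
$base = realpath(DOWNLOAD_DIR);
$path = realpath(DOWNLOAD_DIR . '/' . $name);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('No such file');
}

// 4. Serve. application/octet-stream plus nosniff keeps an uploaded .html
//    from being rendered in the site's origin; the quoted filename is safe
//    because the allow-list excludes quotes and control characters.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
session_write_close();   // drop the session lock before a possibly long transfer
readfile($path);
```

The order matters: the session check runs before any file-system call, so an anonymous request cannot probe which names exist, and the 404 for a name that fails the containment test is deliberately the same response as for a missing file. session_write_close() is kept from the original for the reason it was there: PHP's file-based session handler holds a lock per session, so a member with a slow download would otherwise block their own other page loads until readfile() finishes.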
Chung Leong wrote:
Save the file in a folder that's not accessible through Apache, then use a
PHP script for file downloading.

Thanks, that seems to make sense; I'll go off and play. The server is not
Apache; Zeus, I think, off the top of my head.

Chris

Jul 17 '05 #5
Sugapablo wrote:
If you're using a linux/unix server, google .htaccess.

Looked at that, but I can't get to grips with it. I want to use the PHP
session management, and not the HTTP authentication activated by .htaccess.

It seems to me that I have to use one or the other; is that right?

Jul 17 '05 #6
That depends on what you mean by "knows the full path"


What I meant was that for example a file is located at

www.yoururl.com/membersonly/docs/somedoc.

Members only can't be listed (.htaccess), neither can docs, but if
somebody knows the full path and name they can enter that URL in their
browser and go straight to it.

I know I'm missing something fundamental here, but don't know enough
about the subject to identify the fundamental ;-)

Chris

Jul 17 '05 #7
As was mentioned here, save the files somewhere else.

e.g.:

/useraccount/www
/useraccount/logs
/useraccount/download_files

Your script can get to it by "../download_files/filename" but URLs
(http://www.......) cannot.

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"Chris Harris" <ch**********@cwfi.co.fk> wrote in message
news:bt************@ID-134007.news.uni-berlin.de...

Jul 17 '05 #8
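The members-only listing page the original poster described, written against the layout in the reply above, as an added example that is neither the poster's nor Mike Bradley's code. It reads /useraccount/download_files (outside the web root, reached via `__DIR__ . '/../download_files'`) with scandir() rather than opendir()/readdir(), assumes a session key `member_id` set by the login page, and links each file to a download.php of the kind shown in reply #4, which performs its own check before serving. The layout, the session key and the file names are all assumptions.

```php
<?php
// list.php  (added example, not the poster's or Mike Bradley's code)
// Assumed layout from the reply above: web root /useraccount/www, documents in
// /useraccount/download_files. Assumed session key: 'member_id'. Links point at a
// download.php of the kind shown in reply #4, which serves the file after its own check.
declare(strict_types=1);

session_start();

const DOWNLOAD_DIR = __DIR__ . '/../download_files';

if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('Members only');
}

/**
 * Regular files in $dir as a list of ['name', 'size', 'mtime'], newest first.
 * Dot-files and sub-directories are skipped, so a stray .htaccess, an editor
 * backup directory or a temp directory never shows up in the members' list.
 */
function list_documents(string $dir): array
{
    $entries = scandir($dir);
    if ($entries === false) {
        return [];
    }
    $docs = [];
    foreach ($entries as $entry) {
        $path = $dir . '/' . $entry;
        if ($entry[0] === '.' || !is_file($path)) {
            continue;
        }
        $docs[] = ['name' => $entry, 'size' => filesize($path), 'mtime' => filemtime($path)];
    }
    usort($docs, function (array $a, array $b): int {
        return $b['mtime'] <=> $a['mtime'];
    });
    return $docs;
}

$docs = list_documents(DOWNLOAD_DIR);
?>
<h2>Documents</h2>
<ul>
<?php foreach ($docs as $doc): ?>
  <li>
    <!-- urlencode() for the query string, htmlspecialchars() for the markup:
         an uploaded file called <script>.doc must stay inert on this page -->
    <a href="download.php?file=<?= urlencode($doc['name']) ?>">
      <?= htmlspecialchars($doc['name'], ENT_QUOTES, 'UTF-8') ?>
    </a>
    (<?= number_format($doc['size'] / 1024, 1) ?> KB, <?= date('Y-m-d', $doc['mtime']) ?>)
  </li>
<?php endforeach; ?>
</ul>
```

The page never emits a path, only a bare file name in the query string, so nothing in the HTML tells a visitor where on disk the documents live; and because the directory sits beside /www rather than under it, the web server has no URL that maps to it in the first place, which is the whole point of the layout above.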
CountScubula wrote:
As was mentioned here, save the files somewhere else.

OK, got you now with that bit. And I found something in .htaccess that
helps: the "access from" tag thingy means that I can set it to allow
access only from the members directory of my domain.

I'll do as you suggest and move the dir though.

thanks

Jul 17 '05 #9
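For the case where the documents have to stay under the web root on an Apache host, this is the .htaccess form of the rule that reply #2 pointed at, added here as an example that is not from the thread. It does not use HTTP authentication at all (the thing reply #6 wanted to avoid); it simply refuses every direct URL to the directory, while a PHP script elsewhere on the site can still readfile() the documents because disk reads never pass through these rules. It is Apache-only: the server in this thread is Zeus (reply #5), which has its own access-control syntax. It assumes the host's AllowOverride permits Limit, AuthConfig, FileInfo and Options directives in .htaccess; if it does not, Apache answers 500 for the whole directory.

```apache
# /membersonly/docs/.htaccess  (added example, Apache only, not from the thread)
# Every direct URL into this directory gets 403. A download.php elsewhere on
# the site still works, because readfile() reads from disk, not over HTTP.

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 and earlier
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Belt and braces for the "uploaded script executes" risk from reply #4:
# no directory index, no CGI, and script extensions are served as plain files
# instead of being handed to the PHP engine, should the denial above ever be relaxed.
Options -Indexes -ExecCGI
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    SetHandler default-handler
</FilesMatch>
```

Check it from outside after deploying: a request for a known file name under /membersonly/docs/ must return 403, and the same name requested through download.php with a valid session must still return the file. If the first request returns 500 rather than 403, AllowOverride is the usual cause.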
