
restrict access to directory

I think I have more or less got to grips with basic session management,
but I have a problem protecting a whole directory.

I am making a website with a members area. I have used some basic
session management to create a login page and then use the session to
control access to other pages.

I need to have a directory within the members area where the
organisation will upload files such as minutes of meetings, agendas,
etc. I want to be able to list the files in this directory on a
members only page, which I can do with opendir(), readdir() etc. and some
formatting to put links around the filenames.

My question is: how do I protect the files in that directory from being
accessed by somebody who knows the full path and file name?

Thanks
Chris

The site in question is http://www.rba.org.fk

Jul 17 '05 #1
In article <bt************@ID-134007.news.uni-berlin.de>, Chris Harris wrote:

> My question is: how do I protect the files in that directory from being
> accessed by somebody who knows the full path and file name?


If you're using a linux/unix server, google .htaccess.

--
[ Sugapablo ]
[ http://www.sugapablo.com <--music ]
[ http://www.sugapablo.net <--personal ]
[ su*******@12jabber.com <--jabber IM ]
Jul 17 '05 #2
That depends on what you mean by "knows the full path".

Your scripts should not allow path modifiers in any POST/GET, i.e.
"../someother/dir".

Now if you're talking about a shared hosting server, and someone else coming
along and writing a script that gets your files, well, get your own server,
or encrypt the data.

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #3
Save the file in a folder that's not accessible through Apache, then use a
PHP script for file downloading:

<a href="download.php?file=whatsup.doc"> ... </a>

download.php:

<?php
// $download_folder points at a directory outside the web root
$file = basename($_GET['file']);
$filepath = "$download_folder/$file";

// .... check to see if user is logged in ...

header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"$file\"");
session_write_close();
readfile($filepath);

Saving user-uploaded files in an Apache-accessible folder is rather
dangerous. If you forget to disable scripting on that folder, you could end
up allowing execution of arbitrary code on your server.

Jul 17 '05 #4
Chung Leong wrote:
> Save the file in a folder that's not accessible through Apache, then use a
> PHP script for file downloading:
>
> <a href="download.php?file=whatsup.doc"> ... </a>
>
> download.php:
>
> $file = basename($file);
> $filepath = "$download_folder/$file";
>
> ... check to see if user is logged in ...
>
> header("Content-type: application/x-octet-stream");
> header("Content-Disposition: attachment; filename=$file");
> session_write_close();
> readfile($filepath);
>
> Saving user uploaded file in an Apache-accessible folder is rather
> dangerous. If you forget to disable scripting on that folder, you could end
> up allowing execution of arbitrary code on your server.

Thanks, that seems to make sense; I'll go off and play. The server is not
Apache; Zeus, I think, off the top of my head.

Chris

Jul 17 '05 #5
Sugapablo wrote:
> In article <bt************@ID-134007.news.uni-berlin.de>, Chris Harris wrote:
> > My question is: how do I protect the files in that directory from being
> > accessed by somebody who knows the full path and file name?
>
> If you're using a linux/unix server, google .htaccess.

Looked at that, but I can't get to grips with it. I want to use the PHP
session management, and not the HTTP authentication activated by .htaccess.

It seems to me that I have to use one or the other; is that right?

Jul 17 '05 #6
> That depends on what you mean by "knows the full path"

What I meant was that for example a file is located at

www.yoururl.com/membersonly/docs/somedoc.

Members only can't be listed (.htaccess), neither can docs, but if
somebody knows the full path and name they can enter that url in their
browser and go straight to it.

I know I'm missing something fundamental here, but don't know enough
about the subject to identify the fundamental ;-)

Chris

Jul 17 '05 #7
As was mentioned here, save the files somewhere else.

ex:

/useraccount/www
/useraccount/logs
/useraccount/download_files

Your script can get to it by "../download_files/filename", but URLs
(http://www.......) cannot.

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #8
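The two suggestions above (Chung Leong's download script in #4 and Mike Bradley's "keep the store beside the web root" layout in #8) combined into one working script, as an added example that is not code from any poster in this thread. The session key 'member_id' and the folder /useraccount/download_files are assumptions; the script is taken to live in /useraccount/www.

```php
<?php
// Added example, not code from any poster in this thread: a download.php that
// serves files kept outside the document root, gated on the PHP session the
// login page already creates. 'member_id' and the folder layout are assumed.
session_start();

function refuse(int $status, string $text): void
{
    http_response_code($status);
    exit($text);
}

// Only a member with a live session may fetch anything at all.
if (empty($_SESSION['member_id'])) {
    refuse(403, 'Members only');
}

// The store sits beside the web root, not under it, so no URL maps to it.
$store = realpath(__DIR__ . '/../download_files');

$name = $_GET['file'] ?? '';
if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
    refuse(400, 'Bad request');
}

// basename() drops any directory part ("../", "/etc/"), so the request can
// only name an entry directly inside $store; dotfiles are refused as well.
$name = basename($name);
if ($name === '' || $name[0] === '.') {
    refuse(404, 'No such file');
}

// realpath() follows symlinks; the result must still be a regular file
// inside $store, otherwise a planted link could point anywhere on disk.
$path = $store === false ? false : realpath($store . DIRECTORY_SEPARATOR . $name);
if ($path === false || !is_file($path)
    || strpos($path, $store . DIRECTORY_SEPARATOR) !== 0) {
    refuse(404, 'No such file');
}

// Generic binary type, a quoted filename, and nosniff so the browser never
// renders an uploaded HTML or script file inline from this origin.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . str_replace('"', '', $name) . '"');
header('X-Content-Type-Options: nosniff');
// Release the session lock before streaming a large file, so other requests
// in the same session are not blocked until the download finishes.
session_write_close();
readfile($path);
```

The members-only listing page can build its links from scandir() on the same $store directory, passing only the bare filename in the ?file= parameter.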
CountScubula wrote:
> As was mentioned here, save the files somewhere else.
>
> ex:
>
> /useraccount/www
> /useraccount/logs
> /useraccount/download_files
>
> Your script can get to it by "../download_files/filename", but URLs
> (http://www.......) cannot.


OK, got you now with that bit. And I found something in .htaccess that
helps: the "access from" tag thingy means that I can set it to allow
access only from the members directory of my domain.

I'll do as you suggest and move the dir though.

thanks

Jul 17 '05 #9