I think I have more or less got to grips with basic session management,
but I have a problem protecting a whole directory.
I am making a website with a members area. I have used some basic
session management to create a login page and then use the session to
control access to other pages.
I need to have a directory within the members area where the
organisation will upload files such as minutes of meetings, agendas,
etc. I want to be able to list the files in this directory on a
members only page, which I can do with opendir(), readdir() etc. and some
formatting to put links around the filenames.
My question is: how do I protect the files in that directory from being
accessed by somebody who knows the full path and file name?
Thanks
Chris
The site in question is http://www.rba.org.fk
In article <bt************@ID-134007.news.uni-berlin.de>, Chris Harris wrote: My question is. How do I protect the files in that directory from being accessed by somebody who knows the full path and file name?
If you're using a linux/unix server, google .htaccess.
--
[ Sugapablo ]
[ http://www.sugapablo.com <--music ]
[ http://www.sugapablo.net <--personal ]
[ su*******@12jabber.com <--jabber IM ]
"Chris Harris" <ch**********@cwfi.co.fk> wrote in message news:bt************@ID-134007.news.uni-berlin.de...
That depends on what you mean by "knows the full path".
Your scripts should not allow path modifiers in any POST/GET, i.e.
"../someother/dir".
Now if you're talking about a shared hosting server, and someone else coming
along and writing a script that gets your files, well, get your own server,
or encrypt the data.
--
Mike Bradley http://www.gzentools.com -- free online php tools
Save the file in a folder that's not accessible through Apache, then use a
PHP script for file downloading:
<a href="download.php?file=whatsup.doc"> ... </a>
download.php:
<?php
session_start();
if (empty($_SESSION['logged_in'])) { header('HTTP/1.0 403 Forbidden'); exit; } // the login check
$download_folder = '/path/outside/web/root';   // placeholder: a folder no URL maps to
$file = basename($_GET['file'] ?? '');         // strip any directory part from the request
$filepath = "$download_folder/$file";
if ($file === '' || !is_file($filepath)) { header('HTTP/1.0 404 Not Found'); exit; }
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $file . '"');
session_write_close();
readfile($filepath);
Saving user-uploaded files in an Apache-accessible folder is rather
dangerous. If you forget to disable scripting on that folder, you could end
up allowing execution of arbitrary code on your server.
User "Chris Harris" <ch**********@cwfi.co.fk> wrote in message news:bt************@ID-134007.news.uni-berlin.de...
Chung Leong wrote: Save the file in a folder that's not accessible through Apache, then use a PHP script for file downloading.
Thanks that seems to make sense, I'll go off and play. The server is not
Apache, Zeus I think off the top of my head.
Chris
Sugapablo wrote: In article <bt************@ID-134007.news.uni-berlin.de>, Chris Harris wrote:
My question is. How do I protect the files in that directory from being accessed by somebody who knows the full path and file name?
If you're using a linux/unix server, google .htaccess.
Looked at that, but I can't get to grips with it. I want to use the PHP
session management, and not the HTTP authentication activated by .htaccess.
It seems to me that I have to use one or the other; is that right?
That depends on what you mean by "knows the full path"
What I meant was that for example a file is located at www.yoururl.com/membersonly/docs/somedoc.
Members only can't be listed (.htaccess), neither can docs, but if
somebody knows the full path and name they can enter that url in their
browser and go straight to it.
I know I'm missing something fundamental here, but don't know enough
about the subject to identify the fundamental ;-)
Chris
As was mentioned here, save the files somewhere else.
ex:
/useraccount/www
/useraccount/logs
/useraccount/download_files
Your script can get to it by "../download_files/filename" but URLs (http://www.......) cannot.
--
Mike Bradley http://www.gzentools.com -- free online php tools
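Putting the two pieces of advice together (files outside the web root, handed out only by a session-checked script) as an added example that is not code from the thread. It assumes the /useraccount layout CountScubula gave and a hypothetical $_SESSION['member_id'] key, and goes one step further than the replies by confining the resolved path with realpath(), which also catches a symlink that basename() alone would let through.

```php
<?php
// Added example, not code from the thread. Assumes the layout CountScubula
// describes: web root /useraccount/www, uploads in /useraccount/download_files
// (one level up, so no URL reaches them). The session key is hypothetical.
define('DOWNLOAD_DIR', dirname(__DIR__) . '/download_files');

// Map a requested name to a real file inside DOWNLOAD_DIR, or null if it is
// anything else. basename() is only a first filter: realpath() also resolves
// symlinks, so a link inside the folder that points elsewhere is rejected too.
function safe_member_path(string $dir, string $requested): ?string
{
    $base = realpath($dir);
    if ($base === false || $requested === '' || $requested !== basename($requested)) {
        return null;                              // empty, or has a directory part
    }
    $path = realpath($base . '/' . $requested);
    if ($path === false || !is_file($path)) {
        return null;                              // missing, or a directory
    }
    $prefix = $base . DIRECTORY_SEPARATOR;        // must sit directly under $base
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// The members-only listing the original poster asked for: opendir()/readdir(),
// one download.php link per regular file, with the name escaped for HTML.
function list_member_files(string $dir): array
{
    $links = [];
    if (($dh = opendir($dir)) === false) {
        return $links;
    }
    while (($entry = readdir($dh)) !== false) {
        if ($entry[0] === '.' || !is_file("$dir/$entry")) {
            continue;                             // skip dotfiles and subdirectories
        }
        $links[] = sprintf('<a href="download.php?file=%s">%s</a>',
            rawurlencode($entry), htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'));
    }
    closedir($dh);
    sort($links);
    return $links;
}
// Gate on the PHP session, never on the path being hard to guess.
session_start();
if (empty($_SESSION['member_id'])) {              // hypothetical session key
    header('Location: login.php');
    exit;
}
echo implode("<br>\n", list_member_files(DOWNLOAD_DIR));
```

download.php would perform the same session check, call safe_member_path(DOWNLOAD_DIR, $_GET['file']) and readfile() the result, answering 404 when it gets null.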
"Chris Harris" <ch**********@cwfi.co.fk> wrote in message news:bt************@ID-134007.news.uni-berlin.de...
CountScubula wrote: as was mentioned here, save the files somewhere else.
OK, got you now with that bit, and I found something in .htaccess that
helps: the "access from" tag thingy means that I can set it to allow
access only from the members directory of my domain.
I'll do as you suggest and move the dir though.
thanks