
Security of user uploaded files

73
Hello,

I'm going to start making a script that will allow users to upload a file, then re download it later. I'll basically be doing the following:

- The uploaded file will be given a string of random numbers / letters as the filename and uploaded to a folder.

- That random file name will be stored in the database along with the user's username

- When the user logs in they will see a list of their files that they can download and they will link to the appropriate file on the site.

The only problem with this is that anyone will be able to access the file if they get the link. It is unlikely that they'd guess the file name but still there is a possibility so my question is:

Is there a way to make this system more secure, only allowing that same user to download the file again?

The files uploaded won't contain sensitive information however I certainly don't want it falling into the hands of certain people.
May 16 '08 #1
Markus
6,050 Expert 4TB
Hm, interesting problem.

If the filename is guessable, people will be able to access it.

What you could do is keep changing the file name when downloaded.

Just a thought,

*subscribing*
May 16 '08 #2
ronverdonk
4,258 Expert 4TB
Another option is to do it as (some) publishers like SitePoint do it. You are here not able to download a file directly, even when you know the filename.

When you want to download you indicate that file after logging in. The site will then send you an e-mail with a link with the hashed bookname in it. Clicking that link only will download the file to you.

Ronald
May 16 '08 #3
Atli
5,058 Expert 4TB
Hi.

You could also consider putting the file outside the web root, and have PHP output it only to users that have logged in.

Or just put the file into the Database and read it from there.
May 16 '08 #4
TheServant
1,168 Expert 1GB
Hi.

You could also consider putting the file outside the web root, and have PHP output it only to users that have logged in.

Or just put the file into the Database and read it from there.
Yeah, I think if you want security, you will need a login system. Connected (but not requiring a login system) would be to use a database to record file name and a password to that file. So when a user requests a file, it will search the database and ask for the registered password (and registered name?) before it lets them download it.
May 16 '08 #5
Jeigh
73
Yeah the site will have a registration / log in system, and the link will only be displayed to the logged in user however my problem is that, even though they are the only ones given the link, since the file is uploaded and in the FTP everyone has access to it if they can just guess the link.

So if they know the files are stored in /files, they could just randomly type like /files/oehno0wrhnqr32rjhw3.xls and get lucky, or even get some sort of brute force script to do it.

I thought I could add some sort of verification code that is stored in the database also so the link would be something like:

redirect.php?file=eweknr0932n0rs.xls&v=929302089

But obviously, I'm still faced with the same problem, it's just harder to guess.

Thanks for the responses.
May 16 '08 #6
ronverdonk
4,258 Expert 4TB
....and in the FTP everyone has access to it if they can just guess the link....
You cannot be serious that your users have access to your server via FTP? If so, why on earth did you do that? And why not a simple download link to be clicked?

Ronald
May 16 '08 #7
Jeigh
73
I may be missing something simple here, my users don't have access to the FTP but what I mean is if I upload a file say in files/xxxxx.jpg if I want one user to have access to it then all of them will be able to download it by just typing in mysite.com/files/xxxxx.jpg, however I only want the one user who uploaded it (which will be through a form on my site) to download it.
May 17 '08 #8
Atli
5,058 Expert 4TB
Like I said before, the easiest solution would probably be to put the files outside the web root so that it can not be downloaded directly.
Either that or put it inside your database.

You could also set its permission so that only its owner (PHP, I would assume) has access to it. But that can be a little tricky. Check out the chmod function.
May 17 '08 #9
Jeigh
73
Like I said before, the easiest solution would probably be to put the files outside the web root so that it can not be downloaded directly.
Either that or put it inside your database.
Thanks for the response but I'm not entirely sure what you mean, would you be able to elaborate on that at all?
May 17 '08 #10
dlite922
1,584 Expert 1GB
Hello,

I'm going to start making a script that will allow users to upload a file, then re download it later. I'll basically be doing the following:

- The uploaded file will be given a string of random numbers / letters as the filename and uploaded to a folder.

- That random file name will be stored in the database along with the user's username

- When the user logs in they will see a list of their files that they can download and they will link to the appropriate file on the site.

The only problem with this is that anyone will be able to access the file if they get the link. It is unlikely that they'd guess the file name but still there is a possibility so my question is:

Is there a way to make this system more secure, only allowing that same user to download the file again?

The files uploaded won't contain sensitive information however I certainly don't want it falling into the hands of certain people.

Atli has you going the right direction. The way most sites do this is by not providing a direct link to a file but more of a "getter" file.

observer getFile.php?id=388787533434

Here, getFile.php could look at the session and grab the user (or should know it already), then look up that id in the database and make sure the username matches. If so, then have php grab the file, ie what Atli suggested, that url to the file grabbed from the DB is not in a "public" directory accessible through the browser.

mysiteFiles/
mysiteFiles/uploadedFiles/
mysiteFiles/webroot/
mysiteFiles/webroot/index.php
mysiteFiles/webroot/getFile.php

In this example, webroot is the public folder where your site is located. The directory where the uploaded files will be is outside this folder.

Good luck,

Dan
May 17 '08 #11
Jeigh
73
Ah yes I see, so the /uploadedfiles folder I have to chmod so users can't access it, but by using the PHP script it will still allow them to download it?

Thanks for all the help I appreciate it.
May 17 '08 #12
Atli
5,058 Expert 4TB
Ah yes I see, so the /uploadedfiles folder I have to chmod so users can't access it, but by using the PHP script it will still allow them to download it?

Thanks for all the help I appreciate it.
No there is no chmod needed in this scenario.

Say that the web root of www.example.com is /files/webroot/.
If you ask for www.example.com/dir/myfile.ext the HTTP server will try to serve the file at /files/webroot/dir/myfile.ext.

If you store your files in a folder outside the web root, for example /files/fileUploads/ no URL will make the HTTP server serve files from that directory. It is simply out of reach.

You can, however, have your PHP scripts read files from anywhere on the server, given that PHP has permission to read it.

So, if you have your PHP validate that a user is in fact logged in and should be able to download the file, you can have PHP *pretend* to be the file by echoing headers and outputting the contents of the file.

For example, if you have an image at /files/fileUploads/myImage.jpg and you have a PHP page inside the web-root at /files/webroot/downloadImage.php, containing the code:
    <?php
    // The image lives outside the web root, so only PHP can reach it.
    $imagePath = "/files/fileUploads/myImage.jpg";
    $imageMime = "image/jpeg";
    $imageSize = filesize($imagePath);

    // Tell the browser what it is about to receive.
    header("Content-Type: " . $imageMime);
    header("Content-Length: " . $imageSize);

    // Stream the file contents as the response body.
    readfile($imagePath);

If you now ask for www.example.com/downloadImage.php, your browser will accept this .php file as a JPEG image, and display it as the original image.
May 18 '08 #13
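
The two answers above (the "getter" script that checks the session and the owner in the database, and streaming a file stored outside the web root) combined into one getFile.php. This is an added example, not code posted by anyone in the thread; the `uploads` table and its columns, the `username` session key and the database credentials are assumptions.

```php
<?php
// getFile.php - lives inside the web root; the stored files do not.
// Assumed (hypothetical) schema: uploads(id, owner, stored_name, original_name)
declare(strict_types=1);
session_start();

const UPLOAD_DIR = '/files/fileUploads';   // outside the web root, as in the post above

// 1. Require a logged-in user (the 'username' session key is an assumption).
if (empty($_SESSION['username'])) {
    http_response_code(403);
    exit('Not logged in.');
}

// 2. Look the file up by id AND owner, so another user's id matches no row.
$id  = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
$pdo = new PDO('mysql:host=localhost;dbname=mysite', 'dbuser', 'dbpass'); // placeholder credentials
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare(
    'SELECT stored_name, original_name FROM uploads WHERE id = ? AND owner = ?'
);
$stmt->execute([$id, $_SESSION['username']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);   // same answer for "no such file" and "not yours"
    exit('File not found.');
}

// 3. Build the path from the database value only; basename() drops any directory part.
$path = UPLOAD_DIR . '/' . basename($row['stored_name']);
if (!is_file($path) || !is_readable($path)) {
    http_response_code(404);
    exit('File not found.');
}

// 4. Send it as a download. A generic type plus "attachment" keeps the browser
//    from rendering uploaded content as a page of this site.
$downloadName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the lookup is keyed on the session's user as well as the id, guessing or brute-forcing ids only ever returns the caller's own files.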
Markus
6,050 Expert 4TB
This could be a good article.

Anyone bothered if I write one for bytes?

Or does anyone want to co-write it?
May 18 '08 #14
TheServant
1,168 Expert 1GB
This could be a good article.

Anyone bothered if I write one for bytes?

Or does anyone want to co-write it?
If u got the time to make it, I will make the time to read it!
May 18 '08 #15
