
PHP Server Side Scripting Forum

    
Protecting Files
Pico_Train




 
Msg#: 4347325 posted 6:45 pm on Aug 3, 2011 (gmt 0)

Hi,

I have an access controlled app. Users with access can upload documents. Documents are stored in a folder called folder/number/file.ext

When a user is logged in, I send them to get-file.php?file_id=3431&id=33333

In get-file.php I check they are logged in and have access to the page and if so redirect them to www.example.com/folder/number/file.ext

Now the problem is that if you are not logged in you can see - www.example.com/folder/number/file.ext

How do I get around this pretty serious issue with sensitive info?

Thanks!

 

penders




 
Msg#: 4347325 posted 7:14 pm on Aug 3, 2011 (gmt 0)

...and if so redirect them to www.example.com/folder/number/file.ext


Don't redirect them. readfile() this file and send it straight to the client, with the appropriate headers. The user never knows where the real file is located. Then you can simply password protect (HTTP Authentication) the real directory so that it's not accessible to any users, or have this directory above the webroot.

Pico_Train




 
Msg#: 4347325 posted 7:22 pm on Aug 3, 2011 (gmt 0)

OK cool, thanks a lot, will have a go tomorrow with this. By above the root, you mean above the public_html folder, right?

Thanks!

penders




 
Msg#: 4347325 posted 7:30 pm on Aug 3, 2011 (gmt 0)

Yes, above the public_html folder (i.e. $_SERVER['DOCUMENT_ROOT']). PHP should have no trouble accessing this area, but it's impossible for end users to access this area directly, and so you don't need to set up any additional security.

Pico_Train




 
Msg#: 4347325 posted 7:56 am on Aug 4, 2011 (gmt 0)

Great stuff, worked like a charm after a bit of tweaking.

Thanks so much for your help Penders. I really appreciate it.
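
The approach described in this thread (check access in PHP, then readfile() a file stored above the web root instead of redirecting), as an added example that is not part of any post here. The storage path, the `user_id` session key and the `find_file_for_user()` lookup with its sample data are assumptions.

```php
<?php
// get-file.php (added example). Assumptions: STORAGE_ROOT, the 'user_id'
// session key and find_file_for_user() are hypothetical names.
declare(strict_types=1);
session_start();

const STORAGE_ROOT = '/home/example/private_uploads'; // assumed path above public_html

// Hypothetical access lookup. The array is constructed sample data; a real app
// would query its own tables. Returns null unless $userId may read $fileId.
function find_file_for_user(int $userId, int $fileId): ?array
{
    $sample = [3431 => ['owner' => 33333, 'path' => '33333/report.pdf']];
    $row = $sample[$fileId] ?? null;
    return ($row !== null && $row['owner'] === $userId) ? $row : null;
}

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// Identity comes from the session, never from a request parameter.
if (empty($_SESSION['user_id'])) {
    deny(403);
}
$fileId = filter_input(INPUT_GET, 'file_id', FILTER_VALIDATE_INT);
if (!is_int($fileId)) {
    deny(400);
}
// Same 404 for "no such file" and "not yours", so ids cannot be probed.
$file = find_file_for_user((int) $_SESSION['user_id'], $fileId);
if ($file === null) {
    deny(404);
}
// Resolve symlinks and ".." and confirm the result is still inside STORAGE_ROOT.
$root = realpath(STORAGE_ROOT);
$path = realpath(STORAGE_ROOT . '/' . $file['path']);
if ($root === false || $path === false || !is_file($path)
    || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    deny(404);
}
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path); // streams the file; the client never sees its real location
```

Serving everything as an attachment with `nosniff` keeps an uploaded HTML or script file from rendering in the application's origin.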
