Protecting Files

Forum Moderators: coopster

Message Too Old, No Replies

Protecting Files

Pico_Train

6:45 pm on Aug 3, 2011 (gmt 0)

Hi,

I have an access controlled app. Users with access can upload documents. Documents are stored in a folder called folder/number/file.ext

When a user is logged in, I send them to get-file.php?file_id=3431&id=33333

in get-file.php I check they are logged in and have access to the page and if so redirect them to www.example.com/folder/number/file.ext

Now the problem is that if you are not logged in you can see - www.example.com/folder/number/file.ext

How do I get around this pretty serious issue with sensitive info?

thanks!

penders

7:14 pm on Aug 3, 2011 (gmt 0)

...and if so redirect them to www.example.com/folder/number/file.ext

Don't redirect them. readfile() this file and send it straight to the client, with the appropriate headers. The user never knows where the real file is located. Then you can simply password protect (HTTP Authentication) the real directory so that it's not accessible to any users, or have this directory above the webroot.

Pico_Train

7:22 pm on Aug 3, 2011 (gmt 0)

ok cool, thanks a lot, will have a go tomorrow with this. By above the root, you mean above the public_html folder, right?

Thanks!

penders

7:30 pm on Aug 3, 2011 (gmt 0)

Yes, above the public_html folder (ie. $_SERVER['DOCUMENT_ROOT']). PHP should have no trouble accessing this area, but it's impossible for end users to access this area directly, and so you don't need to setup any additional security.

Pico_Train

7:56 am on Aug 4, 2011 (gmt 0)

Great stuff, worked like a charm after a bit of tweaking.

Thanks so much for your help Penders. I really appreciate it.