
Forum Moderators: coopster & jatar k


Protecting Files

     
6:45 pm on Aug 3, 2011 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 4, 2005
posts:621
votes: 0


Hi,

I have an access controlled app. Users with access can upload documents. Documents are stored in a folder called folder/number/file.ext

When a user is logged in, I send them to get-file.php?file_id=3431&id=33333

In get-file.php, I check they are logged in and have access to the page, and if so, redirect them to www.example.com/folder/number/file.ext

Now the problem is that if you are not logged in you can see - www.example.com/folder/number/file.ext

How do I get around this pretty serious issue with sensitive info?

thanks!
7:14 pm on Aug 3, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


...and if so redirect them to www.example.com/folder/number/file.ext


Don't redirect them. readfile() this file and send it straight to the client, with the appropriate headers. The user never knows where the real file is located. Then you can simply password protect (HTTP Authentication) the real directory so that it's not accessible to any users, or have this directory above the webroot.
7:22 pm on Aug 3, 2011 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 4, 2005
posts:621
votes: 0


OK, cool, thanks a lot, will have a go tomorrow with this. By above the root, you mean above the public_html folder, right?

Thanks!
7:30 pm on Aug 3, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


Yes, above the public_html folder (i.e. $_SERVER['DOCUMENT_ROOT']). PHP should have no trouble accessing this area, but it's impossible for end users to access this area directly, and so you don't need to set up any additional security.
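
[Added example, not part of the thread or any poster's code] A sketch of get-file.php that follows the advice above: check access, then stream the file with readfile() from a directory outside the document root instead of redirecting. The storage path, the session key user_id, and the lookup_file() helper with its sample record are assumptions made for illustration.

```php
<?php
// get-file.php: added illustration, not code posted in the thread.
declare(strict_types=1);
session_start();
// Assumption: uploads are stored beside public_html, outside the document root.
const STORAGE_DIR = '/home/example/private_uploads';

// Hypothetical stand-in for the app's database lookup (constructed data):
// file_id => relative path under STORAGE_DIR and the user ids allowed to read it.
function lookup_file(int $fileId): ?array
{
    $files = [3431 => ['path' => '33333/file.ext', 'allowed' => [7, 12]]];
    return $files[$fileId] ?? null;
}

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// 1. Must be logged in (assumes the login code put an int user_id in the session).
$userId = $_SESSION['user_id'] ?? null;
if (!is_int($userId)) {
    deny(403);
}

// 2. The client supplies only an id, never a path.
$fileId = filter_input(INPUT_GET, 'file_id', FILTER_VALIDATE_INT);
$record = is_int($fileId) ? lookup_file($fileId) : null;
if ($record === null || !in_array($userId, $record['allowed'], true)) {
    deny(404); // same answer for "missing" and "not yours"
}

// 3. Resolve the stored path and confirm it is still inside STORAGE_DIR.
$base = realpath(STORAGE_DIR);
$path = realpath(STORAGE_DIR . '/' . $record['path']);
$inside = $base !== false && $path !== false
    && strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
if (!$inside || !is_file($path)) {
    deny(404);
}

// 4. Stream the bytes; the real location never reaches the browser.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . addcslashes(basename($path), '"\\') . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the response is generated per request after the access check, there is no direct URL to the stored file for a logged-out visitor to request.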
7:56 am on Aug 4, 2011 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 4, 2005
posts:621
votes: 0


Great stuff, worked like a charm after a bit of tweaking.

Thanks so much for your help Penders. I really appreciate it.
 
