how to secure documents in server

Re: how to secure documents in server

On Jul 18, 11:05 am, RAZZ <rajat82.gu...@ gmail.comwrote:Depending on webserver your should look at .htacceess for Apache or
httpd.ini for IIS...

Re: how to secure documents in server

On Jul 18, 3:08 pm, GArlington <garling...@tis cali.co.ukwrote :well we are using yahoo server and it doesn't allow .htaccess to
upload or manipulate by developers
so is there any other way? i just want that doc or xls files should
not be able to open directly unless person has properly login.

Re: how to secure documents in server

On 18 Jul, 11:14, RAJ <rajat82.gu...@ gmail.comwrote:You're not going to be able to do much on yahoo server I'm afraid. The
most common way to do this is to store the files outside of the web
root and use a php script to deliver the file.

I suggest you change hosts. There are much better value ones out there.

Re: how to secure documents in server

thank you for response can you suggest me bit in details regarding
"storing files outside of the web root and use a php script to deliver
the file"?

Re: how to secure documents in server

On 18 Jul, 11:36, RAZZ <rajat82.gu...@ gmail.comwrote:Actually another way to do it is to store the files in a BLOB field in
a database and delivering them from there. Here is a tutorial for that
and you could adapt it for the file system version:

Re: how to secure documents in server

On Jul 18, 3:50 pm, Captain Paralytic <paul_laut...@y ahoo.comwrote:That was really very good option but i have documents or doc files
which contains images and tables while downloading text are fine but
images and tables are coming in some encrypted format?

Re: how to secure documents in server

On 18 Jul, 12:31, RAZZ <rajat82.gu...@ gmail.comwrote:I don't understand??? What difference does it make what the document
contains? A binary file is a binary file is a binary file! It can
contain anything whatsoever???

Re: how to secure documents in server

RAZZ wrote:Pur ALL thes documents as large BLOB objects in a database: thats one
easy place to store them and one access methodd needed to restrict
access to what you want.

Re: how to secure documents in server

RAZZ wrote:
As ling as they are encapuslated IN the file, that doesn't matter. a
data base will store any file.

Re: how to secure documents in server

Captain Paralytic wrote:
I'm surprised this document doesn't mention how disastrous it can be
for the performance of a database. Only use for tiny binary data and a
limited amount of records, I'ld say... I would even vote to dismiss
LONGBLOB; it often creates more problems than it solves.

--
Bart

Re: how to secure documents in server

I do not know the details of your provider or host but if you can
store your documents outside of your documentroot, no one can access
your files directly. You can use php to store them and retrieve them.
I store the filename and mimetype in database (and some other
information), files are stored in a directory outside documentroot
where apache has read/write access (because users are allowed to
upload documents) (in my case the documents are even stored on another
server with NFS share). Once you obtained the filename and mimetype
from database and path from config file:

header("Cache-Control: max-age=60");
header('Content-type: ' . $filemime);
header("Content-Disposition: attachment; filename=\"" . $filename .
"\"");
readfile($filep ath . $filename);

It not only downloads the file but also asks if you want to open it
with the associated program (MS Word or OO Writer for *.doc, ...)

Pugi!

On 18 jul, 12:05, RAZZ <rajat82.gu...@ gmail.comwrote:

Re: how to secure documents in server

RAZZ wrote:There been those who already mentioned to store the files outside the web
servers "document root", this is the most secure method (of course depending
on the security of the script/application that supplies the file, in worst
case this can endanger the security of the whole server).

..htaccess and similar web server restrictions has the draw back that not
everyone offers this and it can be easy to do it the wrong way when
unexperienced with web server configuration.

The idea of storing binary files in a database is quite good, but it will
affect the sql server in a negative way, specially the larger the binary files
are.

A fourth method is to encrypt the files and store them in the "document root",
and the special download script decodes the file when downloaded by someone
with access to get the decrypted file. (this can be combined with all the
other methods too), this way someone accessing the file directly can't use it.

A lot simpler way is to rename the files to something quite random (md5 hash
the name, don't forget to salt it), store the hashed filename in a database
table where you have the original filename too. The download script in this
case will take an argument of the original filename, look in the database for
the hashed name, provides the file to the user (with header you send it as the
original name), this way you can't get the file with direct download unless
you know the hashed file name. If you combine this one with the previous
method, you should have a quite good false security on the files.



--

//Aho

Re: how to secure documents in server

J.O. Aho wrote:Ok, why should it take longer to pull a large file out of one locatin in
a database than one location in a filesssytem?

IME the things that slow databases down are not getting data out of
them, its performing complex relational queries.

Re: how to secure documents in server

Bart Van der Donck wrote:It doesn't because it isn't
I usually chunk the files into BLOBs