restrict access to directory

  • Chris Harris

    restrict access to directory

    I think I have more or less got to grips with basic session management,
    but I have a problem protecting a whole directory.

    I am making a website with a members area. I have used some basic
    session management to create a login page and then use the session to
    control access to other pages.

    I need to have a directory within the members area where the
    organisation will upload files such as minutes of meetings, agendas,
    etc. I want to be able to list the files in this directory on a
    members only page, which I can do with opendir(), readdir() etc. and some
    formatting to put links around the filenames.

    My question is: how do I protect the files in that directory from being
    accessed by somebody who knows the full path and file name?

    Thanks
    Chris

    The site in question is http://www.rba.org.fk

  • Sugapablo

    #2
    Re: restrict access to directory

    In article <btq5n5$99hcj$1@ID-134007.news.uni-berlin.de>, Chris Harris wrote:
    >
    > My question is. How do I protect the files in that directory from being
    > accessed by somebody who knows the full path and file name?

    If you're using a linux/unix server, google .htaccess.

    --
    [ Sugapablo ]
    [ http://www.sugapablo.com <--music ]
    [ http://www.sugapablo.net <--personal ]
    [ sugapablo@12jabber.com <--jabber IM ]


    • CountScubula

      #3
      Re: restrict access to directory

      "Chris Harris" <chris.harris@cwfi.co.fk> wrote in message
      news:btq5n5$99hcj$1@ID-134007.news.uni-berlin.de...
      > I think I have more or less got to grips with basic session management,
      > but I have a problem protecting a whole directory.
      >
      > I am making a website with a members area. I have used some basic
      > session management to create a login page and then use the session to
      > control access to other pages.
      >
      > I need to have a directory within the members area where the
      > organisation will upload files such as minutes of meetings, agendas,
      > etc. etc.. I want to be able to list the files in this directory on a
      > members only page, which I can do with opendir() readdir() etc. and some
      > formating to put links around the filenames.
      >
      > My question is. How do I protect the files in that directory from being
      > accessed by somebody who knows the full path and file name?
      >
      > Thanks
      > Chris
      >
      > The site in question is http://www.rba.org.fk
      >

      That depends on what you mean by "knows the full path".

      Your scripts should not allow path modifiers in any POST/GET, i.e.
      "../someother/dir".

      Now if you're talking about a shared hosting server, and someone else coming
      along and writing a script that gets your files, well, get your own server,
      or encrypt the data.

      --
      Mike Bradley
      http://www.gzentools.com -- free online php tools



      • Chung Leong

        #4
        Re: restrict access to directory

        Save the file in a folder that's not accessible through Apache, then use a
        PHP script for file downloading:

        <a href="download.php?file=whatsup.doc"> ... </a>

        download.php:

        // The folder path and session key below are assumptions, not from the thread.
        session_start();
        if (empty($_SESSION['user'])) {                 // login check; key set by the login page
            header('HTTP/1.0 403 Forbidden');
            exit;
        }
        $download_folder = '/useraccount/download_files'; // outside the document root
        $file = basename($_GET['file'] ?? '');            // strips any "../" directory part
        $filepath = "$download_folder/$file";
        if ($file === '' || !is_file($filepath)) {
            header('HTTP/1.0 404 Not Found');
            exit;
        }
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $file . '"');
        session_write_close();                            // release the session lock before a long read
        readfile($filepath);

        Saving user-uploaded files in an Apache-accessible folder is rather
        dangerous. If you forget to disable scripting on that folder, you could end
        up allowing execution of arbitrary code on your server.

        User "Chris Harris" <chris.harris@cwfi.co.fk> wrote in message
        news:btq5n5$99hcj$1@ID-134007.news.uni-berlin.de...
        > I think I have more or less got to grips with basic session management,
        > but I have a problem protecting a whole directory.
        >
        > I am making a website with a members area. I have used some basic
        > session management to create a login page and then use the session to
        > control access to other pages.
        >
        > I need to have a directory within the members area where the
        > organisation will upload files such as minutes of meetings, agendas,
        > etc. etc.. I want to be able to list the files in this directory on a
        > members only page, which I can do with opendir() readdir() etc. and some
        > formating to put links around the filenames.
        >
        > My question is. How do I protect the files in that directory from being
        > accessed by somebody who knows the full path and file name?
        >
        > Thanks
        > Chris
        >
        > The site in question is http://www.rba.org.fk
        >



        • Chris Harris

          #5
          Re: restrict access to directory

          Chung Leong wrote:
          > Save the file in a folder that's not accessible through Apache, then use a
          > PHP script for file downloading:
          >
          > <a href="download.php?file=whatsup.doc"> ... </a>
          >
          > download.php:
          >
          > $file = basename($file);
          > $filepath = "$download_folder/$file";
          >
          > ... check to see if user is logged in ...
          >
          > header("Content-type: application/x-octet-stream");
          > header("Content-Disposition: attachment; filename=$file");
          > session_write_close();
          > readfile($filepath);
          >
          > Saving user uploaded file in an Apache-accessible folder is rather
          > dangerous. If you forget to disable scripting on that folder, you could end
          > up allowing execution of arbitrary code on your server.
          Thanks, that seems to make sense; I'll go off and play. The server is not
          Apache; Zeus, I think, off the top of my head.

          Chris


          • Chris Harris

            #6
            Re: restrict access to directory

            Sugapablo wrote:
            > In article <btq5n5$99hcj$1@ID-134007.news.uni-berlin.de>, Chris Harris wrote:
            >
            >>My question is. How do I protect the files in that directory from being
            >>accessed by somebody who knows the full path and file name?
            >
            >
            > If you're using a linux/unix server, google .htaccess.
            >
            Looked at that, but I can't get to grips with it. I want to use the PHP
            session management, and not the HTTP authentication activated by .htaccess.

            It seems to me that I have to use one or the other; is that right?


            • Chris Harris

              #7
              Re: restrict access to directory

              > That depends on what you mean by "knows the full path"

              What I meant was that for example a file is located at

              www.yoururl.com/membersonly/docs/somedoc.

              Members only can't be listed (.htaccess), neither can docs, but if
              somebody knows the full path and name they can enter that url in their
              browser and go straight to it.

              I know I'm missing something fundamental here, but don't know enough
              about the subject to identify the fundamental ;-)

              Chris


              • CountScubula

                #8
                Re: restrict access to directory

                As was mentioned here, save the files somewhere else.

                ex:

                /useraccount/www
                /useraccount/logs
                /useraccount/download_files

                Your script can get to it by "../download_files/filename" but URLs
                (http://www.......) can not.

                --
                Mike Bradley
                http://www.gzentools.com -- free online php tools
                "Chris Harris" <chris.harris@cwfi.co.fk> wrote in message
                news:btriqn$ajh8d$1@ID-134007.news.uni-berlin.de...
                >
                > > That depends on what you mean by "knows the full path"
                >
                > What I meant was that for example a file is located at
                >
                > www.yoururl.com/membersonly/docs/somedoc.
                >
                > Members only can't be listed (.htaccess), neither can docs, but if
                > somebody knows the full path and name they can enter that url in their
                > browser and go straight to it.
                >
                > I know I'm missing something fundamental here, but don't know enough
                > about the subject to identify the fundamental ;-)
                >
                > Chris
                >

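The download script from post #4 and the directory layout from post #8, carried through as one complete added example (this is not code from the thread or from Chris's site). It assumes the login page stores the member's id in $_SESSION['member_id'], that the document root is /useraccount/www so that $_SERVER['DOCUMENT_ROOT'] . '/../download_files' resolves to /useraccount/download_files, that the login page lives at /members/login.php, and that this file is saved as download.php inside the members area. It goes a little beyond post #4: the listing from post #1 and the download live in one script, the requested name is confined to the upload directory with realpath() (which also covers the "../" path modifiers mentioned in post #3), and the response headers stop an uploaded HTML file from being rendered as a page on the site's origin.

```php
<?php
// Added example; not code from the thread. Assumptions: the login page stores the
// member's id in $_SESSION['member_id'], the document root is /useraccount/www so
// that $_SERVER['DOCUMENT_ROOT'] . '/../download_files' is /useraccount/download_files
// (the layout from post #8), and this file is download.php inside the members area.
declare(strict_types=1);

session_start();
if (empty($_SESSION['member_id'])) {
    header('Location: /members/login.php');   // assumed location of the login page
    exit;
}

// The upload directory sits beside the document root, so no URL maps onto it.
$downloadDir = realpath($_SERVER['DOCUMENT_ROOT'] . '/../download_files');
if ($downloadDir === false) {
    http_response_code(500);
    exit('download directory is missing');
}

// Names of the regular files in $dir, for the members page listing (post #1).
function listDownloads(string $dir): array
{
    $names = [];
    foreach (scandir($dir) as $entry) {
        if ($entry[0] !== '.' && is_file($dir . DIRECTORY_SEPARATOR . $entry)) {
            $names[] = $entry;
        }
    }
    return $names;
}

// Absolute path of the requested file if it is a regular file inside $dir, else null.
function resolveDownload(string $dir, string $requested): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $name = basename($requested);        // "../../etc/passwd" becomes "passwd"
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so check the result is still under $dir.
    $prefix = $dir . DIRECTORY_SEPARATOR;
    if ($path === false || !is_file($path) || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['file'] ?? null;
if ($requested === null) {
    // No file asked for: render the listing, linking back to this script.
    header('Content-Type: text/html; charset=utf-8');
    echo "<ul>\n";
    foreach (listDownloads($downloadDir) as $name) {
        printf("<li><a href=\"download.php?file=%s\">%s</a></li>\n",
            rawurlencode($name),
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    echo "</ul>\n";
    exit;
}

$path = is_string($requested) ? resolveDownload($downloadDir, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('no such file');
}

// Stream the file. A generic type plus nosniff stops the browser rendering an
// uploaded .html (or .svg) as a page on this origin, and the filename is quoted
// with quotes and line breaks removed so it cannot smuggle extra headers.
session_write_close();                   // release the session lock during the read
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="'
    . str_replace(['"', "\r", "\n"], '', basename($path)) . '"');
readfile($path);
```

The prefix check after realpath() is the part post #4's basename() alone does not give you: basename() removes directory components from the request, but if someone can drop a symlink into the upload directory, realpath() will happily follow it out again, and only the comparison against $prefix catches that.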

                • Chris Harris

                  #9
                  Re: restrict access to directory

                  CountScubula wrote:
                  > As was mentioned here, save the files somewhere else.
                  >
                  > ex:
                  >
                  > /useraccount/www
                  > /useraccount/logs
                  > /useraccount/download_files
                  >
                  > Your script can get to it by "../download_files/filename" but URLs:
                  > http://www....... can not.

                  OK, got you now with that bit. And I found something in .htaccess that
                  helps: the "access from" tag thingy means that I can set it to allow
                  access only from the members directory of my domain.

                  I'll do as you suggest and move the dir though.

                  thanks

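For the .htaccess route raised in #2 and #6, an added example (not from the thread) of the file that answers the "one or the other?" question for the /membersonly/docs/ layout of post #7. Apache's access directives (Allow/Deny in 2.2, Require in 2.4) decide by the requesting client's address, not by which page the link sat on, and a blanket deny asks for no credentials, so it does not replace the PHP session login; it only refuses direct URLs, while download.php keeps reading the files from disk. It assumes Apache with AllowOverride permitted for this directory; it does nothing on other servers (Chris mentions in #5 that his may be Zeus), which is why moving the directory outside the document root is the answer that works everywhere.

```apacheconf
# Added example, not from the thread. Assumes Apache 2.2 or 2.4 with
# AllowOverride permitted for this path; saved as /membersonly/docs/.htaccess
# (the layout from post #7).

# Weak on its own: this only hides the directory listing. Anyone who knows
# /membersonly/docs/somedoc can still fetch it directly.
Options -Indexes

# Corrected: refuse every HTTP request for anything under this directory.
# No credentials are asked for, so it does not conflict with PHP sessions;
# download.php still reads the files through the filesystem.
<IfModule !mod_authz_core.c>
    # Apache 2.2 (mod_authz_host)
    Order deny,allow
    Deny from all
</IfModule>
<IfModule mod_authz_core.c>
    # Apache 2.4 (mod_authz_core)
    Require all denied
</IfModule>
```

After saving it, request one of the files by its full URL while logged in: a 403 means the deny is in force and the members page links must go through download.php, while a 200 means AllowOverride is off for that path (or the server is not Apache) and the file is only protected by being moved out of the document root.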