Security of user uploaded files

**Markus** · May 16 '08, 10:12 AM

Hm, interesting problem.

If the filename is guessable, people will be able to access it.

What you could do is keep changing the file name when downloaded.

Just a though,

*subscribing*

**ronverdonk** · May 16 '08, 11:14 AM

Another option is to do it as (some) publishers like SitePoint do it. You are here not able to download a file directly, even when you know the filename.

When you want to download you indicate that file after logging in. The site will then send you an e-mail with a link with the hashed bookname in it. Clicking that link only will download the file to you.

Ronald

**Atli** · May 16 '08, 12:30 PM

Hi.

You could also consider putting the file outside the web root, and have PHP output it only to users that have logged in.

Or just put the file into the Database and read it from there.

**TheServant** · May 16 '08, 12:54 PM

Originally posted by Atli

Hi.

You could also consider putting the file outside the web root, and have PHP output it only to users that have logged in.

Or just put the file into the Database and read it from there.

Yeah, I think if you want security, you will need a login system. Connected (but not requiring a login system) would be to use a database to record file name and a password to that file. So when a user requests a file, it will search the database and ask for the registered password (and registered name?) before it lets them download it.

**Jeigh** · May 16 '08, 01:43 PM

Yeah the site will have a registration / log in system, and the link will only be displayed to the logged in user however my problem is that, even though they are the only ones given the link, since the file is uploaded and in the FTP everyone has access to it if they can just guess the link.

So if they know the files are stored in /files, they could just randomly type like /files/oehno0wrhnqr32r jhw3.xls and get lucky, or even get some sort of brute force script to do it.

I thought I could add some sort of verification code that is stored in the database also so the link would be somthing like:

redirect.php?fi le=eweknr0932n0 rs.xls&v=929302 089

But obviously, I'm still faced with the same problem, it's just harder to guess.

Thanks for the responses.

**ronverdonk** · May 16 '08, 11:33 PM

Originally posted by Jeigh

....and in the FTP everyone has access to it if they can just guess the link....

You cannot be serious that your users have access to your server via FTP? If so, why on earth did you do that? And why not a simple download link to be clicked?

Ronald

**Jeigh** · May 17 '08, 01:21 AM

I may be missing somthing simple here, my users dont have access to the FTP but what I mean is if I upload a file say in files/xxxxx.jpg if I want one user to have access to it then all of them will be able to download it by just typing in mysite.com/files/xxxxx.jpg, however I only want the one user who uploaded it (which will be through a form on my site) to download it.

**Atli** · May 17 '08, 09:18 AM

Like I said before, the easiest solution would probably be to put the files outside the web root so that it can not be downloaded directly.
Either that or put it inside your database.

You could also set it's permission so that only it's owner (PHP, I would assume) has access to it. But that can be a little tricky. Check out the chmod function.

**Jeigh** · May 17 '08, 09:35 AM

Originally posted by Atli

Like I said before, the easiest solution would probably be to put the files outside the web root so that it can not be downloaded directly.
Either that or put it inside your database.

Thanks for the response but I'm not entirely sure what you mean, would you be able to elaborate on that at all?

**dlite922** · May 17 '08, 10:07 AM

Originally posted by Jeigh

Hello,

I'm going to start making a script that will allow users to upload a file, then re download it later. I'll basically be doing the following:

- The uploaded file will be given a string of random numbers / letters as the filename and uploaded to a folder.

- That random file name will be stored in the database along with the users username

- When the user logs in they will see a list of their files that they can download and they will link to the appropriate file on the site.

The only problem with this is that anyone will be able to access the file if they get the link. It is unlikely that they'd guess the file name but still there is a posibility so my question is:

Is there a way to make this system more secure, only allowing that same user to download the file again?

The files uploaded wont contain sensitive information however I certainly dont want it falling into the hands of certain people.

Atli has you going the right direction. The way most sites do this is by not prividing a direct link to a file but more of a "getter" file.

observer getFile.php?id= 388787533434

Here, getFile.php could look at the session and grab the user (or should know it already, then look up that id in the database and make sure the username matches. If so, then have php grab the file, ie what Atli suggested, that url to the file grabbed from the DB is not in a "public" directory accessable through the browser.

mysiteFiles/
mysiteFiles/uploadedFiles/
mysiteFiles/webroot/
mysiteFiles/webroot/index.php
mysiteFiles/webroot/getFile.php

In this example. webroot is public folder where your site is located. The directory where the uploaded files will be is outside this folder.

Good luck,

Dan

**Jeigh** · May 17 '08, 10:17 AM

Ah yes I see, so the /uploadedfiles folder I have to chmod so users can't access it, but by using the PHP script it will still allow them to download it?

Thanks for all the help I appreciate it.

**Atli** · May 18 '08, 01:50 AM

Originally posted by Jeigh

Ah yes I see, so the /uploadedfiles folder I have to chmod so users can't access it, but by using the PHP script it will still allow them to download it?

Thanks for all the help I appreciate it.

No there is no chmod needed in this scenario.

Say that the web root of www.example.com is /files/webroot/.
If you ask for www.example.com/dir/myfile.ext the HTTP server will try to serve the file at /files/webroot/dir/myfile.ext.

If you store your files in a folder outside the web root, for example /files/fileUploads/ no URL will make the HTTP server serve files from that directory. It is simply out of reach.

You can, however, have your PHP scripts read files from anywhere on the server, given that PHP has permission to read it.

So, if you have your PHP validate that a user is in fact logged in and should be able to download the file, you can have PHP *pretend* to be the file by echoing headers and outputting the contents of the file.

For example, if you have an image at /files/fileUploads/myImage.jpg and you have a PHP page inside the web-root at /files/webroot/downloadImage.p hp, containing the code:
[code=php]
$imagePath = "/files/fileUploads/myImage.jpg";
$imageMime = "image/jpeg";
$imageSize = file_size($imag ePath);

header("Content-Type: " . $imageMime);
header("Content-Length: " . $imageSize);

readfile($image Path);
[/code]
If you now ask for www.example.com/downloadImage.php, your browser will accept this .php file as an JPEG image, and display it as the original image.

**Markus** · May 18 '08, 10:04 AM

This could be a good article.

Anyone bothered if i write one for bytes?

Or does anyone want to co-write it?

**TheServant** · May 18 '08, 11:27 AM

Originally posted by markusn00b

This could be a good article.

Anyone bothered if i write one for bytes?

Or does anyone want to co-write it?

If u got the time to make it, I will make the time to read it!

Security of user uploaded files

Security of user uploaded files

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment