From: Michael Stroh on 19 Feb 2010 13:19 I have a site I'm working on with some data that I want to be readable by anyone, but some files that I want to keep hidden from outside users. Here is an example of my file structure. /products/data1/item_1/data.txt /products/data2/item_2/data.txt I would like everything in data1 to be available by anyone who visits the site, but I want to keep items in the data2 folder to only be accessible through certain web page which I hope to eventually require logins. Some of these items I'd like to not only display but also allow people to download. My main concern is that I don't want people to be able to guess the names of the files and then be able to access the information on them. Every 'item' has an entry in a MySQL database which holds some information. I was thinking I could have randomly generated folder names to take the place of the things like 'item_2' such as /products/data2/kl23j42i/data.txt and then link the folder name through a database entry. But I'm not sure if there are more elegant or easier ways to deal with this. Plus someone could still just try randomly querying the site until they get a match. I'd first like to just create a web page where you can go to access the hidden files but would later like to add more control for other users using logins and passwords. Most of my files are just text files and images. Any suggestions? Thanks in advance! Michael
From: Bastien Koert on 19 Feb 2010 13:24 On Fri, Feb 19, 2010 at 1:19 PM, Michael Stroh <stroh(a)astroh.org> wrote: > I have a site I'm working on with some data that I want to be readable by anyone, but some files that I want to keep hidden from outside users. Here is an example of my file structure. > > /products/data1/item_1/data.txt > /products/data2/item_2/data.txt > > I would like everything in data1 to be available by anyone who visits the site, but I want to keep items in the data2 folder to only be accessible through certain web page which I hope to eventually require logins. Some of these items I'd like to not only display but also allow people to download. > > My main concern is that I don't want people to be able to guess the names of the files and then be able to access the information on them. Every 'item' has an entry in a MySQL database which holds some information. I was thinking I could have randomly generated folder names to take the place of the things like 'item_2' such as > > /products/data2/kl23j42i/data.txt > > and then link the folder name through a database entry. But I'm not sure if there are more elegant or easier ways to deal with this. Plus someone could still just try randomly querying the site until they get a match. I'd first like to just create a web page where you can go to access the hidden files but would later like to add more control for other users using logins and passwords. > > Most of my files are just text files and images. Any suggestions? > > Thanks in advance! > > Michael > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > Place all those files above the web root, the use php to read in the data from the files when display that data to the user. -- Bastien Cat, the other other white meat
From: Rene Veerman on 19 Feb 2010 14:29 the "proper way" i know of is not the easiest to implement..; 1) create a php script that accepts enough parameters to get at your data. eg: /products/view.php?dataNr=1&itemNr=1 2) let that script compare the current user (visitor who's logged in) to authentication data that tells which it if the user can access the data requested. if it fails, you can route the user to a std page or to a custom page (store in auth-data under "onFail") 3) use apache's RewriteRule in /products/.htaccess to point virtual urls to the view script; /products/data1/item_1/data.txt = /products/view.php?dataNr=1&itemNr=1&file=data.txt (or something like that). the main problem here is how to properly store authentication data. how far to go depends on your (future) requirements. for my cms i went all the way and copied the unix filesystem permission architecture (incl the concept of users in groups) to work from mysql on an object-cloud (mapped to any "path(s)" elsewhere). but you can just as easilly just map userIDs to array records containing the keys that view.php works on. sorta like: global $permissions; $permissions = array ( 100 => array( array ( dataNr => 1, itemNr => 1, fileID => 'data.txt', mayRead => true, mayWrite => false ), (...other objects user 100 has permissions for...) userID => permissionsList ); you could use username instead of userid even, but i recommend against that if you're going to store user-definition records in a db, of course. On Fri, Feb 19, 2010 at 7:19 PM, Michael Stroh <stroh(a)astroh.org> wrote: > I have a site I'm working on with some data that I want to be readable by anyone, but some files that I want to keep hidden from outside users. Here is an example of my file structure. > > /products/data1/item_1/data.txt > /products/data2/item_2/data.txt > > I would like everything in data1 to be available by anyone who visits the site, but I want to keep items in the data2 folder to only be accessible through certain web page which I hope to eventually require logins. Some of these items I'd like to not only display but also allow people to download. > > My main concern is that I don't want people to be able to guess the names of the files and then be able to access the information on them. Every 'item' has an entry in a MySQL database which holds some information. I was thinking I could have randomly generated folder names to take the place of the things like 'item_2' such as > > /products/data2/kl23j42i/data.txt > > and then link the folder name through a database entry. But I'm not sure if there are more elegant or easier ways to deal with this. Plus someone could still just try randomly querying the site until they get a match. I'd first like to just create a web page where you can go to access the hidden files but would later like to add more control for other users using logins and passwords. > > Most of my files are just text files and images. Any suggestions? > > Thanks in advance! > > Michael > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > >
From: Rene Veerman on 19 Feb 2010 14:35 As far as storing the files, use a seperate subdirectory called "rawData" or something, and place all your files in there, aim for 10 - 5000 files per directory, and keep it logical. But since you want to stop guessers from accessing it, use a randomID() function that you create to generate a random subdirectory under "rawData". You could also use just the YYYY-MM-DD HH-MM-SS of the submit/upload-date for the file or the last-modification date of the file. Then create something that maps IDs (dataNr, itemNr, fileID) to the relative path under "rawData". Then let view.php readfile() and output the requested file, instead of sending any link to your "rawData"-subdirectory-location to the browser. It should be airtight then.
From: Rene Veerman on 19 Feb 2010 14:38 1 more thing: doing this right isn't easy. at all. it took me more than a year to "do it properly". you may wanna look around on sf.net for any package that can do this for you. On Fri, Feb 19, 2010 at 7:19 PM, Michael Stroh <stroh(a)astroh.org> wrote: > I have a site I'm working on with some data that I want to be readable by anyone, but some files that I want to keep hidden from outside users. Here is an example of my file structure. > > /products/data1/item_1/data.txt > /products/data2/item_2/data.txt > > I would like everything in data1 to be available by anyone who visits the site, but I want to keep items in the data2 folder to only be accessible through certain web page which I hope to eventually require logins. Some of these items I'd like to not only display but also allow people to download. > > My main concern is that I don't want people to be able to guess the names of the files and then be able to access the information on them. Every 'item' has an entry in a MySQL database which holds some information. I was thinking I could have randomly generated folder names to take the place of the things like 'item_2' such as > > /products/data2/kl23j42i/data.txt > > and then link the folder name through a database entry. But I'm not sure if there are more elegant or easier ways to deal with this. Plus someone could still just try randomly querying the site until they get a match. I'd first like to just create a web page where you can go to access the hidden files but would later like to add more control for other users using logins and passwords. > > Most of my files are just text files and images. Any suggestions? > > Thanks in advance! > > Michael > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > >
|
Next
|
Last
Pages: 1 2 3 Prev: Using base64 encode and decode to store user data in database Next: Max file size in fopen() |