restricted file access

27/08/2008, 16h13   #1
Angelo Zanetti
restricted file access

Hi all,

We have a site and we have created an admin section where the admin can
upload documents.

We have made a user login section where they can view a list of the
documents (from the DB) and download the file.

We want to make the site however not allow ppl to type in the path of the
document and retrieve the file. How is this accomplished?

Are the documents stored in a hidden / non-web accessible directory?

Or is this restricted with APACHE?

Please advise

Thanks in advance.



Web: http://www.elemental.co.za



27/08/2008, 17h28   #2
tedd
Re: [PHP] restricted file access

At 4:13 PM +0200 8/27/08, Angelo Zanetti wrote:
>Hi all,
>
>We have a site and we have created an admin section where the admin can
>upload documents.
>
>We have made a user login section where they can view a list of the
>documents (from the DB) and download the file.
>
>We want to make the site however not allow ppl to type in the path of the
>document and retrieve the file. How is this accomplished?
>
>Are the documents stored in a hidden / non-web accessible directory?
>
>Or is this restricted with APACHE?
>
>Please advise



Well...none of the above.

I would have a php script deliver the files and not allow the user to
see the path.

Here's an example:

http://php1.net/b/file-browser/index.php

It would be a simple matter not to show the path but rather just show
what's available to the user and then let the php script deliver the
product to the user via a common url, like the demo does.

In other words, the most that any user can get is the path to one
spot where your script deposits the file for download.

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
27/08/2008, 17h39   #3
Tiago Palhota
Re: [PHP] restricted file access

Hello,

I saw that the end file always has the name test.zip (
http://php1.net/b/file-browser/index.php )

Are you zipping the file before outputting to the user?

In that case, you are accomplishing the desired goal of hiding the path,
because the file changed but the path is always the same.

Am I right?




--

Best regards,

Tiago Palhota

28/08/2008, 10h50   #4
Angelo Zanetti
RE: [PHP] restricted file access

Thanks for your reply.

But what happens if the file is situated here:

www.site.com/include/documents/file.doc


and someone knows that path file somehow or they get a program to crawl the
site. Then they would be able to get that file. How do we prevent that?

Thanks in advance.






28/08/2008, 11h04   #5
Sándor Tamás
Re: [PHP] restricted file access

Through PHP you can access the filesystem, so the folder containing your
documents doesn't even have to be on the website.
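I would do it this way:
<A HREF="getfile.php?filename=something.doc">Click here</A>

And in the PHP file:

// basename() drops any directory part, so "../" in the parameter cannot reach outside DOCFOLDER
file_get_contents(DOCFOLDER . basename($_GET['filename']))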

or something like this.

SanTa



28/08/2008, 21h18   #6
tedd
RE: [PHP] restricted file access

At 10:50 AM +0200 8/28/08, Angelo Zanetti wrote:
>Thanks for your reply.
>
>But what happens if the file is situated here:
>
>www.site.com/include/documents/file.doc
>
>
>and someone knows that path file somehow or they get a program to crawl the
>site. Then they would be able to get that file. How do we prevent that?


You don't!

But file.doc doesn't have to be anything either.

Try this:

http://sperling.com/file.doc -- you won't find anything there.

However, if I wanted something to be there for someone, I could put it there.

Understand?

Cheers,

tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
29/08/2008, 16h01   #7
Angelo Zanetti
[SOLVED]RE: [PHP] restricted file access




Hi guys

I put the documents outside the webroot. And just redirect to it using the
Headers and then the readfile() function.

Thanks
Angelo
http://www.elemental.co.za
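
The arrangement the thread settles on (documents outside the web root, delivered by a PHP script with headers and readfile()), as an added example that is not code from any poster. It goes one step further than the thread by passing a numeric document id in the link instead of a file name; the DOCFOLDER path, the `user_id` session key, the SQLite DSN and the `documents` table with its columns are assumptions.

```php
<?php
// getfile.php - added example; constant, session key and table/column names are assumptions.
declare(strict_types=1);
session_start();

// Storage directory outside the web root, so no URL maps to it directly.
const DOCFOLDER = '/var/www/private/documents';

// Only logged-in users may download (assumes the login page sets $_SESSION['user_id']).
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// The link carries a numeric document id, never a file name or path.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

// Look the stored file name up in the DB list the site already keeps.
$pdo = new PDO('sqlite:' . DOCFOLDER . '/../documents.sqlite'); // placeholder DSN
$stmt = $pdo->prepare('SELECT stored_name, display_name FROM documents WHERE id = ?');
$stmt->execute([$id]);
$doc = $stmt->fetch(PDO::FETCH_ASSOC);

// Resolve symlinks and "..", then confirm the result is still inside DOCFOLDER.
$base = realpath(DOCFOLDER);
$path = $doc ? realpath($base . DIRECTORY_SEPARATOR . $doc['stored_name']) : false;
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Keep CR/LF and quotes out of the header value.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', $doc['display_name']);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A request for the old direct URL then returns nothing, because the directory has no mapping under the document root; the only route to a file is this script and its login check.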
