[PHP] [SOLVED]RE: [PHP] restricted file access
-Original Message-
From: tedd [mailto:[EMAIL PROTECTED]
Sent: 28 August 2008 21:19
To: php-general@lists.php.net
Subject: RE: [PHP] restricted file access

At 10:50 AM +0200 8/28/08, Angelo Zanetti wrote:
> Thanks for your reply. But what happens if the file is situated here:
> www.site.com/include/documents/file.doc
> and someone knows that path file somehow or they get a program to crawl the site. Then they would be able to get that file. How do we prevent that?

You don't!

But file.doc doesn't have to be anything either. Try this:

http://sperling.com/file.doc

-- you won't find anything there. However, if I wanted something to be there for someone, I could put it there. Understand?

//

Hi guys

I put the documents outside the webroot. And just redirect to it using the Headers and then the readfile() function.

Thanks
Angelo
http://www.elemental.co.za

Cheers,
tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] restricted file access
Thanks for your reply. But what happens if the file is situated here:
www.site.com/include/documents/file.doc
and someone knows that path file somehow or they get a program to crawl the site. Then they would be able to get that file. How do we prevent that?

Thanks in advance.

-Original Message-
From: tedd [mailto:[EMAIL PROTECTED]
Sent: 27 August 2008 17:29
To: php-general@lists.php.net
Subject: Re: [PHP] restricted file access

At 4:13 PM +0200 8/27/08, Angelo Zanetti wrote:
> Hi all,
>
> We have a site and we have created an admin section where the admin can upload documents. We have made a user login section where they can view a list of the documents (from the DB) and download the file. We want to make the site however not allow ppl to type in the path of the document and retrieve the file.
>
> How is this accomplished? Are the documents stored in a hidden / non-web accessible directory? Or is this restricted with APACHE?
>
> Please advise

Well...none of the above.

I would have a php script deliver the files and not allow the user to see the path.

Here's an example:

http://php1.net/b/file-browser/index.php

It would be a simple matter not to show the path but rather just show what's available to the user and then let the php script deliver the product to the user via a common url, like the demo does.

In other words, the most that any user can get is the path to one spot where your script deposits the file for download.

Cheers,
tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] restricted file access
Through PHP you can access the filesystem, so the folder containing your documents doesn't even have to be on the website.

I would do this way:

<A HREF="getfile.php?filename=something.doc">Click here</A>

And in the PHP file:

// basename() strips any directory part from the requested name
file_get_contents(DOCFOLDER . basename($_GET['filename']))

or something like this.

SanTa

- Original Message -
From: Angelo Zanetti [EMAIL PROTECTED]
To: 'tedd' [EMAIL PROTECTED]; php-general@lists.php.net
Sent: Thursday, August 28, 2008 10:50 AM
Subject: RE: [PHP] restricted file access

Thanks for your reply. But what happens if the file is situated here:
www.site.com/include/documents/file.doc
and someone knows that path file somehow or they get a program to crawl the site. Then they would be able to get that file. How do we prevent that?

Thanks in advance.

-Original Message-
From: tedd [mailto:[EMAIL PROTECTED]
Sent: 27 August 2008 17:29
To: php-general@lists.php.net
Subject: Re: [PHP] restricted file access

At 4:13 PM +0200 8/27/08, Angelo Zanetti wrote:
> Hi all,
>
> We have a site and we have created an admin section where the admin can upload documents. We have made a user login section where they can view a list of the documents (from the DB) and download the file. We want to make the site however not allow ppl to type in the path of the document and retrieve the file.
>
> How is this accomplished? Are the documents stored in a hidden / non-web accessible directory? Or is this restricted with APACHE?
>
> Please advise

Well...none of the above.

I would have a php script deliver the files and not allow the user to see the path.

Here's an example:

http://php1.net/b/file-browser/index.php

It would be a simple matter not to show the path but rather just show what's available to the user and then let the php script deliver the product to the user via a common url, like the demo does.

In other words, the most that any user can get is the path to one spot where your script deposits the file for download.

Cheers,
tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
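Added example (not part of the original thread and not any poster's code): one way to write the getfile.php delivery script suggested above, combined with the approach Angelo settled on (documents outside the web root, sent with headers and readfile()). The DOCFOLDER path and the 'user_id' session key are assumptions; the requested name is reduced with basename() and re-checked with realpath() before anything is read.

```php
<?php
// getfile.php: added example, not code posted in the thread.
// Assumed names: the DOCFOLDER path and the 'user_id' session key.
declare(strict_types=1);

const DOCFOLDER = '/srv/private_docs'; // assumed path outside the web root

// Map a user-supplied name to a real file inside $baseDir, or null.
function resolve_document(string $baseDir, string $requested): ?string
{
    // basename() drops directory parts: "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null; // no empty names, no dotfiles
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // folder or file does not exist
    }
    // realpath() follows symlinks, so re-check that the result is still in $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) { // only logged-in users may download
    http_response_code(403);
    exit('Forbidden');
}

$requested = $_GET['filename'] ?? '';
$path = is_string($requested) ? resolve_document(DOCFOLDER, $requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

In the setup described in the thread the document list comes from the DB, so a check that the logged-in user is allowed this particular document belongs before readfile().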
RE: [PHP] restricted file access
At 10:50 AM +0200 8/28/08, Angelo Zanetti wrote:
> Thanks for your reply. But what happens if the file is situated here:
> www.site.com/include/documents/file.doc
> and someone knows that path file somehow or they get a program to crawl the site. Then they would be able to get that file. How do we prevent that?

You don't!

But file.doc doesn't have to be anything either. Try this:

http://sperling.com/file.doc

-- you won't find anything there. However, if I wanted something to be there for someone, I could put it there. Understand?

Cheers,
tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
[PHP] restricted file access
Hi all,

We have a site and we have created an admin section where the admin can upload documents. We have made a user login section where they can view a list of the documents (from the DB) and download the file. We want to make the site however not allow ppl to type in the path of the document and retrieve the file.

How is this accomplished? Are the documents stored in a hidden / non-web accessible directory? Or is this restricted with APACHE?

Please advise

Thanks in advance.

Web: http://www.elemental.co.za
Re: [PHP] restricted file access
At 4:13 PM +0200 8/27/08, Angelo Zanetti wrote:
> Hi all,
>
> We have a site and we have created an admin section where the admin can upload documents. We have made a user login section where they can view a list of the documents (from the DB) and download the file. We want to make the site however not allow ppl to type in the path of the document and retrieve the file.
>
> How is this accomplished? Are the documents stored in a hidden / non-web accessible directory? Or is this restricted with APACHE?
>
> Please advise

Well...none of the above.

I would have a php script deliver the files and not allow the user to see the path.

Here's an example:

http://php1.net/b/file-browser/index.php

It would be a simple matter not to show the path but rather just show what's available to the user and then let the php script deliver the product to the user via a common url, like the demo does.

In other words, the most that any user can get is the path to one spot where your script deposits the file for download.

Cheers,
tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] restricted file access
Hello,

I saw that the end file always has the name test.zip ( http://php1.net/b/file-browser/index.php )

Are you zipping the file before outputting to the user? In that case, you are accomplishing the desired goal of hiding the path, because the file changed but the path is always the same.

Am I right?

On Wed, Aug 27, 2008 at 4:28 PM, tedd [EMAIL PROTECTED] wrote:
> At 4:13 PM +0200 8/27/08, Angelo Zanetti wrote:
>> Hi all,
>>
>> We have a site and we have created an admin section where the admin can upload documents. We have made a user login section where they can view a list of the documents (from the DB) and download the file. We want to make the site however not allow ppl to type in the path of the document and retrieve the file.
>>
>> How is this accomplished? Are the documents stored in a hidden / non-web accessible directory? Or is this restricted with APACHE?
>>
>> Please advise
>
> Well...none of the above.
>
> I would have a php script deliver the files and not allow the user to see the path.
>
> Here's an example:
>
> http://php1.net/b/file-browser/index.php
>
> It would be a simple matter not to show the path but rather just show what's available to the user and then let the php script deliver the product to the user via a common url, like the demo does.
>
> In other words, the most that any user can get is the path to one spot where your script deposits the file for download.
>
> Cheers,
> tedd
>
> --
> ---
> http://sperling.com http://ancientstones.com http://earthstones.com

--
Best regards,
Tiago Palhota