Re: [PHP] Preventing Access to Private Files

2007-09-13 Thread tedd

At 4:24 PM -0400 9/6/07, TG wrote:

> The web server software has access to certain directories, but PHP itself can
> have access to things outside the main web folders.


That's good advice, but what do you do when safe_mode is ON?

My experience is that PHP can't access folders out of the web root.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Preventing Access to Private Files

2007-09-13 Thread Chris

tedd wrote:

> At 4:24 PM -0400 9/6/07, TG wrote:
> > The web server software has access to certain directories, but PHP itself can
> > have access to things outside the main web folders.
>
> That's good advice, but what do you do when safe_mode is ON?
>
> My experience is that PHP can't access folders out of the web root.


Safe-mode shouldn't affect this particular problem, but open_basedir would.

--
Postgresql  php tutorials
http://www.designmagick.com/




Re: [PHP] Preventing Access to Private Files

2007-09-06 Thread mike
On 9/6/07, Stephen [EMAIL PROTECTED] wrote:
> I understand how to use PHP with MySQL to have a
> members table to validate passwords. And to limit the
> generation of member pages to members only.
>
> But what about photographs? If someone knows the
> complete URL they could view it directly, unless the
> directory is protected using .htpassword
>
> But I don't want to have passwords in two places, nor
> muck with the password file every time a new member
> joins.

you could use a PHP wrapper file, and do something like:

<?php
session_start();
// "is logged in and has rights": whatever check you already do against the members table
if (!empty($_SESSION['member_id']) && member_may_view($_SESSION['member_id'], 'file.jpg')) {
    header('Content-Type: image/jpeg');
    readfile('/somepath/photos/file.jpg');  // readfile(), not passthru(): passthru() runs a shell command
} else {
    header('Location: /login.php');
}
exit();




Re: [PHP] Preventing Access to Private Files

2007-09-06 Thread TG

You could use PHP to read the file and send the proper image format header.

Your URL might look something like this:

http://www.yoursite.com/image.php?id=234

If you're worried about people hotlinking it in web forums or something, you 
can research 'hotlink protection'.  There's a million ways you could do it. 
 I don't know what the best common practice is, but it could involve 
something in the URL that indicates the ID # of the image plus a date/time 
so if someone tried to use the link more than like 10 seconds after the 
link was generated, it wouldn't load.

example:
http://www.yoursite.com/image.php?id=20070909150523234

So if someone tried to access the link after Sept 9, 2007, 3:05pm and 23 
seconds (+/- like 10 sec maybe) using the image id 234, it would fail.   
You could encode that number so it wasn't so obvious what it was.

You could also maybe look at the REFERRER to see what page linked to the 
image and if it's not one of your pages, block it.

Also, a common practice for using files without them being publicly 
accessible (outside the web server) would be to store the files in a path 
that's not available to the web server.

For example, if you have your files in:

/somepath/webroot/
/somepath/webroot/images   (for common public things like buttons, banner graphics, etc)
/somepath/webroot/docs     (for public documents like PDFs or something you want people to be able to download easily)

Store sensitive files in:

/somepath/includes   (included/required files that may contain stuff like database passwords and such)
/somepath/photos     (photos you don't want publicly available to be direct linked as you describe)

The web server software has access to certain directories, but PHP itself can 
have access to things outside the main web folders.

Just some thoughts.  Good luck!

-TG

- Original Message -
From: Stephen [EMAIL PROTECTED]
To: php-general@lists.php.net
Date: Thu, 6 Sep 2007 16:03:52 -0400 (EDT)
Subject: [PHP] Preventing Access to Private Files

> I understand how to use PHP with MySQL to have a
> members table to validate passwords. And to limit the
> generation of member pages to members only.
>
> But what about photographs? If someone knows the
> complete URL they could view it directly, unless the
> directory is protected using .htpassword
>
> But I don't want to have passwords in two places, nor
> muck with the password file every time a new member
> joins.
>
> Suggestions?
>
> Thanks
> Stephen

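The wrapper that mike sketched and the image.php?id=... scheme TG describes, written out as one added example. This is not code from the thread: it assumes TG's /somepath/photos layout with photos stored as <id>.jpg, that login puts a member id in $_SESSION['member_id'], and a LINK_KEY secret loaded from outside the web root. It goes one step past TG's "encode that number so it wasn't so obvious": the expiry time is HMAC-signed, so a visitor cannot extend or forge a link, and the id is the only client input, so there is no path to traverse. The realpath()/is_readable() check is there because, as Chris notes above, open_basedir (not safe_mode) is what decides whether PHP can reach a directory outside the web root.

```php
<?php
// Added example, not from the thread. Serves a member-only photo stored
// outside the web root through a short-lived, HMAC-signed link.
// PHOTO_DIR, LINK_KEY, LINK_TTL and the session key are assumptions.
declare(strict_types=1);

const PHOTO_DIR = '/somepath/photos';   // outside the web root (layout from TG's post)
const LINK_TTL  = 60;                   // seconds a generated link stays valid
const LINK_KEY  = 'replace-with-a-random-32-byte-secret';  // assumption: load from config, not source

// Build "/image.php?id=234&exp=...&sig=..." for a member page to embed.
function photo_link(int $id, ?int $now = null): string
{
    $now = $now ?? time();
    $exp = $now + LINK_TTL;
    $sig = hash_hmac('sha256', "$id|$exp", LINK_KEY);
    return '/image.php?' . http_build_query(['id' => $id, 'exp' => $exp, 'sig' => $sig]);
}

// Check id/exp/sig from the query string; returns the photo id, or null if
// anything is missing, malformed, expired, or carries a bad signature.
function verify_link(array $query, ?int $now = null): ?int
{
    $now = $now ?? time();
    foreach (['id', 'exp', 'sig'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return null;
        }
    }
    if (!ctype_digit($query['id']) || !ctype_digit($query['exp'])) {
        return null;
    }
    $id  = (int) $query['id'];
    $exp = (int) $query['exp'];
    if ($exp < $now) {
        return null;                                    // link has expired
    }
    $expected = hash_hmac('sha256', "$id|$exp", LINK_KEY);
    if (!hash_equals($expected, $query['sig'])) {       // constant-time compare
        return null;                                    // forged or tampered link
    }
    return $id;
}

// Map a numeric id to a file under PHOTO_DIR. Only the integer id comes from
// the client, so the path cannot be steered; realpath() confirms the result is
// still inside PHOTO_DIR and is_readable() fails cleanly under open_basedir.
// (A real site would look the filename up by id in the database instead.)
function photo_path(int $id): ?string
{
    $base = realpath(PHOTO_DIR);
    $path = realpath(PHOTO_DIR . '/' . $id . '.jpg');
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return is_readable($path) ? $path : null;
}

// Request handler: only runs when invoked through the web server.
if (PHP_SAPI !== 'cli') {
    session_start();
    $id = verify_link($_GET);
    // Both are required: a live member session AND an unexpired, correctly signed link.
    if (empty($_SESSION['member_id']) || $id === null || ($file = photo_path($id)) === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    header('Content-Type: image/jpeg');                 // the "proper image format header"
    header('Content-Length: ' . filesize($file));
    header('Cache-Control: private, no-store');         // keep shared caches from serving it
    readfile($file);
    exit;
}
```

A member page embeds the image with something like <img src="<?= htmlspecialchars(photo_link(234)) ?>">; the link dies after LINK_TTL seconds, so a copy pasted into a forum stops working, while the session check still blocks anyone who is not logged in even inside that window. A Referer check can be layered on top as a hotlinking nuisance filter, but the header is sent by the client and is trivially omitted or spoofed, so it should never be the only control.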



RE: [PHP] Preventing Access to Private Files

2007-09-06 Thread Daevid Vincent
> -----Original Message-----
> From: Stephen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 06, 2007 1:04 PM
> To: php-general@lists.php.net
> Subject: [PHP] Preventing Access to Private Files
>
> I understand how to use PHP with MySQL to have a
> members table to validate passwords. And to limit the
> generation of member pages to members only.
>
> But what about photographs? If someone knows the
> complete URL they could view it directly, unless the
> directory is protected using .htpassword
>
> But I don't want to have passwords in two places, nor
> muck with the password file every time a new member
> joins.
>
> Suggestions?
>
> Thanks
> Stephen

http://modauthmysql.sourceforge.net/

Pretty much the greatest plugin ever invented for Apache.
I use it religiously.

Then you can have both methods sharing the same db table and it's seamless
and WAY more secure than trying to do some 'index.php' or 'header' tricks...

Basically add something like this to your apache vhost_foo.conf file:

<Directory /home/foo/public_html/admin>
  Options All
  AllowOverride None

  AuthName  "My Private Admin Stuff"
  AuthType  Basic
  require   valid-user

  AuthMySQLHost          localhost
  AuthMySQLDB            mydatabase
  AuthMySQLUser          mydbuser
  AuthMySQLPassword      mydbpass
  AuthMySQLPwEncryption  sha1
  AuthMySQLUserTable     users
  AuthMySQLNameField     username
  AuthMySQLPasswordField password
  AuthMySQLUserCondition "type = 'Admin' AND enabled = 1"
</Directory>
 
That last AuthMySQLUserCondition is the most useful addition.

Also take a look at this, for some additional ideas in making your login
look more professional than just some form fields on a web page...

http://www.php.net/manual/en/features.http-auth.php

You can combine all three methods and chicks will love you like no other...

D.Vin
http://daevid.com




[PHP] Preventing Access to Private Files

2007-09-06 Thread Stephen
I understand how to use PHP with MySQL to have a
members table to validate passwords. And to limit the
generation of member pages to members only.

But what about photographs? If someone knows the
complete URL they could view it directly, unless the
directory is protected using .htpassword

But I don't want to have passwords in two places, nor
muck with the password file every time a new member
joins.

Suggestions?

Thanks
Stephen




RE: [PHP] Preventing Access to Private Files

2007-09-06 Thread Daevid Vincent
Depends on your host I guess. Some hosts give you an entire Virtual Machine
with root access. It depends on your distro too. But usually it's in
/etc/apache...

If you don't have direct access, you will have to talk to them about if
mod_auth_mysql is installed and have them setup for you. If it's installed,
you could also do the .htaccess route, but that's not as elegant.

d 

> -----Original Message-----
> From: tedd [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 06, 2007 5:02 PM
> To: Daevid Vincent; php-general@lists.php.net
> Subject: RE: [PHP] Preventing Access to Private Files
>
> At 1:15 PM -0700 9/6/07, Daevid Vincent wrote:
> > Basically add something like this to your apache vhost_foo.conf file:
>
> Where's that?
>
> I'm on a hosted server -- is that something that I can get to?
>
> Cheers,
>
> tedd
> --
> ---
> http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Preventing Access to Private Files

2007-09-06 Thread brian

Daevid Vincent wrote:

> Depends on your host I guess. Some hosts give you an entire Virtual Machine
> with root access. It depends on your distro too. But usually it's in
> /etc/apache...
>
> If you don't have direct access, you will have to talk to them about if
> mod_auth_mysql is installed and have them setup for you. If it's installed,
> you could also do the .htaccess route, but that's not as elegant.



You can see if the module is installed with phpinfo() (under the apache 
section).


brina




RE: [PHP] Preventing Access to Private Files

2007-09-06 Thread tedd

At 1:15 PM -0700 9/6/07, Daevid Vincent wrote:

> Basically add something like this to your apache vhost_foo.conf file:


Where's that?

I'm on a hosted server -- is that something that I can get to?

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com
