Re: [PHP] Advice on maintaining public and private files
On 2/21/2010 9:11 AM, Kim Madsen wrote: Al wrote on 20/02/2010 19:30: I use Kim's solution and take it one step forward. Htacces files can get lost or corrupted, so No solution to that problem as I see it. In my config file I have the text string. I like the idea, but what if this file is never accessed? Generally my applications have Admins and Users. Admins visit every day or two; when they do, function checkHTaccessFile($htaccessText) gets called. It can also be called when Users visit, which is of course more often. This option is set in the config file. If someone is particularly concerned a cronjob to run every x hours will also work. This seems to me to be a bit of overkill. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Advice on maintaining public and private files
Al wrote on 20/02/2010 19:30: I use Kim's solution and take it one step forward. Htacces files can get lost or corrupted, so No solution to that problem as I see it. In my config file I have the text string. I like the idea, but what if this file is never accessed? -- Kind regards Kim Emax - masterminds.dk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Advice on maintaining public and private files
I use Kim's solution and take it one step forward. Htacces files can get lost or
corrupted, so
In my config file I have the text string.
//region htaccess file text
// Code writes to /db folder; Admin mode checks file existence and text;
replaces with this if different.
$htaccessText = <<
Order Deny,Allow
Deny from all
hta;
//endregion
In my main control file I call this function
/**
* checkHTaccessFile()
*
* Checks and restores htaccess Prevent Direct Access to MiniRegDB Program Files
*
* @param mixed $htaccessText in config file
* @return
*/
function checkHTaccessFile($htaccessText)
{
if(file_exists(MINIREG_DATA_DIR . '.htaccess') &&
file_get_contents(MINIREG_DATA_DIR . '.htaccess') == $htaccessText) return true;
file_put_contents(MINIREG_DATA_DIR . '.htaccess', $htaccessText);
return true;
}
On 2/20/2010 4:05 AM, Kim Madsen wrote:
Michael Stroh wrote on 19/02/2010 19:19:
I have a site I'm working on with some data that I want to be
readable by anyone, but some files that I want to keep hidden from
outside users. Here is an example of my file structure.
/products/data1/item_1/data.txt
> /products/data2/item_2/data.txt
since no one has suggested it then... if you're on an Apache webserver
use a .htaccess file in data2 which contains:
Deny from all
Allow from none
That will do the trick and PHP can still fetch the files in data2 and
serve it to the user.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Advice on maintaining public and private files
Kim Madsen wrote: > Michael Stroh wrote on 19/02/2010 19:19: >> I have a site I'm working on with some data that I want to be >> readable by anyone, but some files that I want to keep hidden from >> outside users. Here is an example of my file structure. >> >> /products/data1/item_1/data.txt >> /products/data2/item_2/data.txt > > since no one has suggested it then... if you're on an Apache webserver > use a .htaccess file in data2 which contains: > > Deny from all > Allow from none > > That will do the trick and PHP can still fetch the files in data2 and > serve it to the user. > Glad you said this; I'd been waiting to see if anybody would - certainly there is no quicker or easier way to solve this particular problem. Also worth adding that you can easily password protect the directories too using HTTP authorisation [1] (and even hook it in to LDAP or suchlike very simply). It's the curse of the PHP developer to try and use PHP to solve every problem - we all fall fowl of it often (I've wasted years doing things in PHP that really should have been done with a different tech). [1] http://httpd.apache.org/docs/2.0/howto/auth.html Regards! Nathan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Advice on maintaining public and private files
Michael Stroh wrote on 19/02/2010 19:19: I have a site I'm working on with some data that I want to be readable by anyone, but some files that I want to keep hidden from outside users. Here is an example of my file structure. /products/data1/item_1/data.txt > /products/data2/item_2/data.txt since no one has suggested it then... if you're on an Apache webserver use a .htaccess file in data2 which contains: Deny from all Allow from none That will do the trick and PHP can still fetch the files in data2 and serve it to the user. -- Kind regards Kim Emax - masterminds.dk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Advice on maintaining public and private files
From: Rene Veerman > the "proper way" i know of is not the easiest to implement..; > > 1) create a php script that accepts enough parameters to get at your data. > eg: /products/view.php?dataNr=1&itemNr=1 > 2) let that script compare the current user (visitor who's logged in) > to authentication data that tells which it if the user can access the > data requested. if it fails, you can route the user to a std page or > to a custom page (store in auth-data under "onFail") > 3) use apache's RewriteRule in /products/.htaccess to point virtual > urls to the view script; /products/data1/item_1/data.txt = > /products/view.php?dataNr=1&itemNr=1&file=data.txt (or something like > that). > > the main problem here is how to properly store authentication data. > how far to go depends on your (future) requirements. There are some easier tricks, but still not simple. Only the wrapper script should be in the webroot space. Everything else should be outside of it, but accessible by the user that the web server runs under. The wrapper also manages the session and any other access controls necessary, such as connections to a DB server. Once you parse the parameters from the URL, use require() or require_once() to link in the specific pages you need from outside webroot. This way none of the files or paths are exposed to the browser and nobody can get to those pages without going through the authentication in the wrapper. You can even pull in more than one, so there could be one file for the banner, one for the menu tree on the left column, one for a header, one for the page specific content and one for the footer. It makes global updates relatively easy, but can be a pain to get started. Bob McConnell -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Advice on maintaining public and private files
1 more thing: doing this right isn't easy. at all. it took me more than a year to "do it properly". you may wanna look around on sf.net for any package that can do this for you. On Fri, Feb 19, 2010 at 7:19 PM, Michael Stroh wrote: > I have a site I'm working on with some data that I want to be readable by > anyone, but some files that I want to keep hidden from outside users. Here is > an example of my file structure. > > /products/data1/item_1/data.txt > /products/data2/item_2/data.txt > > I would like everything in data1 to be available by anyone who visits the > site, but I want to keep items in the data2 folder to only be accessible > through certain web page which I hope to eventually require logins. Some of > these items I'd like to not only display but also allow people to download. > > My main concern is that I don't want people to be able to guess the names of > the files and then be able to access the information on them. Every 'item' > has an entry in a MySQL database which holds some information. I was thinking > I could have randomly generated folder names to take the place of the things > like 'item_2' such as > > /products/data2/kl23j42i/data.txt > > and then link the folder name through a database entry. But I'm not sure if > there are more elegant or easier ways to deal with this. Plus someone could > still just try randomly querying the site until they get a match. I'd first > like to just create a web page where you can go to access the hidden files > but would later like to add more control for other users using logins and > passwords. > > Most of my files are just text files and images. Any suggestions? > > Thanks in advance! > > Michael > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Advice on maintaining public and private files
As far as storing the files, use a seperate subdirectory called "rawData" or something, and place all your files in there, aim for 10 - 5000 files per directory, and keep it logical. But since you want to stop guessers from accessing it, use a randomID() function that you create to generate a random subdirectory under "rawData". You could also use just the -MM-DD HH-MM-SS of the submit/upload-date for the file or the last-modification date of the file. Then create something that maps IDs (dataNr, itemNr, fileID) to the relative path under "rawData". Then let view.php readfile() and output the requested file, instead of sending any link to your "rawData"-subdirectory-location to the browser. It should be airtight then. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Advice on maintaining public and private files
the "proper way" i know of is not the easiest to implement..; 1) create a php script that accepts enough parameters to get at your data. eg: /products/view.php?dataNr=1&itemNr=1 2) let that script compare the current user (visitor who's logged in) to authentication data that tells which it if the user can access the data requested. if it fails, you can route the user to a std page or to a custom page (store in auth-data under "onFail") 3) use apache's RewriteRule in /products/.htaccess to point virtual urls to the view script; /products/data1/item_1/data.txt = /products/view.php?dataNr=1&itemNr=1&file=data.txt (or something like that). the main problem here is how to properly store authentication data. how far to go depends on your (future) requirements. for my cms i went all the way and copied the unix filesystem permission architecture (incl the concept of users in groups) to work from mysql on an object-cloud (mapped to any "path(s)" elsewhere). but you can just as easilly just map userIDs to array records containing the keys that view.php works on. sorta like: global $permissions; $permissions = array ( 100 => array( array ( dataNr => 1, itemNr => 1, fileID => 'data.txt', mayRead => true, mayWrite => false ), (...other objects user 100 has permissions for...) userID => permissionsList ); you could use username instead of userid even, but i recommend against that if you're going to store user-definition records in a db, of course. On Fri, Feb 19, 2010 at 7:19 PM, Michael Stroh wrote: > I have a site I'm working on with some data that I want to be readable by > anyone, but some files that I want to keep hidden from outside users. Here is > an example of my file structure. > > /products/data1/item_1/data.txt > /products/data2/item_2/data.txt > > I would like everything in data1 to be available by anyone who visits the > site, but I want to keep items in the data2 folder to only be accessible > through certain web page which I hope to eventually require logins. Some of > these items I'd like to not only display but also allow people to download. > > My main concern is that I don't want people to be able to guess the names of > the files and then be able to access the information on them. Every 'item' > has an entry in a MySQL database which holds some information. I was thinking > I could have randomly generated folder names to take the place of the things > like 'item_2' such as > > /products/data2/kl23j42i/data.txt > > and then link the folder name through a database entry. But I'm not sure if > there are more elegant or easier ways to deal with this. Plus someone could > still just try randomly querying the site until they get a match. I'd first > like to just create a web page where you can go to access the hidden files > but would later like to add more control for other users using logins and > passwords. > > Most of my files are just text files and images. Any suggestions? > > Thanks in advance! > > Michael > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Advice on maintaining public and private files
On Fri, Feb 19, 2010 at 1:19 PM, Michael Stroh wrote: > I have a site I'm working on with some data that I want to be readable by > anyone, but some files that I want to keep hidden from outside users. Here is > an example of my file structure. > > /products/data1/item_1/data.txt > /products/data2/item_2/data.txt > > I would like everything in data1 to be available by anyone who visits the > site, but I want to keep items in the data2 folder to only be accessible > through certain web page which I hope to eventually require logins. Some of > these items I'd like to not only display but also allow people to download. > > My main concern is that I don't want people to be able to guess the names of > the files and then be able to access the information on them. Every 'item' > has an entry in a MySQL database which holds some information. I was thinking > I could have randomly generated folder names to take the place of the things > like 'item_2' such as > > /products/data2/kl23j42i/data.txt > > and then link the folder name through a database entry. But I'm not sure if > there are more elegant or easier ways to deal with this. Plus someone could > still just try randomly querying the site until they get a match. I'd first > like to just create a web page where you can go to access the hidden files > but would later like to add more control for other users using logins and > passwords. > > Most of my files are just text files and images. Any suggestions? > > Thanks in advance! > > Michael > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > Place all those files above the web root, the use php to read in the data from the files when display that data to the user. -- Bastien Cat, the other other white meat -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
