Board index   FAQ   Search  
Register  Login
Board index php forum :: PHP and MySQL Security PHP & MySQL Security

securing folder access and creatinginks to docs

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

securing folder access and creatinginks to docs

Postby thechinmaster » Sat Oct 01, 2011 6:29 pm

I am very new to PHP, but have been trying to research this for several weeks.

For security, can I create user folders named by User_ID (ie. users/user0001/) above the public_html folder, and is there an easy way to call that information using PHP?

So, if I want to allow user0001 to download the file "/users/user0001/123.pdf" how can I script this, bearing in mind that I want to use the same script for multiple User_ID's?

Hopefully this makes sense! If possible please please give me the absolute 'idiot proof guide'

....unless there is a better way of securing this information?
thechinmaster
New php-forum User
New php-forum User
 
Posts: 1
Joined: Sat Oct 01, 2011 6:24 pm

Re: securing folder access and creatinginks to docs

Postby TheProdigyGuy » Sat Jan 21, 2012 3:08 pm

Here is my algo:
1'st you have create database for your upload section(in ex: for storing uploaded file names,user id's,uploader ip's,timestamp,MD5 CHeck SUm of file)
2'nd lets say when new user joins as member (if all sanitization +validation successfull) automatically create
Code: Select all
/home/useruploads/randomUIDPath/randomUIDSaltedGarbageGoesHere/

then insert that path name to database with corresponding USER ID(unique)
And on the root level of that /home/useruploads/ folder you have create .htaccess
In ex:
Code: Select all
php_flag engine off
deny from all

First line will prevent of execution of any php script(code)
Second line will prevent any download like:(It is a bit secure+Antibrute of user files in any case aka Guess Attack with GET request)
In ex:
Code: Select all
http://yoursite.name/andomUIDPath/randomUIDSaltedGarbageGoesHere/somefile.extension


3'rd When user uploads files check check file extension+basename($ofuploadfile)
(do any sanitization +validation on file name)
If that uploaded successfully move it to user folder(You need to get it from database.table.USER_ID)
Write to database to that file name+Give to that Unique FIle ID+Check MD5 of that file on file system then insert to database it,IP address of uploader etc etc.)

Ok seems thats all with upload.

But how to download that files?
Instead of using file name when downloading that userfiles:
1'st check is downloader user authenticated on your system?(SESSION check)
2'nd make your download URL's like:
Code: Select all
http://mysite.name/download.php?uid=USERID&fileID=fromDatabaseUNIQUEID&md5checksum=MD5CHECKSUMOFCORRESPONDINGFILE


In ex:(This is snippet from my one project which i yet realised)

Code: Select all
if (!isset($_GET['getid']) || empty($_GET['getid']) || !isset($_GET['token']) || empty($_GET['token']))@header("Location: index.php");
if (!ctype_digit($_GET['getid']))@header("Location: index.php");
if (isset($_SESSION['user']) && isset($_GET['getid']) && !empty($_GET['getid']) && isset($_GET['token']) && !empty($_GET['token']))
{
    $fileiddown=(int)$_GET['getid'];
    $hash=mysql_real_escape_string(htmlspecialchars($_GET['token']));
    sanitize($hash,$die=1);
    if (strlen($hash) !==32)@header("Location: main.php?flist");
    //$fileiddown=(int)$_GET['getid'];//
    $getfromdir='./uploads/';
    sanitize($fileiddown,$die=1);
   
    $fetchfromgetparamname=@mysql_result(mysql_query("select `upl`.`fname` from `uploads` `upl` where `upl`.`id`='$fileiddown' AND `upl`.`md5sum`='$hash' order by `upl`.`id` desc limit 0,1"),0);
   if (!empty($fetchfromgetparamname))
   {
  $fetchfromgetparamname=str_ireplace('..','',str_ireplace('/','',$fetchfromgetparamname));
   @header('Content-Disposition: attachment; filename="'.$fetchfromgetparamname.'"');
   echo @file_get_contents($getfromdir.$fetchfromgetparamname);
   }
   else
   {
    die('<script>location.replace("?");</script>');
   }


If it is successfull:
Code: Select all
@header('Content-Disposition: attachment; filename="'.$fetchfromgetparamname.'"');
   echo @file_get_contents($getfromdir.$fetchfromgetparamname);



Using that FILEID will prevent you from traversal attacks!
It has really advantages.

This is possible and IMHO it is easy if you know what you are doing.

Sorry for late reply & sorry for Bumping old Thread)

Cheers
TheProdigyGuy
New php-forum User
New php-forum User
 
Posts: 215
Joined: Wed Dec 07, 2011 5:25 pm


Return to PHP & MySQL Security

Who is online

Users browsing this forum: No registered users and 1 guest

Sponsored by Sitebuilder Web hosting and Traduzioni Italiano Rumeno and antispam for cPanel.