securing folder access and creatinginks to docs

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

thechinmaster
New php-forum User
New php-forum User
Posts: 1
Joined: Sat Oct 01, 2011 6:24 pm

securing folder access and creatinginks to docs

Postby thechinmaster » Sat Oct 01, 2011 6:29 pm

I am very new to PHP, but have been trying to research this for several weeks.

For security, can I create user folders named by User_ID (ie. users/user0001/) above the public_html folder, and is there an easy way to call that information using PHP?

So, if I want to allow user0001 to download the file "/users/user0001/123.pdf" how can I script this, bearing in mind that I want to use the same script for multiple User_ID's?

Hopefully this makes sense! If possible please please give me the absolute 'idiot proof guide'

....unless there is a better way of securing this information?

TheProdigyGuy
New php-forum User
New php-forum User
Posts: 215
Joined: Wed Dec 07, 2011 5:25 pm

Re: securing folder access and creatinginks to docs

Postby TheProdigyGuy » Sat Jan 21, 2012 3:08 pm

Here is my algo:
1'st you have create database for your upload section(in ex: for storing uploaded file names,user id's,uploader ip's,timestamp,MD5 CHeck SUm of file)
2'nd lets say when new user joins as member (if all sanitization +validation successfull) automatically create

Code: Select all

/home/useruploads/randomUIDPath/randomUIDSaltedGarbageGoesHere/

then insert that path name to database with corresponding USER ID(unique)
And on the root level of that /home/useruploads/ folder you have create .htaccess
In ex:

Code: Select all

php_flag engine off
deny from all

First line will prevent of execution of any php script(code)
Second line will prevent any download like:(It is a bit secure+Antibrute of user files in any case aka Guess Attack with GET request)
In ex:

Code: Select all

http://yoursite.name/andomUIDPath/randomUIDSaltedGarbageGoesHere/somefile.extension


3'rd When user uploads files check check file extension+basename($ofuploadfile)
(do any sanitization +validation on file name)
If that uploaded successfully move it to user folder(You need to get it from database.table.USER_ID)
Write to database to that file name+Give to that Unique FIle ID+Check MD5 of that file on file system then insert to database it,IP address of uploader etc etc.)

Ok seems thats all with upload.

But how to download that files?
Instead of using file name when downloading that userfiles:
1'st check is downloader user authenticated on your system?(SESSION check)
2'nd make your download URL's like:

Code: Select all

http://mysite.name/download.php?uid=USERID&fileID=fromDatabaseUNIQUEID&md5checksum=MD5CHECKSUMOFCORRESPONDINGFILE


In ex:(This is snippet from my one project which i yet realised)

Code: Select all

if (!isset($_GET['getid']) || empty($_GET['getid']) || !isset($_GET['token']) || empty($_GET['token']))@header("Location: index.php");
if (!ctype_digit($_GET['getid']))@header("Location: index.php");
if (isset($_SESSION['user']) && isset($_GET['getid']) && !empty($_GET['getid']) && isset($_GET['token']) && !empty($_GET['token']))
{
    $fileiddown=(int)$_GET['getid'];
    $hash=mysql_real_escape_string(htmlspecialchars($_GET['token']));
    sanitize($hash,$die=1);
    if (strlen($hash) !==32)@header("Location: main.php?flist");
    //$fileiddown=(int)$_GET['getid'];//
    $getfromdir='./uploads/';
    sanitize($fileiddown,$die=1);
   
    $fetchfromgetparamname=@mysql_result(mysql_query("select `upl`.`fname` from `uploads` `upl` where `upl`.`id`='$fileiddown' AND `upl`.`md5sum`='$hash' order by `upl`.`id` desc limit 0,1"),0);
   if (!empty($fetchfromgetparamname))
   {
  $fetchfromgetparamname=str_ireplace('..','',str_ireplace('/','',$fetchfromgetparamname));
   @header('Content-Disposition: attachment; filename="'.$fetchfromgetparamname.'"');
   echo @file_get_contents($getfromdir.$fetchfromgetparamname);
   }
   else
   {
    die('<script>location.replace("?");</script>');
   }


If it is successfull:

Code: Select all

@header('Content-Disposition: attachment; filename="'.$fetchfromgetparamname.'"');
   echo @file_get_contents($getfromdir.$fetchfromgetparamname);



Using that FILEID will prevent you from traversal attacks!
It has really advantages.

This is possible and IMHO it is easy if you know what you are doing.

Sorry for late reply & sorry for Bumping old Thread)

Cheers


Return to “PHP & MySQL Security”

Who is online

Users browsing this forum: No registered users and 1 guest