securing folder access and creating links to docs

TheProdigyGuy
New php-forum User
Posts: 215
Joined: Wed Dec 07, 2011 5:25 pm

Sat Jan 21, 2012 3:08 pm

Here is my algorithm:
1st, you have to create a database for your upload section (e.g. for storing uploaded file names, user IDs, uploader IPs, timestamps, MD5 checksum of the file).
2nd, let's say when a new user joins as a member (if all sanitization + validation is successful), automatically create

Code:

/home/useruploads/randomUIDPath/randomUIDSaltedGarbageGoesHere/

then insert that path name into the database with the corresponding USER ID (unique).
And on the root level of that /home/useruploads/ folder you have to create a .htaccess.
For example:

Code:

php_flag engine off
deny from all

The first line will prevent execution of any PHP script (code).
The second line will prevent any download like the one below (it is a bit more secure + anti-brute-force of user files in any case, aka a guess attack with GET requests).
For example:

Code:

http://yoursite.name/andomUIDPath/randomUIDSaltedGarbageGoesHere/somefile.extension

3rd, when a user uploads files, check the file extension + basename($ofuploadfile)
(do any sanitization + validation on the file name).
If it uploaded successfully, move it to the user folder (you need to get it from database.table.USER_ID).
Write that file name to the database, give it a unique file ID, compute the MD5 of that file on the file system and insert it into the database together with the IP address of the uploader, etc.

OK, it seems that's all for the upload.

But how to download those files?
Instead of using the file name when downloading those user files:
1st, check whether the downloading user is authenticated on your system (SESSION check).
2nd, make your download URLs like:

Code:

http://mysite.name/download.php?uid=USERID&fileID=fromDatabaseUNIQUEID&md5checksum=MD5CHECKSUMOFCORRESPONDINGFILE

For example (this is a snippet from one of my projects which I already realised):

Code:

// sanitize() is a helper defined elsewhere in the project (not shown here).
if (!isset($_GET['getid']) || empty($_GET['getid']) || !isset($_GET['token']) || empty($_GET['token']))
{
    @header("Location: index.php");
    exit; // stop here; without exit the script keeps running after the redirect header
}
if (!ctype_digit($_GET['getid']))
{
    @header("Location: index.php");
    exit;
}
if (isset($_SESSION['user']) && isset($_GET['getid']) && !empty($_GET['getid']) && isset($_GET['token']) && !empty($_GET['token']))
{
    $fileiddown = (int)$_GET['getid'];
    $hash = mysql_real_escape_string(htmlspecialchars($_GET['token']));
    sanitize($hash, $die = 1);
    if (strlen($hash) !== 32)
    {
        @header("Location: main.php?flist");
        exit;
    }
    $getfromdir = './uploads/';
    sanitize($fileiddown, $die = 1);

    // Look up the stored file name by file id + token (the file's MD5 checksum)
    $fetchfromgetparamname = @mysql_result(mysql_query("select `upl`.`fname` from `uploads` `upl` where `upl`.`id`='$fileiddown' AND `upl`.`md5sum`='$hash' order by `upl`.`id` desc limit 0,1"), 0);
    if (!empty($fetchfromgetparamname))
    {
        // Strip '/' and '..' so the stored name cannot point outside the upload directory
        $fetchfromgetparamname = str_ireplace('..', '', str_ireplace('/', '', $fetchfromgetparamname));
        @header('Content-Disposition: attachment; filename="' . $fetchfromgetparamname . '"');
        echo @file_get_contents($getfromdir . $fetchfromgetparamname);
    }
    else
    {
        die('<script>location.replace("?");</script>');
    }
}
If it is successful:

Code:

@header('Content-Disposition: attachment; filename="' . $fetchfromgetparamname . '"');
echo @file_get_contents($getfromdir . $fetchfromgetparamname);

Using that FILEID will protect you from traversal attacks!
It really has advantages.

This is possible and IMHO it is easy if you know what you are doing.

Sorry for the late reply & sorry for bumping an old thread :)

Cheers
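The scheme described in the post above (random per-user directory outside the web root, one database row per file, download by numeric id plus checksum token behind a session check), as an added example that is not the poster's code or project code. It uses PDO prepared statements in place of the legacy mysql_* API and adds a constant-time token compare and a realpath containment check. Everything schema- or path-related is assumed: a table uploads(id, user_id, stored_name, orig_name, md5sum, uploader_ip, uploaded_at), a session holding user_id and the user's random upload_dir, the UPLOAD_ROOT constant, the ALLOWED_EXT whitelist, and the placeholder database credentials.

```php
<?php
// Added example (not the original poster's code). Assumptions: table
// uploads(id, user_id, stored_name, orig_name, md5sum, uploader_ip, uploaded_at),
// $_SESSION['user_id'] / $_SESSION['upload_dir'] set at login, and UPLOAD_ROOT
// not served by the web server (or protected by the .htaccess from the post).
declare(strict_types=1);

const UPLOAD_ROOT = '/home/useruploads';                  // assumed storage root
const ALLOWED_EXT = ['pdf', 'png', 'jpg', 'txt', 'zip'];  // assumed extension whitelist

function redirect(string $to): void
{
    header('Location: ' . $to);
    exit; // never fall through after a redirect header
}

// Upload side: register a freshly uploaded file for $userId, return its new row id.
function store_upload(PDO $db, int $userId, string $userDir, array $file): int
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    $orig = basename($file['name']);
    $ext  = strtolower(pathinfo($orig, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('extension not allowed');
    }
    // The on-disk name is random; the user-supplied name is kept only for display.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_ROOT . '/' . basename($userDir) . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    $stmt = $db->prepare(
        'INSERT INTO uploads (user_id, stored_name, orig_name, md5sum, uploader_ip, uploaded_at)
         VALUES (?, ?, ?, ?, ?, NOW())'
    );
    $stmt->execute([$userId, $stored, $orig, md5_file($dest), $_SERVER['REMOTE_ADDR'] ?? '']);
    return (int) $db->lastInsertId();
}

// Download side: serve a file only if the caller owns it and presents the matching token.
function serve_download(PDO $db, int $userId, string $userDir, int $fileId, string $token): void
{
    if (strlen($token) !== 32 || !ctype_xdigit($token)) {
        redirect('main.php?flist');
    }
    $stmt = $db->prepare('SELECT stored_name, orig_name, md5sum FROM uploads WHERE id = ? AND user_id = ?');
    $stmt->execute([$fileId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals: constant-time compare, so the token is not guessable byte by byte
    if ($row === false || !hash_equals($row['md5sum'], $token)) {
        redirect('main.php?flist');
    }
    $base = realpath(UPLOAD_ROOT . '/' . basename($userDir));
    $path = realpath($base . '/' . basename($row['stored_name']));
    // Defence in depth: the resolved path must still lie inside this user's directory.
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        redirect('main.php?flist');
    }
    $downloadName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['orig_name']);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $downloadName . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}

// Request handling for download.php?getid=<file id>&token=<md5 of file>
session_start();
if (!isset($_SESSION['user_id'], $_SESSION['upload_dir'])) {
    redirect('index.php');
}
$fileId = filter_input(INPUT_GET, 'getid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$token  = filter_input(INPUT_GET, 'token');
if ($fileId === false || $fileId === null || !is_string($token)) {
    redirect('index.php');
}
// Placeholder DSN/credentials: replace with the real ones.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
serve_download($db, (int) $_SESSION['user_id'], (string) $_SESSION['upload_dir'], $fileId, $token);
```

The two checks that go beyond the post's snippet are worth keeping even if the rest is adapted: the query is bound to the session's user_id, so a valid id/token pair belonging to another user still returns nothing, and the realpath containment test catches any stored_name that somehow resolves outside the user's directory instead of relying on string stripping of `..` and `/`.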
