
Hiding File URLs? - PHP Development


  1. #1

    Re: Hiding File URLs?

    I found this interesting and did some research:
    http://be.php.net/manual/en/function.symlink.php
    In the comments,
    "olszewski_marek at yahoo dot com
    04-Dec-2000 03:54"
    has your solution.

    David T. Ashley wrote:
    > Hi,
    >
    > How can I hide the "origin" of a file so that a user can't get to it
    > except for through PHP? Here is the scenario:
    >
    > I have an issues database where with each issue a user might attach
    > relevant files. A typical file might be a .PDF or .ZIP file. These
    > files would be uploaded to the server via POST, under PHP control.
    >
    > To store the files, the mechanism I had in mind was to use two prime
    > numbers to hash the file down into a directory based on a database
    > index (for performance reasons), so a file myfile.pdf might be at this
    > location:
    >
    > /var/www/htdocs/files/21/97/myfile.pdf
    >
    > I would envision that the entire directory structure /var/www/htdocs
    > and below is visible to an Apache server.
    >
    > Uploading is easy, but ...
    >
    > When a user retrieves the file, a database would present a hyperlink
    > to him with the link http://whateverdomain/files/21/97/myfile.pdf.
    >
    > The problem is that even after the user is done retrieving the file
    > via a link presented to him, he can still get to that file later
    > directly using the URL. He can also "fish" around in the directory
    > structure and perhaps find files that he should not view.
    >
    > What is the best way to present files (with information stored in a
    > MySQL database) so that the user can get to files only at the time the
    > download link is presented to him and also only those files!
    >
    > Thanks, Dave.
    Glen Vermeylen Guest

  2. #2

    Re: Hiding File URLs?

    But what if you have huge files, won't they slow down your server?
    And isn't the download-time of the file then limited to the
    maximum-execution-time of a php-script?

    Ian.H [dS] wrote:
    >
    > Whilst lounging around on 5 Aug 2003 08:23:11 -0700,
    > dtashleyesrg.org (David T. Ashley) amazingly managed to produce the
    > following with their Etch-A-Sketch:
    >
    >
    >>Hi,
    >>
    >>How can I hide the "origin" of a file so that a user can't get to
    >>it except for through PHP? Here is the scenario:
    >>
    >>I have an issues database where with each issue a user might attach
    >>relevant files. A typical file might be a .PDF or .ZIP file.
    >>These files would be uploaded to the server via POST, under PHP
    >>control.
    >>
    >>To store the files, the mechanism I had in mind was to use two
    >>prime numbers to hash the file down into a directory based on a
    >>database index (for performance reasons), so a file myfile.pdf
    >>might be at this location:
    >>
    >>/var/www/htdocs/files/21/97/myfile.pdf
    >>
    >>I would envision that the entire directory structure
    >>/var/www/htdocs and below is visible to an Apache server.
    >>
    >>Uploading is easy, but ...
    >>
    >>When a user retrieves the file, a database would present a
    >>hyperlink to him with the link
    >>http://whateverdomain/files/21/97/myfile.pdf.
    >>
    >>The problem is that even after the user is done retrieving the file
    >>via a link presented to him, he can still get to that file later
    >>directly using the URL. He can also "fish" around in the directory
    >>structure and perhaps find files that he should not view.
    >>
    >>What is the best way to present files (with information stored in a
    >>MySQL database) so that the user can get to files only at the time
    >>the download link is presented to him and also only those files!
    >>
    >>Thanks, Dave.
    >
    >
    >
    > Store the files outside of the Web accessible directory, read the
    > file and send with the relevant mime-type header.
    >
    > I've just implementing / implemented this as a phpBB mod on a forum..
    > although I have user definable mime-types in mysql, you could
    > hardcode these according to the file extension. Then the only way
    > someone could attempt to get it would be as
    > yourdomain.com/../files/foo.pdf which wouldn't work as the docroot
    > would prevent it.. but your PHP script can read from that dir and
    > present the file to the user so that the URL would have to be
    > yourdomain.com/dload.php?id=1 for example.. nothing else would work.
    > You also have some control then as to who has access too (could be
    > limited to members only for example if that's how your site is run
    > etc).
    >
    >
    > HTH.
    >
    >
    >
    > Regards,
    >
    > Ian
    Glen Vermeylen Guest
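
The approach quoted above (files stored outside the docroot and served through `dload.php?id=1`) together with the large-file question, as an added example that is not code from the thread. The table and column names, the storage path, the DSN and the `$_SESSION['user_id']` login convention are all assumptions.

```php
<?php
// dload.php?id=N -- added example, not code from the thread.
// Assumed schema: attachments(id, issue_id, stored_name, orig_name, mime)
// and issue_access(issue_id, user_id); login sets $_SESSION['user_id'].
declare(strict_types=1);

const STORE = '/var/www/private_files'; // hypothetical path, NOT under /var/www/htdocs

function findAttachment(PDO $db, int $id, int $userId): ?array
{
    // The join is the authorization check: no row unless this user may see the issue.
    $st = $db->prepare(
        'SELECT a.stored_name, a.orig_name, a.mime
           FROM attachments a
           JOIN issue_access x ON x.issue_id = a.issue_id
          WHERE a.id = ? AND x.user_id = ?');
    $st->execute([$id, $userId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function sendAttachment(array $row): void
{
    // stored_name is generated server-side at upload; basename() is defence in depth.
    $path = STORE . '/' . basename($row['stored_name']);
    if (!is_file($path)) { http_response_code(404); exit; }
    // The uploader's file name is only ever used here, reduced to a safe charset.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['orig_name']);
    header('Content-Type: ' . $row['mime']);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    set_time_limit(0);                             // lift the execution limit for big files
    while (ob_get_level() > 0) { ob_end_clean(); } // no output buffer: stream, don't hold in memory
    readfile($path);
}

session_start();
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (empty($_SESSION['user_id']) || !is_int($id)) { http_response_code(403); exit; }
// Assumed DSN and credentials source.
$db = new PDO('mysql:host=localhost;dbname=issues', 'app', getenv('DB_PASS') ?: '');
$row = findAttachment($db, $id, (int) $_SESSION['user_id']);
if ($row === null) { http_response_code(404); exit; } // same answer for "missing" and "not yours"
sendAttachment($row);
```

Because the request carries only a numeric id and the path is built from a server-generated name, there is no URL that maps to the file itself and no directory structure to enumerate.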
