So I've built a form that lets users to upload files (within an extensions whitelist) to random-named directories, under another directory in root. The random name, for tech reasons, for now it's written down in the html page, but visible in code only while the page exists. If the user refreshes the page, the name will change. Only the random dir name itself is visible, not the entire upload in itpath.
data-name="<?php echo uniqidReal(); ?>" // outputs like 'd91806dbde743568'
That name is then used by php to create the dir where the files will be saved, something like https://www.acme.com/mydir/d91806dbde743568/file.mp3. That entire url will be then send once to the receiver of the form.
The 'mydir' contents are under -Indexes, so no way for anyone to guess the name of the random named dirs in it.
Now my question: is that enough to avoid security issues? Could one, for example, upload a masked file that contains some malicious code that once uploaded can read the dirs and send them back informations or do something else?
Should I strengthen the security level in some other way?
This is not the best way, because the name of a folder can have characters like ../
It seems to me better to create a random folder on the server without receiving data from the user
Related
My question is about HTML and PHP.
This is my setup right now:
A website where user have accounts
A FTP server with pictures (currently none)
Files are currently saved on the website in the "PICTURES" folder (which is accessible by everybody who know the full URL)
So, I would like to know how I can display the images without storing them on the website (which will fix my URL problem).
My idea was to move the files on the FTP server, and when a users logon and request a page with those images, download them through a FTP connection, save them on the website, display the images, and remove them. Which would make them accessible only between the downloading time. But this solutions sounds REALLY bad to me.
You need always to have a place where your images are stored. But, if you don't want to give a user the chance to know where are stored, you can create a system which is used to show the images.
Think about this, if you want to download a file from Mega, you can't access to the URL where the file is stored, instead of that, the server itselfs calls a system who assign you a "key" and you can download the file only through that system using your "key".
You could use a system like "base64" so you can encode your image, and show it using it, or, you can use the "header" modifier so, you can display an image using a PHP code.
For example your image tag will be like:
<img src="processImage.php?id=01&user=10&key=123" />
So, your processImage will return a "tricky" image, actually not the image, but the code processed by PHP will be returned, like using "imagejpg()" function with the header "Content-Type:image/jpeg" and then the user will not know where the image is stored actually but the img will works actually.
I'm using the latest Codeigniter version, and I write a program about basic file uploading and download helper in http://ellislab.com/codeigniter%20/user-guide/helpers/download_helper.html.
I want to create a system that will upload a multiple files to the directory and save the file name to the database and the name of the uploader, and will have function to have download links to download every file of that specific user. If possible the system can email the encrypted link to the users to download the file. And can only download for specific time..
I don't know the logic in dynamic files to download. Can someone teach how to do this or what logic can solve this problem. Thank you very much! :)
For multiple files you have some alternatives, you can create each field as a user press a button or use the multiple propriety to <input> tag.
To manage this multiple uploads you must create your own upload library reading each $_FILES['nameoffield'] in a foreach loop for example although there are alternatives ready to be used like: https://github.com/nicdev/CodeIgniter-Multiple-File-Upload
On your database, you could have two fields that stores the original file name and path, and the encrypted one. Probably associated to a random unique number or timestamp.
To email encrypted link, and by encrypted I think you are saying a disguised link to the file, not using original name, you simple select the field which store the encrypted name to a controller, like download and keep a variable to receive a value as parameter. This value you must check on database if it really exists and then redirect to the file. By doing that you should have your file being downloaded.
I've been searching for a good 3 hours, and I'm stumped on how to do something I think is pretty simple (famous last words...)
Basically, I'm building a site that allows the user to upload a pdf file. The URL of this file is stored in a database, along with the name and a few other details. I am trying to work out how to either:
-Provide an "upload" box/button/area that a user can select a file, upload it, and then have the URL of where the file was uploaded stored in a database.
OR
-Use a separate upload script, and have the user upload the file. Then, (on a possibly separate page, I don't mind) provide a file browser, which would allow the user to browse a directory, and select a file, with the url of that file passed through to the PHP form.
I don't mind which way it is done, as long as the desired outcome of having a file uploaded and the url added to a database.
Or am I out of the reach of PHP? Is my best bet uploading files via a bare php uploader, then manually entering the url of the file uploaded into a textbox on a php form?
Any help is much appreciated!
create a htmlform, make sure to set enctype to a value of
"multipart/form-data"
in PHP you should be able to get the file namefrom the $_FILE global variable
save it to a directory on the server.
the url of your document will we http://serverroot/{directory name}/filename.pdf -> directory name is the name of the directory on the serve you saved the file in
I have a multi-step form in which i have to choose an image in step 3 and have to pass the image directory or path as a session in another input field in step 4 before submitting form.How I can pass the image path to finally keep it in database??Please Help !( PHP & Mysql)
You can't. There is no way to know where on the user's hard drive a file is stored, let alone a way to go and get it from the web browser (imagine if I made a website that went after your windows directory files; even your password files -- there are obvious security reasons why web browsers don't allow this).
What you can do is upload the image, then use info stored in $_FILES to temporarily track where the file is located on the server, and at final submission do whatever you need to do with it.
I've found several answers to this question, but each case was different from mine. Before I spend hours implementing what I think will work, I'd like to get an opinion or two. Who knows, there may be an easier solution that will benefit someone else too!
I'm in the process of creating a website which provides a photo modification service. Each of my customers will be uploading their photos using a modified version of a jQuery/PHP upload script I found on Github (BlueImp's File Upload script- props BlueImp!) When each image is done uploading, a thumbnail of the image is displayed next to the image's filename.
The upload page creates a folder based on their Order #, and a thumbnail subfolder where the images are stored. For example, for Order # 12345:
/uploads/12345 <- Folder where the uploaded images will go
/uploads/12345/thumbs <- Folder where thumbnails will be served from
It's important that clients don't access other clients' photos. I moved the uploads folder outside of my website root, but then the thumbnails weren't displaying when the images finished uploading because, well, they weren't in the website root so the links weren't working.
Here's a solution I thought of:
Separate the folders. Move the main upload folder outside of the document root, but leave the thumbnail folder inside the doc root, so the thumbnails can be served up when each upload completes. When the user has finished uploading their images, delete the thumbnail folder corresponding to that Order #.
Is there a better way to do it? My concern is preventing access to photos (A client will only have to upload them once, then wait for us to finish the modifications. They will NOT have to log back in to download them.) I don't want someone to be able to access the upload folder via the address bar or anywhere else. Can I use an .htaccess file to restrict access, but still allow for linking to the thumbnail images via the upload script?
I apologize for the wordy question. I tried to be as succinct as my limited knowledge of programming would allow. Thank you in advance for your time and effort in helping with this.
two way around
Write a blank index.html on each directory, which will prohibit to access files.
Write below in .htaccess ( if not exist then create this file )
Options -Indexes
OR If you want NO ENTRY outside of the LAN
# no nasty crackers in here!
order deny,allow
deny from all
allow from 192.168.0.0/24
# this would do the same thing..
#allow from 192.168.0.0 to 192.168.0.24
Reference
One more
You want to show the thumbs to each owner customers but not to others?
knowing the Order number (is sequenziell) you can easily try some links and see some photos.
I suggest to use a .htaccess to password the upload folder and to generate a hash number for every thumb that you have to attribute to the order number.
A second solution: password with a .htaccess the upload folder and generate a thumb when you generate the order confirmation page without saving the thumb. (he has to see it only once as you mention).
have fun!
Two things that you should do are:
Disable directory indexing.
Always keep the file names random. Map them using the database. i.e file1.jpg->file_af324234324324ff . You can also store the thumbnail file information in the same table.