How to restrict direct file/url download and access? - php

I have a website eg. subdomain.example.com
The website works as follows
Scenario 1
When visitor logs into website the get a signup form
if they fill the form then a php scripts run
a. http://subdomain.example.com/subscribe.php
if they completed signup successfully then site returns
b. http://subdomain.example.com/success.html
if failed then site returns
c. http://subdomain.example.com/error.html
Scenario 2
There is another form to download a pdf after successful form fillup it executes a email to that user and send download link.
Solution needed :
I want no one can type link a,b,c in the browser and can be able to visit the site , site links can be visible if it is referred by the steps (If any one completes the procedure )
How to stop passing data by writiing values with a link in url. eg.
http://subdomain.example.com/subscribe.php?post[parameters]
How to set the accesskey system to make the download valid for single time and file cannot be accessible for direct link visit without api key.

They are a lot of ways to do this.... One way I do this is by generating an MD5 key and getting Radom strings from the generated key, then I use the super GET global variable to search for it ... Then use password_verify() function to verify the hash is correct ... Next I would do is that when uploading the file I create a column for date and insert the current date using the now() function, so when I verify the md5() code i also immediately verify how long it has taken since link generated.
I am sorry I am on a mobile phone... Would have loved to help you on this one, had done I for a client before..

Related

Executing encrypted/secure PHP/SQL script by clicking a link within an e-mail

I'm receiving e-mail from my PHP/MySQL application with certain links.
When I click on a certain link (Approve, for example) within the e-mail, I want a message to be sent back to my Application, which it'd translate into a PHP script or SQL statement to update certain fields in the database.
In order to determine which fields to update, certain user and request related information may be included in the link (user name, category, amount, etc.) but I don't want this to be seen as plain text or discovered by someone looking into the e-mail details (can it be encrypted and then decrypted by the PHP application when user Clicks back in the e-mail)
I want this to happen only if I'm clicking on the original e-mail, not if it it's a forward or reply of the original
NOTE: My Application is not SSL enabled
What components/frameworks could be used to accomplish this and ensuring a perfectly secure solution (i.e. it could be PHP web services, details on what method to use to encrypt/decrypt, etc.)
None. There is no such thing as perfect security. And if you consider that a forward may copy each and every byte of the original, it will be tricky to react differently on links in forwarded messages.
what about letting your user simply reply to the email so your original text is returned. You could be relatively sure, that the user is the only person with access to this particular email- address and you could read your secret and encrypted message from the email-text.
You could let a cronjob run every x seconds, let the php- script read the message for a string like:
<SECRET_INGREDIENT>jkbgv7&%%((Nj3js8<SECRET_INGREDIENT_END>
So php looks for <SECRET_INGREDIENT> and for <SECRET_INGREDIENT_END> and decrypts the part between.

How to limit a user to one visit on a single page?

Hello Guys i hate asking stupid questions here so i hope this isn't, How would i go about limiting someone to a download page of mine? so if they try to visit that page again (more then once) to download something it will just redirect or preferably change the download links to link 2 then Link 3 and is it possible to do without a database?
Eg:
First Visit - main link
Second Visit- link 2
third Visit- link 3
4 and up Visit no link and redirect
Maybe with cookies? i really i have no idea how to do it and i have Googled it but my wording must not be there...
Is there a name for this or a script?
Thanks for your time Guys.
A.
The best method to achieve the desired goal is database. Create a database table that contains two columns :
(1)Page Visitors IP
(2)The Last Download link used by the visitor to download
file(contents) from your website.
B.
You can too achieve your goal with the help of COOKIE.
setcookie("Visitor IP", "Download Link used by the Visitor", $expire);
Everytime, visitors visit your website, fetch the visitor IP and check whether $_COOKIE["Visitor IP"] is set or not, if its set, then update the existing Cookie else create the new one.
However, using Cookie is not a convenient way, as there might be a case where
Browser does NOT Support Cookies.
Client alter the Cookies value and use the previous link for download.
So, most simplest and elegant way to do it is, using Database.
UPD:
*How easy is it to code/setup a database?*
Setting up/Connecting to a database in php is pretty easy.
Refer the following LINK
Coding is pretty easy as well.
-Whenever the visitor click on the download link, fetch Visitors IP ($fetched_IP) by either POST or GET method. Also fetch the Link ($URL) visitor has clicked.
-Query the database [eg: Select DB_IP,LASTLINK from database WHERE DB_IP=$fetched_IP.....]
-If RowCount>0, then IP($fetched_IP) exists in database. Check the Last Link visited by the $fetched_IP.
-If LASTLINK!=$URL, then allow him download the content from $URL.Update the LAST_LINK column in database table by $URL.
-If rowcount==0,(New User) Insert a row that contains DB_IP=$fetched_IP(Visitor IP) and LAST_LINK=$URL.
An easy was is to use a hash table (associative array). When they satisfy the criteria to access the file, add an entry to the hash table using the the unique url as the key and the document path as the value. Save it to the session. When they access the url the page checks to see if the url is in the hash table. If it is, remove the url from the hash table and stream the file. If you wanted to allow multiple uses, you could store a countdown variable along with the url, that will decrement with every access and only delete the url from the hash table when the count is zero.

PHP Guest Access to Website

I have a PHP project is essentially an order processing website for a company. Each user in the company has access to this website and is given certain credentials to the application that control access to pages and functionality throughout.
Now I have a request to allow a guest access to a single page. The complexity of this request is that the guest will be different each time as well as the page will be different. Basically it is a portal to allow customers, who don't have accounts within the system as there is no live ordering on this site, to be able to access and verify the order and shipping information.
My thought to accomplish this is to have a database table setup as a guest relationship table that will be used to store UIDs, MD5 Hash Keys and the destination page that the record is referring to. Also included would be a visit counter and expiration date. When the user receives an email they would have a link provided in the email to somewhere like http://website.com/verify/?HASH-KEY.
When this link is clicked I expect that the verify index.php page takes in the HASH, verifies it in the database and displays the page reference in the database within this location instead of redirecting into the application. This would allow guest access to the single page without the need to expose the structure of the website or a rework of the user authorization already setup.
Am I approaching this solution in the proper manner?
How do I grab the contents of one page and display it in another?
1. Am I approaching this solution in the proper manner?
Yep, more or less.
Some pointers:
Make sure you seed hash generation randomly. For example, DON'T simply MD5 a customer ID or some other small/sequential number, as that would make it easy for a malicious use to hunt down other pages.
Expire the hashed links after a set time out.
2. How do I grab the contents of one page and display it in another?
If you want people to "access and verify the order and shipping information" you should probably create a page specifically for it, instead of trying to pass through normally secure pages to insecure guests. Ie, a 'shipping confirmation page' that populates details according the data keyed by the supplied hash.
I'm trying to a follow this as well as I can.
It seems to be you should use your hash method, and just have a stand alone page that will generate the content you want, totally separate from the rest of the system. Just put enough data in your hash URL to determine what is needed.
Something else to do is use a timestamp in your hash string URL and have that timestamp part of the random bits that you generate your hash on. This will allow you to make a URL essentially "expire" after a certain point.
Example: url.com/in/123456789865/hash-here
You can compare "123456789865" in this example to the current server time and determine if its expired. Of course you need to make "123456789865" part of your hash encryption to still validate
If I understand you correctly (and I think I do), than I think you're approaching this correctly.
To include another page's contents, you usually use include.
include "/path/to/page.php";

Pass data from a browser to android

I've been trying for days to figure out how can I pass a unique ID from a browser to the android. This is scenario that I'm try to create:
User scans QR code.
QR code directs user an url (php file on server).
The php files does an insert with some info.
User is directed to android marktet
User downloads app and installs it.
Once installed the user is supposed to be matched with the inserted information (at point 3).
My problem is that I can't seem to get anything unique from the user without prompting them to insert something (e.g an email address) first in the URL and later once the app is installed to insert the same thing again (e.g same email address) so that the data can be matched.
I've read something about creating a custom cookie that are stored on the android with a certain unique ID that refers to the inserted information in the database. I've looked into that but couldn't find anything that could get me on my way.
Next to that I thought of letting the php file save an xml or any kind of file where I can store the ID that refers to the inserted data..This too seems to be impossible.
Does any know a way how I can get around this without prompting the user to insert something unique?
Additional information: I'm using a jquery mobile website
Thanks
I can give you a suggestion
If you are trying to send user information without user intraction and which can be unique I suggest you you can use IMEI number of device. Which is unique for each device.

Hiding actual link in hyperlink

I have
echo <a href=\"javascript:;\" onClick=\"window.open('". $link ."','no','scrollbars=yes,width=550,height=400')\" >View report</a>
$link contains sensitive information, so I'm wondering if there is a simple way to prevent this link showing up explicitly when you "view source code" on the browser. Any alternative to href would be fine. I just need to give the user an option to click and see his processing result after he submits some data. I would like to avoid having auto popups as soon as the processing is submitted.
UPDATE: so the $link is a GET URL that includes a user ID and password.. It's internal right now so it's fine, but I'm thinking of putting this on our online server in the future. I'm very much a novice with PHP, so this is probably not in the near future as I don't know much about security features that need to be implemented for a live site on the Internet. Right now, it seems that utilizing a database would be the best way to go. Correct me if I'm wrong, please, and thanks for all of the support!
If the user has to navigate to the link, there is no way to actually hide the information. You should rethink how your process works so sensitive information is not displayed in the link.
Perhaps you can store the information in a database table and the link would just use the id of the row that has the information.
Simply put: No. If you send me to a URL, I will be able to see it using some sort of tool. Wireshark, Fiddler, etc. Consider using a different link structure.
If the user already owns a session, this is an option:
If you render a page and need to protect this given sample secret URL
http://www.MyHost.com/?what?secret&id=23232
save the URL in the user's session and associate a hash value with the secret URL.
Instead of sending the URL to the result HTML-page, insert another URL, e.g.
http://www.MyHost.com/?continueWith=<hashValue>
If this URL gets called, check the user's session and retrieve and delete the secret URL. Then continue to evaluate, as if the user had called the secret URL.
This way, no parameter of the original secret URL ever reaches the user's browser.
To refine the schema, attach a lifetime to the URL saved in the session. If a request comes later as the end of life, return an error.
If you protect all URL in such a way, users won't be able to call arbitrary URLs, since all acceptable URLs are those inside their sessions. Thus, a user will even not be able to change parameters of less secret URLs.
How is $link generated in the first place? If it is sensitive, this implies that the user has already been authenticated somehow. Thus, the information in $link can be stored in the session where it's safe
Save all the information in your PHP session (or preferably the session system your PHP framework uses) and then just send some kind of non-db-associated identifier in the link so that the code knows what you want to do next.
For example you could have a link to "http://www.yourdomain.com/sec/special_action/4" with "sec" meaning secure, "special_action" being the name of the action to take, and "4" being the action id reference.
So lets say you have to have it associated to their social security number. Then you would in your back end use a salted hash to encrypt the SSN and save it to the session data. You then append it to the end of your session array and get an array count. If it returns 5 then you know that the encrypted SSN is saved in index 4 (since PHP uses 0 based indexing). So you send along that index as part of the link to confuse things even more. Heck you can even salt and hash the index if you want.
The user clicks on the link, the code finds the index, grabs the encrypted content, decrypts it, then uses it. Easy and secure.

Categories