I have a folder full of images on my server where my mobile app accesses them.
www.mysite.com/images/image001.jpg
Whoever has this link now can access the files. Also can comprehend that the images are in a certain order and thus guess the pattern etc...
The image links are gotten via the php inside the app that use token to verify the user is legit and indeed the request is coming from a mobile that has downloaded the app.
What I want to do is to secure the folder from external access and prevent people from accessing the folder and seeing everything from a browser and limit its access only via the php file.
I have used the trick of .htaccess with deny from all so that it show the forbidden message whenever someone visits from the web, however, all my JSON requests also do not work now.
What can I do to accomplish this?
You will have to serve the images with a PHP script that also checks that access is permitted.
Once you've done this you can simply store the images outside the web root, which makes them inaccessible from the web, except through the PHP file that serves them.
best option is to make the pic links randomized and un-guessable
so a pic link would look like this:
www.mysite.com/images/8Md9FhD1hANdIBUz4WVCzKR227fykTByq6SKHas5FyYJDr2EjAlIn1bS0f5gPJih.jpg
youtube use this method for "private" videos
users / bots cant be accesses randomly, and you cant guess the next pic.
when the user is authenticated display the link. the worst thing that can happen is that this user can share that link, (he can download and share not matter what you do)
when you save the picture on your server just randomize the name.
Related
There are different user for my website, and for each user there are separate PDF files, I want to give users privilege to download their files(but should not see the files of others users). Now I have created a login and I have the user-id in SESSION (I am using PHP for backend). So what is the secure way of accomplishing this task? Also how should I manage many of these PDFs on my server? (currently I have kept all the PDFs in one folder, but this seems insecure and I think these can easily be extracted by the un-authenticated user)
At a high level:
Store your PDFs outside of your webserver document root. Make them completely inaccessible to direct browser access.
Write a PHP script to handle download requests. This PHP page can check the session user ID to ensure the user is requesting a file that they are allowed to access.
Use header() calls and readfile() to then send the appropriate PDF file to the user.
Feel free to come back and post a question when you've researched and worked on this, and have a specific question with code.
I'm in the process of building a site that will help to organize my business. But I'm at a roadblock. Our site is coded in PHP and MySQL and as it currently stands, our contractors can upload images to our site, our site relabels the pictures and associates them with a work order (for ability to search later, if needed), then stores the images in our database.
However, what I want to do is have the images uploaded to their respective work order on our supplier's site. I have contacted our supplier and they will not allow us to access their server directly through the POST commands. So I'm curious if there is a way to still have our images uploaded from our site to our supplier's site. Their site is password protected. On their site, I find the work order associated to the work order and manually upload the images, but I'd like to find a way to do this automatically. The work order numbers between their site and ours are the same. Any ideas?
New Info
The comment I left below just states that I have to actually manually click the upload button, choose which photos to upload, then click "upload" to have the images uploaded. FTP is not allowed either.
If by "manually" you mean all by www after logging in, you can use CURL to simulate login session to their website (access login page to obtain session cookie, then post login data with that session cookie, and then with authorized session cookie you can GET/POST whatever you want from their website as authorized user). Use Firebug to track what requests are made and what data are passed from/to their website.
Since using CURL can be painfull (it's syntax is far from user friendly) you can try grab and extract Zend_Http from Zend Framework so you will have very easy syntax and it even work without CURL if you haven't it on your servers.
if they will grant you ftp access you can programatically transfer the images to them that way
or if they have some sort of api exposing methods to upload images
By "manually upload", you mean via FTP? You can do it with PHP. Here is the documentation.
For security reasons, I suggest you create an FTP user on your client's server which only has access to the images directory, and connect trough that account.
Is there any way to protect your files(php files/images files) from tracking ?? (TeleportPRO, HTTrack, etc)
-Thanks for your time!
HTTrack crawls through your website then downloads and follows all the links it finds. So anything that a user using a browser will see is what this program will see.
PHP is server side so all the client gets is the html your produce so you do not have to worry about anyone getting your source code with a program like HTTrack. The only way to get your source would be for a attacker to get direct access to the files with ftp/on the system itself...
And as your users will be able to see your images the program will download the images but how would this affect you? If you are selling the images, you could access them through a .php file that checks if the currently logged-in user has purchased the image and then and only then show it. But for images that are part of your layout/template, it is quite normal for everyone browser etc. to download it. Those programs just download them for local viewing.
I know it's practically impossible to not allow a user to download an mp3 file with all the various methods out there. But I'm stuck in a situation where i need to make things slightly more private/secure for my customers.
Here's my problem, I'm currently using this flash mp3 player http://www.flabell.com/flash/Flash-Mp3-Player-29 to stream/play the songs. The player uses xml for settings & playlist. I'm also using WordPress & the S2Member plugin.
I'm trying to allow the player to play songs but yet do not allow users to download/opening the direct links to the files. (eg: songs are located at domain.com/player/songs/*.mp3, script is in a level up). Is there a htaccess method to deny direct access but yet allow (local) scripts to call the file?
Also, I mentioned about S2Member plugin for WordPress.
The WordPress plugin has a built in restriction to as where logged in users can download files that are hidden from open access. So in order to download a song, u'll have to use domain.com/s2script_download?file=mysong.mp3.
The folder that hosts the files has a .htaccess with a "Deny All" in it. Is it possible to reuse this folder to play/stream songs with the flash player mentioned above?
To the best of my knowledge this isn't possible. Yes, it's possible to deny access to the outside world, while allowing access to local scripts. But Flash isn't a local script. All things being equal, a Flash app requesting a file is no different than a browser requesting a file. You can't block one without blocking the other.
The only solution that even comes to my mind is having the Flash app request the file with a special query string, i.e. /somesong.mp3?fromflash. Off course that won't stop most people from getting the song, but it could stop some people.
I am creating a PHP script for my website that would allow my clients to login to their client account and view a list of files I've uploaded for them. Then they can download them without having to relogin or re enter a password.
I want to keep it secure so anyone cant come in and download the files if they know the clients name.
I've tried .htacccess, protecting the folders, etc.. but it doesnt seem to work. I've written the client login script thatl ets them login and view a list of files in their directory but I can't have them right click to download it without having them login.
Something similar can be seen here:
http://forums.cgsociety.org/showthread.php?f=76&t=808482
In the 2nd post, if you try to click delete.jpg it won't let you download it without logging in. I want this similar feature for my site.
The site is created in PHP, with a MySQL database.
The folder itself should have security permissions set that regular users do not have access to it, only whatever user runs the PHP process.
Your PHP scripts act as a passthrough for the actual file system. The users don't have permissions to see a list of files, but your scripts do. The users don't have permissions to access a file, but your scripts do so you can open them as binary files and write the data out to be sent to the user.
Do some research into PHP File Downloaders, this is fairly standard behaviour.
You could use cookies to signify that the user has been there before, and been authenticated. Make the value of the cookie be fairly random, so it can't be guessed. I would encrypt the username . timestamp and store that with the username, so username_token and that way you can time people out and force them to login, if you want, later.
Then, move the files out of the webapp directory, and have a cgi program that will show the files in the directory, and allow them to download them.
This way you can control what people see, and what actions are allowed.