Want to protect file from copy,download - php

I have following requirement.
Admin can upload any files like jpg,pdf,PPT,DOC file on server.
End User or viewer only access the files in display/view mode. User shouldn't to be allowed to copy/paste/download/print/modify files.
Please suggest me some way in doing this in PHP or any kind of Editor which gives me such kind of services so that I can embed my application to it.
-Pravin

If the user can VIEW the file then how can you make the difference between VIEW and DOWNLOAD ?
Answer: you can't.
To view a file, the browser should download it and store into it's local cache. You do not have any way to prevent this.
What you can do is to restrict the access to the directory (or the resources) with a htacess security asking username/password.

Related

How can I stop brute-force attack to keep documents secure inside folder?

Example:
if we hit the link of any document then we can easily download it. for example backup.sql inside the backup folder of the website then we can download it by hitting URL www.example.com/backup/backup.sql
I don't know which type of document the client will store there but obviously, it can be confidential that is why it is not shareable to all.
working:
now I am creating a certain document management tool where we can upload a document and download the document and can assign to users who can download that document but while creating I got the idea that anyone can brute force that folder just hitting URL with random names. backup.sql, database.sql and so on. I am using URL myself to make the document downloadable should I go with get_file_content()?.
I want to know if there is a way to download the file in a secure way example only the user that is logged in into my website can only download the file.
something like via htaccess or something else I can block the files directory from outside access. only the logged-in user can download the file and it will be blocked by outside access so that nobody can brute force it. I know I can block it via htaccess but I want them to download too but only for the users of my website.
maybe you should use "x-accel-redirect" for Nginx, and "X-Sendfile" for Apache.

Laravel: Prevent direct access of files from public folder

I am stuck on this part of my laravel application, Where I am asked to protect the files from directly accessed via url browser hit.
I have a public folder in which in a doc folder is present where all the documents are going to be uploaded. I just need a solution to prevent this where i can access docs directly from my application but any third party visitor can not view my docs (images,pdfs etc..).
I have tried many solutions but its not at all working.
I just want to things :-
1. Protect my docs through direct access.
2. Way of implementing it in laravel (via .htaccess)
I know this can be possible through htaccess, but how?
Kindly help Please :)
Add in your upload folder .htaccess file with content:
Deny from all
There are three approaches I can think of just now;
You intercept all image and video requests with Laravel, then using the router, serve up the content that the user was after, provided they are authorised. THIS WILL BE SLOW!.
You rely on obscurity and put all that clients images, videos etc in a folder that has a long-unguessable random url. You can then link to the content in your code using the 'static' folder name. The customer's content will always be in that folder and accessible if they log in or not. The advantage of this compared to 1 is that your framework does not have to boot for every image or video.
Have all the content hidden away - possibly in the storage folder. When the user logs in, create a temporary symbolic link between their public folder and their folder in storage. Keep a note of the link in the session. Use the link in all gallery etc rather than the static code used in (2) above. Once they log out the code will no longer be valid, and you can delete the symbolic link on logout or have a job to tidy it up periodically.

php, include a local file in a phpfile stored on the server

I'm working on a website that is generated from a server. I have a php file where I include files that are stored on my computer and are necessary for the code to work. The files that I need are related to google calendar API like my credentials and a link to the API folder just like in the quickstart.php example of google (https://developers.google.com/google-apps/calendar/quickstart/php).
I think that storing these files on the server is not such a good idea. Is there a way for me to link local files from the server in an include or require? Or do I have to put everything on the server? And in that case how do I know the filepath to my files?
I am not in control of the server I just have acces to a small part of it. It is the school server and I'm working on one directory or so from that server so I can't do anything from root or so.
Thanks in advance and if my question is unclear please notify me so I can rephrase it.
If you want to protect the code from exposure, try PHP ionCube Encoder. So someone who has access to the server can't read the code, but still it will run correctly.
You CAN include remote files via HTTP if you can configure the server to set the following in the php.ini.
allow_url_include = On
This is NOT the normal setting as it could leave you more vulnerable to attacks. So this method is not a recommended one, but it is possible.
You should consider setting up an additional account on Google and then using that to work with. You can share the relevant calandars from your personal account with that account and thus protect yourself better.
Create a folder on your server outside of the public html folder. Go one directory above your website route directory and create your folder there. People will not be able to navigate to that new folder as it is outside of your website route. Store your sensitive files in the new folder. Then just require them in your normal files as needed. This protects your sensitive files in the event your PHP handler failed (rare but can happen) as the content of your sensitive files would not be displayed to people as plain text on your website. Remember to set appropriate folder and file ownership and permissions also on your server.

Monitoring and Securing download link

I am planning to do a web-app that will control the download to users. To prevent users from directly accessing the file, what I can do a htaccess to prevent downloading the files. But my question now is how to access it.
What I am thinking is access the file via server path and place the file in the server temp then generate a link to download it. The question is, how to do this? Also, if there are other easier methods on doing this.
I am using CI btw.
Thanks.
Place the files outside the webroot, so they're not accessible via the web server.
Create a PHP script that a user can access that will read the file from disk and output it to the user, see readfile.
Implement any kind of authentication/authorization mechanism in that file that you want.

Is there a way to limit access to a directory (like .htpassword) but using PHP logins?

I have a web folder that I would like to restrict access to via password protection. I would like to have multiple user accounts so .htpassword may not be the answer here. The folder contains web pages and .exe files for download and I would like to ensure someone cannot access an exe file just by knowing the URL.
Is there any way to use PHP to limit access to all contents in a folder or would it be best to just use a PHP page to launch file downloads and never expose the exe's URL?
Thanks
There is no way to protect a directory with php. You could always create seperate htaccess files in subdirectories and do a require a user but you'd probably be better off just using a php login, in addition a login form and logout looks much more professional.
you can't authenticate straight using php, but you can use a database, here is a example of htaccess check in databases, and that database can be updated by PHP, so you've got esentially the same thing

Categories