I have an app from which I upload files to the server. The files uploaded in the same folder where the php script is placed. THe files can be viewed easily if any one finds out the URL, thus it is very easy to hack and destroy the data.
I have to provide the download address to users for downloading the data they uploaded but if I provide the exact URL, their is fair chance of loss of data.
I want to know is there a way to encrypt the URL or any other way of securing the folder where my data is uploaded.
my URL is like www.hostname.com/myfolder/file.txt. Due to such plain URL, I can't benefit much from URL encoding in Java.
I am a Java programmer, I have experience in php.
Regards
A few remarks:
Use sessions and make the users authenticate themselves.
Put the files in an upload/ folder, which is outside of the web root.
When files are requested, check in the upload/ folder if they exist and serve them from there.
If a file already exists, deny upload.
Run everything from a secure (HTTPS) host.
Related
Example:
if we hit the link of any document then we can easily download it. for example backup.sql inside the backup folder of the website then we can download it by hitting URL www.example.com/backup/backup.sql
I don't know which type of document the client will store there but obviously, it can be confidential that is why it is not shareable to all.
working:
now I am creating a certain document management tool where we can upload a document and download the document and can assign to users who can download that document but while creating I got the idea that anyone can brute force that folder just hitting URL with random names. backup.sql, database.sql and so on. I am using URL myself to make the document downloadable should I go with get_file_content()?.
I want to know if there is a way to download the file in a secure way example only the user that is logged in into my website can only download the file.
something like via htaccess or something else I can block the files directory from outside access. only the logged-in user can download the file and it will be blocked by outside access so that nobody can brute force it. I know I can block it via htaccess but I want them to download too but only for the users of my website.
maybe you should use "x-accel-redirect" for Nginx, and "X-Sendfile" for Apache.
I'm working on a website that is generated from a server. I have a php file where I include files that are stored on my computer and are necessary for the code to work. The files that I need are related to google calendar API like my credentials and a link to the API folder just like in the quickstart.php example of google (https://developers.google.com/google-apps/calendar/quickstart/php).
I think that storing these files on the server is not such a good idea. Is there a way for me to link local files from the server in an include or require? Or do I have to put everything on the server? And in that case how do I know the filepath to my files?
I am not in control of the server I just have acces to a small part of it. It is the school server and I'm working on one directory or so from that server so I can't do anything from root or so.
Thanks in advance and if my question is unclear please notify me so I can rephrase it.
If you want to protect the code from exposure, try PHP ionCube Encoder. So someone who has access to the server can't read the code, but still it will run correctly.
You CAN include remote files via HTTP if you can configure the server to set the following in the php.ini.
allow_url_include = On
This is NOT the normal setting as it could leave you more vulnerable to attacks. So this method is not a recommended one, but it is possible.
You should consider setting up an additional account on Google and then using that to work with. You can share the relevant calandars from your personal account with that account and thus protect yourself better.
Create a folder on your server outside of the public html folder. Go one directory above your website route directory and create your folder there. People will not be able to navigate to that new folder as it is outside of your website route. Store your sensitive files in the new folder. Then just require them in your normal files as needed. This protects your sensitive files in the event your PHP handler failed (rare but can happen) as the content of your sensitive files would not be displayed to people as plain text on your website. Remember to set appropriate folder and file ownership and permissions also on your server.
I have a folder full of images on my server where my mobile app accesses them.
www.mysite.com/images/image001.jpg
Whoever has this link now can access the files. Also can comprehend that the images are in a certain order and thus guess the pattern etc...
The image links are gotten via the php inside the app that use token to verify the user is legit and indeed the request is coming from a mobile that has downloaded the app.
What I want to do is to secure the folder from external access and prevent people from accessing the folder and seeing everything from a browser and limit its access only via the php file.
I have used the trick of .htaccess with deny from all so that it show the forbidden message whenever someone visits from the web, however, all my JSON requests also do not work now.
What can I do to accomplish this?
You will have to serve the images with a PHP script that also checks that access is permitted.
Once you've done this you can simply store the images outside the web root, which makes them inaccessible from the web, except through the PHP file that serves them.
best option is to make the pic links randomized and un-guessable
so a pic link would look like this:
www.mysite.com/images/8Md9FhD1hANdIBUz4WVCzKR227fykTByq6SKHas5FyYJDr2EjAlIn1bS0f5gPJih.jpg
youtube use this method for "private" videos
users / bots cant be accesses randomly, and you cant guess the next pic.
when the user is authenticated display the link. the worst thing that can happen is that this user can share that link, (he can download and share not matter what you do)
when you save the picture on your server just randomize the name.
I am planning to do a web-app that will control the download to users. To prevent users from directly accessing the file, what I can do a htaccess to prevent downloading the files. But my question now is how to access it.
What I am thinking is access the file via server path and place the file in the server temp then generate a link to download it. The question is, how to do this? Also, if there are other easier methods on doing this.
I am using CI btw.
Thanks.
Place the files outside the webroot, so they're not accessible via the web server.
Create a PHP script that a user can access that will read the file from disk and output it to the user, see readfile.
Implement any kind of authentication/authorization mechanism in that file that you want.
.htaccess files are not my strong point.
I have document uploads going to /uploads. The user should be able to view the documents they've just uploaded by clicking on the document link that appears via ajax after uploading is completed.
However, I would like to be able to password protect the /uploads folder BUT still enable the current user to view the clicked document without having a password request appear.
Is this possible to do in .htaccess?
Thanks for any suggestions.
Unless you are using HTTP auth to authenticate your user before the upload, this probably cannot be simply done with just .htaccess. You need to know file's owner and compare it with current user, which is way beyond the scope of usual web server's capabilities.
If you may use Nginx or Lighttpd, you may use X-Accel-Redirect/X-Sendfile header. There's also a module for Apache2 called mod_xsendfile. Make all request to /uploads transparently pass through your application, verify access then tell web server to send file. While this requires the ability to configure the web server (which is sometimes not possible) this is probably the most correct and universal solution.
Here are some useful links:
PHP and Ruby on Rails examples (and some general information on configuration)
Python/Django code snippet
You could use cookie based authentication (mod_auth_cookie) to grant access via htaccess for a particular location.
I am not sure if setting the cookie path to the specific file will work, but its worth a try.
You are better off doing this in the app layer though.
EDIT: This may be a better solution
I don't think this is possible in .htaccess - since .htaccess has no way of knowing which user uploaded which files. Even if it did (e.g. by putting files in uploads/username/), I don't think .htaccess files are the way to go. I think you'll probably want to enforce this at the application level.