Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
I'm concerned about security. I need to allow a specific group of users to upload documents and for all other users to download them.
Where or what folder is the best place to allow this to happen? I read that outside the root of the site is best but then I've read conflicting posts.
Thanks for any help.
It all depends what you need to be able to do with them once they are uploaded.
Outside the web root is definitely best but if you then need to be able to show those files on webpages, you will need to write a handler or just save them inside the webroot.
Ideally you should never allow untrusted users to upload any file to a server and should certainly never allow untrusted users to upload files into a webroot as they could then use your server to spread malware or upload files that can be executed on the server and take control of your server or site.
You should always ensure that the minimum number of file types possible are allowed for upload so if a user is uploading an image, make sure they can only upload images
I generally save files to a folder outside the web root (note, not just outside my site root, but outside of the actual web root directory). You only asked for advice on where best to store the files, but presumably you are taking other steps to make the uploaded files secure (like, changing the name of the file, changing the permissions on the file, etc). Good luck!
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
I just program a website with in the server a directory called "/src/PDF/" where all of my PDF documents are stored.
Actually I simply make a
<iframe class="mx-auto w-100" src="./src/PDF/mypdf.pdf#toolbar=0"></iframe>
to diplay it to the user, but any user can follow the link to "./src/PDF/" and access to all of my website's PDF !
You have to know that my website use account to access to the documents, so if you are a subscriber to the website or you acquired the PDF by unit, you can see it, if not you have a page to connect, subscribe or acquir it individually.
I heared about .htaccess but I didn't find any formation to program .htaccess propely for my case.
Can a charitable soul come to my aid?
Thank you very much for your time !
You have few options:
A) You put an index.html/index.php file in the directory. This could even be just a blank file. That way they don't see a directory listing.
B) You disable directory listing in your web server configuration, for Apache you can do this in an .htaccess file. Simply put in, or create an .htaccess file in src/PDF/ with:
Options -Indexes
With either of these options however nothing will stop anyone from just guessing a name of a PDF file, or someone giving them a link to view it.
I would at the very least move the PDF files to a directly that cannot be accessed publicly (ie: before your public_html) and then use random file names and reference the actual name of the document from a database. Then send the PDF to the browser through a PHP script where only authenticated users can see it.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
We have one .net application in which there is facility to upload images in given storage location. our application is completely windows based. and what it does is it stores images on given path for example "E:\Images".
On the other hand We are using using PHP application (using smarty framework) to display all our uploaded data. In this case everything working fine except images as the storage location is not within the PHP application directory.
I know with the help of symbolic link we can access the images from another disk. It is also working. But if we change the storage location later on then there will be a problem.
I also know that using base64 way we can access images. But it is taking too much time to load If I have a 30 images for one single record.
Can you please suggest a good way how can I access the images? Or how we can improve our symbolic link way?
PHP can access any area of the disk ifallowed. You may need to configure open_basedir to allow such access.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
In which diretory should script files for cronjobs be saved? Available to the public inside var/www/html or better inside var/www/files or ...?
Re-posting comments from above, for easier reference and clarity:
Why would you want to make cronjob script files available to the public? If you're distributing them, var/www/* would be a fine place to put them. If you're intending to run them on your server, put them somewhere that isn't public facing, like your /home directory
Cron only needs its scripts to be in a directory it can access. While it can definitely access /var/www/, so can (potentially) the public; it depends on your configuration. If you're running Apache as your web-server, then accessibility of any directory under the web root (usually, and likely in this case, /var/www) is configured by .htaccess files (or in a Directory block in your main server config). By default, all sub-directories and files are accessible. If you don't care about other people seeing your cron scripts, go ahead and put it in var/www. Otherwise, put them somewhere else or change your server configuration
The best way to do that you want, is create a new directory dedicated to save the scripts, for example, /var/www/html/scripts
In that way, people is able to see the the sctipts and for crontab schedule too.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am attempting to collect files from a number of friends from around the world. Later on I will also allow everyone to download from this shared repository.
Some key facts:
Most of them have little knowledge for file transfer and even less motivation to "try". So they will stop caring to upload files if I tell them to install some ftp/webdav client and give them detailed info on how to send files.
I have a high server to my disposal where I could setup a webserver that can do multiple file upload/download.
the data size will be considerable so I can not use one of available free services (such as dropbox etc.)
I have zero knowledge regarding webpage programming.
So I would like to create an extremely lightweight page (hopefully an html page is enough), where there is some introductory text, underneath I can see the files that exist in the current directory and finally have an "upload" button so as to allow people to upload files (multiple files!).
A possible page could be similar to this http://taper.alienbase.nl/mirrors/. As you can see there exists some text and the current folder contents. There exists no upload capability however. Also If a folder is completely empty (no index.html etc) , apache decides automatically to create an 'ls table' of the current directory contect.
Is there any easy code that implements file upload? I read about plupload here but it seems somewhat more complicated (it also requires java? - I didn't find any setup info)
I want to set it up on an apache webserver, in a linux box.
If you have a tutorial in mind that may give installation and setup information about how to set it up, it would be very helpful.
I have previously used this jQuery Upload File Plugin. Its simple to implement and has the option to drag and drop multiple files for upload.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I installed an Apache server and am playing around with it a bit. What I can't figure out is how to properly set permissions for this setup:
I don't want my files to be externally accessible (i.e. ./files/file1.foo) - there are many files in this directory and I don't want people to be able to read them. So far so good. chmod o+r enables reading and vice versa, in my case.
Then I have a PHP script that handles sessions with each user, who owns one of the files and should be able to view it, but only it, not the other files. Let's say the file is a picture. I would write <?php ... echo "<img src=\"files/file5.foo\"> ?> to show this file. But that wouldn't work, because the PHP doesn't have permissions to the file either.
What is the way to handle this?
For those requirements the best solution is to store the protected files outside of the public HTML and use a PHP script to serve them. The PHP can then check if the current user should be allowed to access the requested file or not.
Have a look at this example. For inline images, don't set the file transfer headers, just output the content (you can still output a content-type header but that isn't needed).