With PHP, I am developing a script that generates a contract once the script is validated.
The contract is a pdf document generated with TCPDF and I save it to the server in a subdirectory with the user's ID. For example, 'contracts/132/1.pdf' would be bill #1 of user with ID 132.
However, I want only user 132 to be able to access that file, because it contains personal information. How can I limit the access to pdf documents in each subfolder to their respective user (using php or htaccess, whichever works best - I'm not very familiar with htaccess)?
The easiest way is probably just to have a PHP script that requires the existence of a valid session (like the generator script does), whose function is to readfile("/path/to/contract.pdf");
That way, you can have your PDF wrapper script verify that the contract being downloaded is the RIGHT contract for the person in the sesion, not just that it's a contract that is in the directory.
The problem with a .htaccess-based solution on the directory is that anyone with read access to the directory can download ANY contract.
Given a URL like http://example.com/contract.php?user=132&bill=1 you could:
<?php
$user = $_GET['user'];
$bill = $_GET['bill'];
# do input validation on $user and $bill. No really, do it.
if ($user != $_SESSION['user']) {
die("Security error; the black choppers are on their way.");
}
header("Content-type: application/pdf");
header('Content-Disposition: attachment; filename="Contract-$user-$bill.pdf"');
readfile("/path/to/pdfspool/$user/Contract-$user-$bill.pdf");
The if () chunk in the middle verifies that the $user being requested is valid for the current user. Obviously, you'll want to store $_SESSION['user'], probably when this user first logs in.
Of course, you don't NEED to keep spool files, really. If the process of generating a PDF isn't going to overwhelm your web server (and if it does you have other problems), it may just be easier to re-generate each PDF from scratch, on request. That's what I do with company invoices now, and each invoice gets a 6 point footer saying when it was generated and by a request from what IP address. :)
First of all, you'd place the PDF files outside of the site's web root and retrieve them via a script.
This can be made seamless by combining a Mod_Rewrite rule that passes requests to where the PDFs would be retrieved from to a PHP script that gets user and document IDs from the URL and performs access control, which if it succeeds, outputs the file's contents.
See the PHP Manual for details on how to perform HTTP-level authentication using PHP code.
Related
I want to build e-commerce website with php and I will use omnipay library for paying. The problem is if the file in the url www.mywebsite.com/programs/paint.exe the user can write in his browser that url and the paid program will download..... I searched how to block user from downloading file like RewriteEngine but how can I let the file download if the user paid in this case?
Maybe you can try these :
Store your program name in hashed format, so instead of www.mywebsite.com/programs/paint.exe maybe it's better in something like this www.mywebsite.com/programs/ca63ff966ff272da14e4fc2e73fcd399. You atleast have store your paid programs in a table and that table should provide its hash formatted name column.
www.mywebsite.com/programs/paint.exe this url should and only accessible by authenticated user. And if it's already authenticated users, you check this user's purchase history, if he/she ever buy this paint.exe program, if there is no record of his/her purchase, you must redirect he/she to your payment page.
In addition to using hashed filenames as Peter mentioned, you can use php to serve the file after authentication.
Create an htaccess rewrite to send any requests for the file directly to a php script. In the php script, perform some authentication (I.E. have the user login, or have them use a secured link which sets session variables, etc.). Then, if the user authenticated successfully, use php to return the file using http headers.
header('Content-Type: application/x-msdownload'); // Set this to a .exe
header('Content-Disposition: attachment; filename="paint.exe"'); // Set the filename to download.
$downloadFile = file_get_contents('programs/hashedpaintexename.exe');
echo $downloadFile;
NOTE: You will want to make sure that should you use hashed filenames you'll want your htaccess handle these hashed files as well.
Another option, if you've got the control over the server to do so, is you can have PHP load the file from outside of the website's directory instead of using a htaccess rewrite. For example, if your website directory is /var/www/mywebsite, have php load the executable from /whatever/path/you/want provided php has read-access to the directory.
My question seems to be similar to others here in SO, I have try a few but it doesn't seem to work in my case...
I have develop a site in which you have to fill up a form and then it returns a PDF file that you can download or print, this file is saved so you can retrieve it later
public_html
|_index.php
|_<files>
| |_file_001.pdf
| |_file_002.pdf
|_<asstes> ....etc
that is how my files and folders look on the server, anyone can easily guess other files, .com/folder/file_00X.pdf, where X can be change for any other number and get access to the file... the user after finish with the form the script returns a url .com/file/file_001.pdf so he/she can click on it to download...
a year ago I did something similar an script to generate PDF's but in that case the user needed the email and a code that was sent via email in order to generate the PDF and the PDF's are generated on demand not saved like in this case...
Is there a way to protect this files as they are right now?
or, do I have to make it a little bit more hard to guess?
something like.
.com/files/HASH(MD5)(MICROTIME)/file_(MICROTIME)_001.pdf
and save the file and folder name in the DB for easy access via admin panel, the user will have to get the full URL via email...
Any ideas would be greatly appreciated.
For full security i would move the PDFs out of the public folder and have ascript in charge of delivering the content. If the form is filled correctly, you can generate a temporary hash and store that hash and the pdf path in the database. That way the user will have access to the file as a link through the retriever script, but you will control for how long he will have that link available.
Imagine the temporary link being http://yourdomain/get_pdf/THIS_IS_THE_HASH
Move the PDF's to some non-public folder (that your web server has access to but the public does not). Or you can use .htaccess to restrict access to the pdf's in their current location.
Write a php script that returns the correct pdf based on some passed in http variable.
You can secure/restrict this any way that you want to.
For example, one answer suggested using a temporary hash.
Other options for restricting access:
Store in the user's session that they submit the form and have a download pending, that way no one could direct link.
Check the referrer header. If it is a direct request then do not serve the file.
Here is a code example using the last option:
$hash_or_other_identifier = $_REQUEST["SomeVariable"];
if (!$_SERVER["HTTP_REFERER"])
{
//dont serve the file
} else {
//lookup the file path using the $hash_or_other_identifier
$pdfFile = somelogic($hash_or_other_identifier);
//serve the correct pdf
die(file_get_contents($pdfFile));
}
I don't even think that keeping the file name secret is a very big deal if all you are worried about is people typing it into the URL bar because you can simply check if it is a direct link or not. If you are also worried about bots or clever people who will create a link that points to your file so it looks like a referrer, then you will need to add stricter checks. For example, you can verify that the referrer is your own site. Of course headers can be spoofed so it all just depends how bulletproof it needs to be.
The url would be something like: http://yourdomain/pdf?SomeVariable=12345
However, you don't have to use an http variable. You can also use a url fragment with the same result, eg: http://yourdomain/pdf/12345
General guidelines:
File is not in the directory that's accessible via HTTP
Use a database or any other storage to link up file location with an identifier (an auto incremented number, guid, hash, whatever you deem fit). The location of the file could be in the server's file system or on a shared network location etc.
Instead of hashes, it's also practical to encrypt the ID generated by the database, base64 encode it and provide it back - that makes it nearly impossible to guess the valid string that one needs to send back in order to refer to a file
Use a PHP script that delivers the file if user authentication passes (in case you need authenticated users to be able to retrieve the file)
I am deploying a website from where user can purchase the pdfs. now i am searching for the way for storing the pdfs so that it only can be downloaded when payment is done.
I have came across one way in which i can store the pdfs in to the Mysql database and generate the path to it when required credentials fulfill.
Is there any other way to do this and link to the pdf file should be dynamic and encrypted so that other links to the other books can't be predicted.
and the server side language I am using is PHP
You need to store the files somewhere outside your website root like mentioned by Dagon. When file is uploaded use move_uploaded_file to move it. You can name the file anything you want (within OS limits) and keep the real name in the database.
Then when the user has payed for the books, add the books the user has payed for to a table in a db.
Give the user a list of all the books he has payed for like: /download/filename.pdf
Add a mod_rewrite if you use Apache (or equivalent for other web servers) where /download/.* is redirected to download.php or a controller.
On the download page, check if user is logged in and has access to the file. If not, redirect to purchase page for that book.
If download is ok set header for the http status you need: Content-Length, Content-Type, Date, Status (200), maybe Content-Encoding.
Use readfile to output the file to the end user.
I would :
Deny any access to the files -- i.e. use a .htaccess file (That way, no-one has access to the file)
Develop a PHP script that would :
receive a file identifier (a file name, for instance ; or some identifier that can correspond to the file)
authenticate the users (with some login/password fields), against the data stored in the database if the user is valid, and has access to the file (This is if different users don't have access to the same set of files), read the content of the file from your PHP script, and send it the the user.
The advantage is that your PHP script has access to the DB -- which means it can allow users to log-in, log-out, it can use sessions, ...
Here is another answer from a stack user that fits this problem: Creating a Secure File Hosting Server for PDFs
is there any other way to do this and link to the pdf file should be dynamic and encrypted so that other links to the other books can't be predicted.
The best way, is after payment generate a key to the file.
create a page like this www.site.com/download.php?key=key (and here you don't need to have id of the book, because by the key you can check on the database what is the book the customer purchased.
inside the download.php read the key, query the database to find which file is linked with the key
read the file, and send it to the customer. This is, if the key is valid, you will send the php headers as content type as being pdf, and (the php code) read the file in binary and send it in the message body.
I hope this code helps
<?php
// We'll be outputting a PDF
header('Content-type: application/pdf');
// It will be called downloaded.pdf
header('Content-Disposition: attachment; filename="downloaded.pdf"');
// The PDF source is in original.pdf
readfile('original.pdf');
?>
This question already has answers here:
PHP: How to access download folder outside root directory? [duplicate]
(2 answers)
Closed 9 years ago.
How to protect digital products(video, audio, ebook, etc.) from unauthorized downloading? I'm using Apache server and PHP/MySQL. Please help!
Thanks!
Paul G.
Edited: Sorry for the incomplete question. What I want is to avoid other members from sharing direct download links to the files they have access to non-members. I heard something that it can be done by storing digital products outside the root folder, but I have no idea how to exactly implement it with PHP.
I'm going to assume that you're trying to protect files that should only be available to "logged-in" users... if you're just trying to stop people from downloading files that are embedded in your site there is really nothing you can do.
So, operating on the premise that you're trying to allow file-access/download only to approved users, your best bet is to only serve protected content through a php controller file (let's call it serve_file.php). You store the actual files outside the public root directory (or some other inaccessible folder) or you store the files as BLOB data in a MySQL table.
Then, when a user wants to download a file will be provided with a link to serve_file.php with some _GET data which identifies the file they're trying to get:
http://mysite.com/serve_file.php?file_id=24, for instance.
The serve_file.php script takes the _GET data, figures out which file it's indicating, and then checks a permissions table (or just checks to see if the user is logged in) and decides whether the user is eligible to receive the file. If they are, it gets the file data (either from MySQL or with file_get_content()), spits out appropriate headers (depending on what type of file you're serving up) and then print/echos the content:
//check that the user is logged in (I'm assuming you have a function of this name)
if (!user_logged_in()){
die('You do not have permission! Please log in');
}
/*see what file the user is trying to get...
this is a very simple sample that can only get PDFs.
You should probably have a table with file details*/
$file_location = $_SERVER['DOCUMENT_ROOT'].'/../protected_files/file_'.intval($_GET['file_id']).'.pdf'
if (!is_file($file_location)){
die('Could not get that file!');
}
$content = file_get_contents($file_location);
header("Content-Type: application/pdf");
header("Content-Length: ".strlen($content));
//add some more headers here, to deal with caching, etc
echo $content;
die();
The headers you've set tell the user's browser how it should interpret the data you're sending (for instance, as an Content-Type: application/pdf) and you've successfully allowed only authorized users from accessing the document because they always have to go through your PHP authentication script.
I want my files to be secure in my web server. Only authenticated users to access those files should be able to access those files. I thought of storing files in database as "Long BLOB" but it supports only upto 2MB of data. The file size may exceed beyond 50MB. is there any other better way to secure the files? please help me.thanks in advance.
Don't store them in a database. Put them in your web directory and secure them using .htaccess.
If you want to authenticate via other means, then store the files in a directory that isn't web-accessible but is readable by the user php runs as.
Discussion
If you opt to keep high value downloadable content files directly on the filesystem, the best thing to do is to keep them outside of the webroot.
Then, your application will have to solve the problem of creating URLs (url encoding when necessary) for content (PDF's, Word Docs, Songs, etc..).
Generally, this can be achieved by using a query to retrieve the file path, then using the file path to send content to the user (with header() etc ..) when he or she clicks on an anchor (all of this without the user ever seeing the true, server side file path).
If you do not want user A sharing URLs for high value downloadable content to user B, then your application must somehow make the links exclusively tied to user A. What can be done? Where should I start?
Obviously, you want to make sure user A is logged in during a session before he or she can download a file. What is not so obvious is how to prevent a logged in user B from using a URL sent from user A (to user B) to download A's digital content.
Using $_SESSION to store the logged in user's ID (numerical, or string) and making that part of the eventual query (assuming content is tied to user purchases or something) will prevent a logged in user B from downloading things they have not purchased, but you will still incur the resource hit for processing the SQL empty set for items they have not purchased. This sounds like a good step two.
What about step one? Is there something that can prevent the need to do a query to begin with?
Well, let us see. In HTML forms, one might use a XSRF token in a hidden field to verify that a submitted form actually originated from the web server that receives the POST/GET request. One token is used for the entire form.
Given a page of user specific things to download (anchors), one could embed a single token (the same token, but different per page request) into each anchor's href attribute in the form of a query string parameter and store a copy of this token in $_SESSION.
Now, when a logged in user B attempts to use a logged in user A's shared URL, the whole thing fails because user A and user B have different sessions (or, no session at all), and thus different tokens. In other words, "My link is the same as yours, but different." Anchors would be tied to the session, not just to the page, user, or content.
With that system in place, PHP can determine if a request for content is valid without getting the database involved (by comparing the submitted token to the one in $_SESSION). What is more, a time limit can be established in $_SESSION to limit the duration/lifetime of a valid XSRF token. Just use the time() function and basic math. Sixty minutes might be an ideal token lifetime for an anchor in this situation. Have the user login again if the token for a clicked anchor has expired.
Summary
If you use files on a filesystem and store the paths in the database, make sure you do the following (at minimum), too.
Apply proper file permissions to your content directory (outside of webroot).
Use random names for uploaded files.
Check for duplicate file names before saving a file from an upload.
Only logged in users should be able to download high value content.
Have an effective $_SESSION system that deters session fixation.
Make URLs for high value downloadable content unique per page by using hashed XSRF tokens.
XSRF tokens cover more scenarios when they have a terminal life time.
Make SQL queries for user content based on the logged in user's ID, not the product exclusively.
Filter and validate all user input.
Use prepared statements with SQL queries.
A few options come to mind.
If you are using Apache you can use htaccess to password protect directories. (first googled link : http://www.javascriptkit.com/howto/htaccess3.shtml)
or
Store the files above the web server.
Create a script in php that will allow authorised users to access them.
If you want to do it Via FTP, and you are running cpanel you may be able to create new ftp accounts. check yourdomain.com/cpanel to determine if you have it installed.
Storing files in DB is very bad practice. Very good practice to store only information about file. Name, extension. Files save on server like $id.$ext. It will be a good architecture. And when user download file, he take file with name in DB.Sorry for my english.
The best way is to store the file reference in Database. The file itself will be stored in the server filesystem. The complexity of this is making sure there is reference integrity between the database file reference and the existing file in the server filesystem. Some database such as sql server 2008 have feature that maintain the integrity of the file references to the actual file itself.
Other than that securing the file itself in the server depends on the OS where permissions can be configured to the specific folder where the file reside.
If the files are purely static you could use read-only or WORM media to store the data files or indeed run the complete web server from a "LiveCD". It's certainly not suited to everyone's needs but for limited cases where the integrity of the data is paramount it works.
Downloadable files can be stored in htaccess protected folder/s. A script like the one below can be used to generate dynamic links for downloadable files.
for ex. Secure download links. http://codecanyon.net/item/secure-download-links/309295