Here's how I connect to my database:
create a "access.php" file that has the username and password of the database inside it.
create a "main.php" file in which I include access.php and then create MySQL connection and the rest.
How secure is this way of coding?
I'm just a bit scared that if someone could somehow donwload the access.php and get to know my user and pass.
Any suggestions?
Since your php file is under a web server, it cannot be downloaded as pure file, but will be served always compiled, so the source code cannot be visible to users.
To view your username and password stored in the file, a user should have access to the server's file system. So you can feel comfortable.
I have a .php file called "Connect" which is the database connection file.
Then I have a file I call "config.php" which contain the username, pass etc.
Then once the database connection has been initiated or whatever it is called (sorry I am not English), then you would "unset" the variables which contain the login info, eg: unset($config['mysql_pass']);
However you shouldn't be scared of people being able to download your access.php file, as it is executed server-side, and the content are not visible to any front-end users.
You could also put your access.php file in a folder just before your public_html folder, this way, it cannot be accessed for outside the server.
Hope it helps :)
Possible duplicate question. Check out this older post:
How to secure database passwords in PHP?
One additional "trick" is to use somewhat ambiguous names for config files.... don't use something like db_config.php.
I don't think people can't just download the access.php file. When people type the location of the file in browser, php interpreter executes the file, does not just send the file to the user.
However if you install some other malicious script it may read the file & do harmful things, like downloading the file
Related
I want to block direct access to different php files (by writing let's say http://testpage.com/login_verif.php), for example the login verification one (that authentificates users).
Is it possible for an user to access the config.php file that connects him to the mysql database (and has the password written in it)?
Also, how can you configure your uploads folder, so that an user can only see the image for which he has the URL?
Exit the file if there is no data POSTed to the file, and/or place the file in a more controlled area.
You should not have a config.php file - they are very much not safe, but instead environment variables.
You may look into rewriting to disallow direct access, but allow referencing on the domain.
I'd like to protect some files with a session Authentication. Some files can be viewed by users, some not.
I've impelemented a solution with mod_rewrite and readfile(). My problem is that this function will use a lot of ram and the server goes down when more users download files.
I tried this:
1) Pass a file trough the php handler and use the prepend function. It doesn't work because when the prepend php file finished the handler process the file, and in my case the handler was blocked because of invalid ASCII chars. I couldn't manage to stop the handler from processing but output the file.
2) Put the session, ip and the folder name in a temporary file what I tried to check in my nginx.conf to exclude from rewriting. I failed because I was not able to extract only the folder name in nginx into a variable.
How can I solve this problem? Has anyone a suggestion?
Thanks
If I understand the question correctly, you are trying to create a system that only allows authorised users to view certain files, and other users to view other files.
If my understanding is correct, then I would personally store the files above the root or in a secure location, and then have an access script (such as fetch_file.php) with a unique identifier in the URL (e.g. fetch_file.php?uid=1234).
If the user is authorised to access the file with the unique id of 1234; provide the file from the location details within the database, otherwise deny the request.
This way, the user can not access the file without the correct permissions, as it is stored securely above the root which should not be accessible from the internets.
I am trying to create a secure file transfers between a client and a user by which I have the client Upload files, and click on which ones they wish to share with the user.
My problem comes when the client passes a url to a user (This url is stored in the database)
ie: http://www.example.com/files/my-new-file.pdf
So then the user clicks on the URL and now becomes unsecure, because anyone technically could download this file. How do I make it so this file is ONLY able to be downloaded by the specified users.
I hope this makes some sense in what i'm trying to do and am trying to make sure these files are secure. Any thoughts would be appreciated.
You should use a PHP page to control access to the resources, rather than having the /files/ directory serve the content directly via the web server.
For example, a simple PHP page can read a file from the filesystem and serve this up so that it is downloaded to the browser.
http://www.higherpass.com/php/Tutorials/File-Download-Security/
You would want to ensure:
Only valid files can be downloaded
The request is from a valid authenticated user who is allowed to access the requested file
The simple example in that URL is vulnerable to directory traversal in the file parameter. You should validate any filename that is passed to your PHP script to protect against "../.." type attacks. This can actually get quite complex.
What may work for you is to have a token system where files are referenced by a unique, complex, random token. The database stores the actual file location on the filesystem, and when a request is recevied such as /download.php?token=blah... you lookup a) the location of the file referenced by token "blah", and b) that the session of the calling user is permitted to access the file. If all is well, serve the file to the user, otherwise raise an error and log the illegitimate access.
Protect image path - PHP
Hope this help you.
I believe adding security preferences to the registered users will make the things work.
You need to have user logged in to upload the file.
Otherwise, whenever somebody uploads a file, ask his/her email address and send a string key (randomly generated by your server and mapped to the uploaded file) which may be used by the user who wants to download as password.
Share that key with the users who uploader wants to share...
I have a directory of files that logged-in users can upload to and access. Some of the files are public, and others are private - for internal access only. The filenames and access settings are saved in a database.
Can anybody give me some resources or show me an example of how i can use session data (and .htaccess?) to allow access of private files only to authorized users?
I'm thinking it might be easier to keep public documents in a seperate, unprotected directory, though i'd kind of like to keep everything together.
I'm not concerned about top-level security or encryption, as the files aren't terribly sensitive, but i want to keep them from being indexed on search engines, etc.
thanks!
I suppose I wouldn't use a .htaccess (or any kind of HTTP-authentication) for that : .htaccess / .htpasswd are great when you want to allow/deny access to a whole directory, and not to specific files.
Instead, I would :
Deny any access to the files -- i.e. use a .htaccess file, containing Deny from All
That way, no-one has access to the file
Which means everyone will have to use another way to get to the files, than a direct URL.
Develop a PHP script that would :
receive a file identifier (a file name, for instance ; or some identifier that can correspond to the file)
authenticate the users (with some login/password fields), against the data stored in the database
if the user is valid, and has access to the file (This is if different users don't have access to the same set of files), read the content of the file from your PHP script, and send it the the user.
The advantage is that your PHP script has access to the DB -- which means it can allow users to log-in, log-out, it can use sessions, ...
About the "send the file from PHP", here are a couple of questions that might bring some light :
Sending correct file size with PHP download script
Resumable downloads when using PHP to send the file?
forcing a file download with php
I'd create a custom index script in PHP -- something that would show the files dynamically. Use that to keep only the right files being listed -- afterwards, to further protect the files, fetch file contents dynamically -- Pascal MARTIN's links show you how to use PHP to control the file streaming, you can use that to block access from hidden files to users that aren't supposed to get to them.
On the current website I'm working on, I've got a directory of files for users to download which would be really nice to have some security method other than obscurity ;)
I was wondering if there's any way to supply login information via PHP to htaccess as though a user were entering it.
Alternately, if anyone knows a better way to secure user downloads using PHP, that's also acceptable. All of my googling turns up "just use htaccess" which isn't really helpful, as from the non-savvy user's point of view, they have to log in twice every time they use the website.
My best guess at doing it exclusively with PHP is to store files above the web root, then copy them to a web accessible folder temporarily, but this seems highly inefficient and I couldn't think up any way to remove them after the download has finished.
Note: I don't own the server this is running on and don't have ssh access to it.
If files are not too big (Gb) you can always use readfile for file's download. In this mode you can check user's auth before, and if it's ok output file contents to user, otherwise send him to login page.
With this method you can put your files in protected (with .htaccess) directory so you can be sure that nobody who isn't authenticated can access them.
I think I would either store them in a folder outside of the web root, or in a folder protected by .htaccess and then have a php script that checked if the user was logged in and allowed to download a file asked for. If he was, then just pass the file through to the user.
Example from linked page at php.net:
Example #1 Using fpassthru() with binary files
<?php
// open the file in a binary mode
$name = './img/ok.png';
$fp = fopen($name, 'rb');
// send the right headers
header("Content-Type: image/png");
header("Content-Length: " . filesize($name));
// dump the picture and stop the script
fpassthru($fp);
exit;
?>
Someone else made a comment about having to report the correct content-type, which is true. Often, in my own experience, I already know it, or can use the file extension pretty easily. Otherwise you can always try to have a look at finfo_file. On that page there are also some comments about what you could do especially for images as well.
you should use a php script to control the access.
create a dir outside the webroot or inside the webroot with a .htaccess where you location the download files.
outsite the webroot is better.
you have to make sure that no one can access those files if they are located inside.
then take from the pear class lib. the class http_download.
using this class has many advantages.
Ranges (partial downloads and resuming)
Basic caching capabilities
Basic throttling mechanism
On-the-fly gzip-compression
Delivery of on-the-fly generated archives through Archive_Tar and Archive_Zip
Sending of PgSQL LOBs without the need to read all data in prior to sending
you should not use readfile oder any forwarding filepointer because you have to set the headers yourself and the don't support http "range".
for the access restrictions you can use you session-manager, password, framework, forum etc.
pear - http_download http://pear.php.net/package/HTTP_Download
you need to copy the url, because SO encodes it to url-encoded string (which is correct), but PEAR-homepage doesn't like that.
Why reinvent the wheel? Take a look at File Thingy, which is pretty easy to install and customise. If nothing else, you can study the source to learn how to perform the authentication step.
You could use MySQL to store uploaded files, rather than storing them in a file, better and more secure, in my opinion. Just Google "MySQL upload php" for example.
You could create the htaccess file using a PHP script, from your users table, each time a user accesses that folder, very troublesome.
I think the first option is better.
Use X-SendFile! There's extensions for Apache, Lighty and Nginx so there's a good chance there's one for your webserver.
Once you have the extension installed, you can authenticate the user using your PHP script, and then add the header:
header('X-SendFile','/path/to/file');
When your PHP script is done, it will trigger the webserver to stream the file for you. This is especially efficient if you use PHP along with for example FastCGI, because it frees up the PHP process for other work.
Evert