I'm working on a project which involves an FTP server running ProFTPd and a PHP/MySQL backend that creates accounts for users.
Upon the creation of accounts, users are sent e-mails with their account details and instructions for downloading FileZilla or CyberDuck, depending on their OS, detected via user-agent string.
To make things easier for novices, I thought of having .lnk files generated for FileZilla with the account login details as parameters, so they would just have to click on the .lnk files to open up the server. This is not a crucial feature but more of a technical challenge.
My questions are:
is this even feasible?
are there any alternatives (e.g. generating a .bat with a script pointing to the FileZilla executable)?
are there any issues, perhaps with relative / absolute paths pointing to the executable?
to go even further, what would be the simplest way of providing users with software with FTP access on a single account / single server (web interface is not an option)?
It's very difficult to create .lnk files programmatically. See this answer.
In FileZilla, I think the best you can do reliably is to pass along a filezilla.xml file, and describe the steps necessary to import it after FileZilla has been installed.
I don't see any way that you can do this while making it easier for novice users. If you create a shortcut file, you'd have to know the path of the install. Good luck getting that from a user who you assume would have a hard time using a username/password in an FTP program. Even if you got that, you'd be generating the shortcut file after you receive input from the user, then you'd have to email the file to the user or have them download it -> delay.
I would advise against this. Having worked with clueless users before, any attempt to make things "easier" for them but requiring them to do something else usually backfires immensely. Save yourself the headache, and provide a very well-written how-to instead.
This is just a hypothetical question. Let's say we have a website built using CGI scripts. I find a folder within it (for example, www.website.com/links/link.txt) and it has some basic text files. When I enter this URL in a browser, I am able to see the file "link.txt". I also know that the website is running on Apache Tomcat.
My question is, how do I (as a user) edit this link.txt file? What tools should I use?
Unless you have a web-based editor you can't edit the files directly; this is for security purposes as if you can change the file that means anyone else can too.
You will need a way to either connect to the server and edit it using a remote session, or you will need to edit the file using your computer and then upload it. Unfortunately you have already mentioned that ssh and ftp aren't working, which are the two ways I would have otherwise suggested.
I would suggest you get in touch with your site host and ask them what functionality they provide to allow you to edit files.
Hope this helps!
I have password protected a folder using .htpasswd and .htaccess that contains digital assets that I want to control the downloading of using php.
I was planning on offering a download link using the mechanism:
http://username:password#www.website.com/directory/
However, I don't want people to have access to the username and password. In other words I want to make a php gateway file with a different url that decides to offer the download or not, based on information available in the database.
This is a security thing, so I'm not confident of where to start with this. I'm sure I could hash together some code but I'm not confident about it. How can I do this securely? Any help greatly appreciated.
If you have the technical possibility I would suggest you even store the assets outside of the web accessible folders so you don't need to rely on htaccess for protection. That way your PHP gateway script is the only way to access those files.
I won't go into details about writing the script itself, there are multitudes of ways to do that and it very much depends on your requirements what is best, so more information would be needed to give some advice to that. If your assets are very big then streaming them through your script might not work due to memory/time limitations, in that case you could symlink them from the safe location to a public location with a randomly hashed path/filename for a limited time and give that link out.
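A sketch of the gateway approach described in the answer above, added here as an example and not code from the original thread. The storage path, the `asset` parameter, the `downloads` table, the session key and the DSN are all assumed placeholders for your own layout.

```php
<?php
declare(strict_types=1);
// Added example: download gateway for assets kept outside the web root.
// ASSET_DIR, the DSN, the `downloads` table and the session key are assumptions.
const ASSET_DIR = '/srv/private-assets';

// Map a requested name to a real file inside ASSET_DIR, or null.
function resolve_asset(string $name): ?string
{
    $base = realpath(ASSET_DIR);
    if ($base === false) { return null; }
    // basename() drops any directory part; realpath() resolves ".." and symlinks.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path)) { return null; }
    // Reject anything that resolved to a location outside the asset directory.
    $inside = strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return $inside ? $path : null;
}

// Database decision: is this user entitled to this asset? (assumed schema)
function user_may_download(PDO $db, int $userId, string $asset): bool
{
    $stmt = $db->prepare('SELECT 1 FROM downloads WHERE user_id = ? AND asset = ?');
    $stmt->execute([$userId, $asset]);
    return $stmt->fetchColumn() !== false;
}

// Stream in small chunks so a large file never has to fit in memory_limit.
function send_file(string $path): void
{
    $in = fopen($path, 'rb');
    if ($in === false) { http_response_code(500); return; }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . addcslashes(basename($path), '"\\') . '"');
    header('Content-Length: ' . (string) filesize($path));
    while (ob_get_level() > 0) { ob_end_clean(); }   // do not buffer the whole file
    while (!feof($in) && ($chunk = fread($in, 8192)) !== false) {
        echo $chunk;
        flush();
    }
    fclose($in);
}

session_start();
$db = new PDO('mysql:host=localhost;dbname=shop', 'app', 'placeholder-password');
$path = resolve_asset(is_string($_GET['asset'] ?? null) ? $_GET['asset'] : '');
$uid = (int) ($_SESSION['user_id'] ?? 0);
// Same response for "missing" and "not allowed", so the gateway does not reveal which files exist.
if ($path === null || $uid === 0 || !user_may_download($db, $uid, basename($path))) {
    http_response_code(404);
    exit;
}
send_file($path);
```

With the files outside the document root, no URL maps to them directly, so the .htpasswd credentials never need to appear in a link.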
I'm making a web application, it's a kind of online shop using PHP, jQuery, AJAX and JavaScript.
I want to launch my site on only one PC on local host. How should I set my site so that it only runs on my single PC?
Even if anybody copies my code files and database files to his/her own PC it should not run on their PC. How to do this?
The one way I know is by using the IP address, but I'm not quite sure whether this method works or not.
If someone gains access to your source code then there is nothing that you can do to stop them.
When hosting it on your own you can prevent external access but beyond that there is nothing you can do.
You can use an encoder script to encrypt your source code, and some of these come with an ability to lock down to MAC address. I think they are all commercial solutions, though; start with IonCube and SourceGuardian. Zend might have something as well.
I would imagine each of these solutions would have comprehensive tutorials on their respective sites. Your workflow is basically to check out a copy of your source code from version control, and encode that folder as part of your build process.
Technically, encrypted code can be reverse-engineered, since the encryption key is built into the code. However, it is a lot of work for someone to do so, and even if they decode it, they won't have your comments or your meaningful variable/method/class names.
Make sure no one gains access to that PC (where your application resides). Only in that case can you protect your application from being run by an unauthorized person. Once you take this security measure, you can easily disable your application from being accessed from any other LAN computers by using your IP. This is how professional servers work, so should you.
You can change the webserver binding to localhost 127.0.0.1 only.
Alternatively, you can create a filter rule so that the server only accepts remote connections from localhost/127.0.0.1.
With Apache you can do this by .htaccess or directory/server rules.
When you want to share that code, you need to encrypt it with zend-guard or equivalent tools. There is also some licence management inside it, where you can bind licences to machines.
I could use some advice.
I'm building a website in which the general user needs to be able to transfer files to the site administrator. It could be done one of two ways:
1] Some kind of web based interface - PHP perhaps - to send files to the FTP. I've done some Googling but have yet to come up with anything concrete that works. I've considered using an Applet but I need something free. Also, it seems to me that people are hesitant to give Applets permission to run in their browser.
2] Some kind of file transfer service. I've looked at services like Megaupload but using a free account, the files are public and that will not work. I need something that a user could use to send a file to the administrator who could pick it up later.
If anyone has some suggestions, it would be appreciated.
Thanks in advance.
You can do file upload via http if you have enough space (which I assume since you also have access to a ftp server). See here for more information.
I am about to deliver an Adobe AIR app to a customer. But it's my first delivery of any sort, i.e. I have no experience whatsoever with licensing etc.
Users of this app may or may not be online, so I can't count on that. In fact it's 99% sure that they will be offline.
Nor do I expect them to be very tech-savvy users who will spend enough time scouting for ways to "crack" it.
So, is there an okay-ish type of way to protect this app? That is, I don't want people to simply copy the installation folder, take it to another machine and run it. It should be slightly harder than this.
Oh, and I am also using PHP and MySQL, with which this AIR app communicates. So anything you guys could help me with is very very welcome.
Protect the PHP API and not the frontend app. Have a license key which is bound to an IP address and authenticate that the request (which contains the key) is coming from the correct IP.
If you want to protect your Flex app you can use irrObfuscator. There is a 30 days free demo.
If you wish to obfuscate your PHP code I would suggest ioncube. There is an online obfuscator that you can pay for à la carte. Pretty useful. Though you need ioncube loaders, which are a set of PHP extensions that you will find in the products section. Not sure, but I think you can install loaders without playing with PHP config, so it's shared-hosting friendly.
You cannot protect anything that's web-based or JavaScript-based, purely because there is complete source code.
Anyone who knows how to use 'right click' could copy your files. You can obfuscate your code, but you cannot protect it. If you think that this shouldn't be possible, write a desktop app in a 'real' programming language.
When the app installs, I would do the following:
Create a file in "app-storage" that basically indicates the app has been installed.
Fire off a service call and make a record of the install.
Change a file in the app directory to indicate the app has been installed.
On subsequent startups, check for the presence of the file as long as the file in the app directory indicates the app has been installed. If you see the customer keeps installing their app over and over, this could be flagged in their account and appropriate action taken. If you want to get fancy, the file in "app-storage" could be a one-way hash of some information from the file in the app directory (install date?) plus some value baked into the AIR application.
In general, I think the key here is to trust your users and not make the assumption they are trying to steal. You want to make the system as painless as possible. It does not build a good relationship with customers when you treat them like criminals, so creating an "ironclad" approach probably isn't even the best idea.
I think pretty much the only good way to do this is to require activation after installing (online activation, with a phone backup).
From what you're saying, it seems like the backend is installed on-site and would not be able to provide adequate copy protection.