I m a beginner to PHP and MySQL, I am having 3 user roles in my project:
manager
editor
mtuser
Managers account can upload files to the system.
Editors and mtusers are able to download file uploaded by a manager, they can modify those and reupload back to managers (feedback).
I am using a temp directory to store those files on the server.
I want to check with that file like suppose editor and mt user should not uploaded rather then downloaded files how I check that?
I also want to avoid collisions where several users try and write to the same file at once.
I think you want to make use of WebDAV, which is easy to do with PHP. This will allow other users to lock files for editing, so that you avoid collisions.
Regarding the rest, getting permissions is just a simple query away. I'm assuming that you have a table named 'permissions' or something that says what a user can and can not do. What I do recommend is not caching them (i.e. in a session), make sure they are easy to revoke.
Related
I am working on a web application where file uploads and revisions are tracked. Once a project is ready, it is submitted for an approval process. I want to, upon "submit for approval" lock down all the projects attached files to prevent further changes.
The file uploads are handled by my own simple forms, and the files are tracked in a mySql db.
Is there anyway to set the files as read only so they can not be deleted, renamed, moved, etc. But still be viewed? (prevent change even by FTP or a cPanel file manager)
The idea is to protect the integrity of what has been approved. At the least I will be using .htaccess to prevent viewing the uploads folder directly.
Obviously, someone could SSH into the server and SUDO SU and do whatever, but, I am thinking for the less tech savy folks who need GUI.
You want application level control, not operating system level control. I.e., don't set the files to read only. Instead, have your application recognize that the project is in "submitted" status, and disable the features that would allow a user to change them.
If you're worried about somebody changing files with FTP or cPanel outside the project app then you likely have a personnel issue, not a technical one. I'm never a fan of using technology to solve a personnel issue.
That said, to additionally ensure that no OS-level changes have occurred, you can generate a hash of the contents of all the component files at the time the project is submitted, and then store those hashes in the database along with the project data. This will allow you, at any later date, to determine if the files have changed since.
I'm facing a dilemma on how to implement file upload and download in a PHP website.
I have these criteria:
Performance - does not give performance issues to the website
File size - around 2GB and up.
Authorization - I want to be able to change who can access the files in PHP. Allow multiple users to gain access to a single file.
User friendly - no additional tools to use.
So here are the methods I'm currently looking at and how I assess them based on my criteria:
Database BLOB
Writing the file data into the output stream will take time and blocks other requests (is this correct?)
I read somewhere that there's a size limit for BLOB.
OK - I can easily control who can download the files here.
OK - No additional tools, just the website.
FTP
OK - since it is designed to store files.
OK - file system is the limit.
I need to create another credentials for each user aside from the username and password for the website. I assume I have to move the file from one location to another to update authorization, but how if multiple users can access one file? Shared directory? It looks messy.
Need another tools/program for accesing their files, need to remember another username and password.
My questions:
Based on my assumptions, do you thimk I understand the methods correctly?
If my assumptions are wrong, is there a way I can do this functionality while meeting my criteria?
PS Please excuse my English.
Why not just use the file system to store the files and store the path to the given file (+ permissions, if needed) in addition in a database.
The upload folder isn't accessible from the public and an wrapper script serves the content to the user.
Performance shouldn't be a problem as you just move/copy the uploaded file to a dedicated data directory.
File size isn't a problem (as long, as you have enough disk space)
The wrapper script handles permissions and serves files to the users
It's as friendly, as you design your ui
for me the usage of BLOB is not the best. I thought about BLOB to upload pictures in my own website, but the best way to upload file is to put them directly on ur server locally.
I have a framework that I've written. I created a package for said framework that allows me to track my employee's hours, and gives them a place to dump files for the accountant. (Invoices, etc.)
The problem is that these file dumps are accessible through the browser. I could use a .htaccess file to prevent the files from being served up at all, but the problem is that I would like the accountant and the employee to be able to download their files.
A solution might be to read the files with PHP, create a temporary copy, have the user or accountant download that copy, then delete the copy...but this poses two problems.
1) It's going to be time and resource intensive...especially for large files.
2) For whatever short amount of time, there will be a copy of the file which is accessible to whoever knows the URL.
The other solution would be to put the files outside of the public folder, but the problem is that I would like this package to be portable, and a lot of my servers are shared.
What method could I use to be able to serve the files only when authenticated, and avoid the flaws I described above?
I have a folder (/files) and I have tons of files there that users can download. I want users to be able to download their files only and no be able to see others people file.
For example:
User A can only view and download:
- file1.doc
- file2.jpg
User B can only view and download:
- file3.txt
- file4.jpeg
User C can only view and download:
- file1.doc
- file2.jpg
- file3.txt
My idea was to put all files in the same folder so all users knows where to go. My question is: Can I use .htaccess or should I build a PHP scripts for this? What about security (which one is more secure)?
Thanks
Is it an open directory, to start with? What you could do is create a subfolder for each user, put their files in there and then assign appropriate permissions in .htaccess for said folders. However, this would require some security integration with your OS (i.e., users would have to have accounts on your machine, not just your web application)... A quick and dirty -- and insecure -- alternative would be to prepend all uploaded filenames with the username (e.g., 'file1.jpg' uploaded by 'foobar' could be named 'foobar.file1.jpg', for example), then it's just a case of your PHP script returning only those files with the respective username and perhaps stripping that part out when displaying (or again, you could use folders, as long as your script can create a new folder per user, when one doesn't exist). Another option, which is slightly more secure is to create a hash of the file and usernames in a database, rename all uploaded files with this hash and then query the database appropriately.
The best solution would definitely be OS managed accounts, a I first mentioned, but it entails more overhead.
Build a PHP script where you use readfile to send the file to the browser. This way you can restrict access for individual files, and use the authentication system you already have.
You can certainly use either htaccess or PHP for this. Neither are more secure, as far as I know, that the other - though done wrong both can permit access where none is intended!
PHP might be marginally better, since you have more flexibility (in terms of integrating it with other PHP authentication, say) and you can put the folder outside the usual web root, which is good practise anyway.
I have a site that allows people to upload files to their account, and they're displayed in a list. Files for all users are stored on different servers, and they move around based on how popular they are (its a file hosting site).
I want to add the ability for users to group files into folders. I could go the conventional route and create physical folders on the hard drive, for each user on the server, and transverse them as expected. The downside to that is the user's files will be bound to a single server. If that server starts running of space (or many files get popular at the same time), it will get very tricky to mitigate it.
What I thought about doing is keeping the stateless nature of files, allowing them to be stored on any of the file servers, and simply storing the folder ID (in addition to the user id who owns the file) with each file in the database. So when a user decides to move a file, it doesn't get physically moved anywhere, you just change the folder ID in the database.
Is that a good idea? I use php and mysql.
Yes, it is.
I don't see any downside, except maybe more queries to the database, but with proper indexing of the parent folder id, this will probably be faster than accessing the filesystem directly.
Forget about folders and let the users tag their files, multiple tags per file. Then let them view files tagged X. This isn't much different to implement than virtual folders but is much more flexible for the users.