
Thread: help needed, securing a folder

  1. #1
    help needed, securing a folder

    Hi there, wondered if anyone can give me some help or point me into the right direction.

    I have built an online application, a little like Facebook (but obviously on a smaller scale). It offers an area where each member can upload "media files" in their profile, such as mp3s, jpegs, Word docs etc.

    The way the script works is that you have to be logged into the application to be able to see the members' pages (my login form works on cookies, and the members' info is pulled from a MySQL database via the PHP script).

    Whilst you need to be logged in to see the members' pages and media files, all the files uploaded can still be accessed via a direct link when not logged in.

    I need to know how I can secure the folder and make sure that anything uploaded within that folder (ie the mp3's and jpegs) can only be accessed if the member is logged into my application.

    I hope that makes sense?

  2. #2

    I don't do PHP coding, but in this situation I normally do not store the files in the wwwroot path. Create a folder at the same level as the wwwroot, and store the files there. You can then use code to stream those files if someone is logged in.

    This way you can't access the files direct from the web, no matter what you do. The only way to access them is via your code.

    Hope you understand what I'm saying / getting at.

    Just chill

  3. #3

    That would certainly be a common method, so in the simplest case scenario you have a script that you call to get the file data:

    example.com/get_file.php?id=1234

    then inside that file you make sure the current user can access the file id=1234, stored outside of the web root, and if so you pull the file's data through the script. Something like:
    PHP Code:
    if( $user->isLoggedIn() ) {
        $fp = fopen($filepath, 'r');
        header('Content-Type: image/jpeg'); // assuming you are grabbing a jpg image here
        header("Content-Length: " . filesize($filepath));
        header('Content-Disposition: inline; filename=image.jpg');
        die( fpassthru($fp) );
    }
    You can use this method to throttle downloads too, by reading out the data in small chunks over time.

    Sometimes I prefer to use a method of obfuscation, which is not really secure as such, but doesn't have the overhead--depending on your authentication script this can be significant.
    If you wanted to display 50 thumbnails on a page using the first method, it will probably feel slow. Obfuscating the paths, but leaving them under the web-visible directory, makes it almost impossible for people to guess them, but still lets you reference the files as normal.

    eg. 36816da4b1a7ead1aecdc81229549290.jpg

  4. #4

    Thanks Nick, in your example though where it says:
    PHP Code:
    $fp = fopen($filepath, 'r');
    is $fp going to refer to the physical path? ie: d:\mydomain.co.uk\student-folder\myfile.jpg

  5. #5

    $filepath refers to the physical path, $fp is a resource in php, basically a file pointer.

  6. #6

    That's not working unfortunately. It's just printing out a load of rubbish.

    Why won't this work:

    PHP Code:
    echo "<img src=\"D:\mydomain.org\student\secureme.jpg\" border=\"0\" alt=\"My Image\"/>\n";

  7. #7

    Quote Originally Posted by Space Cowboy:
        That's not working unfortunately. It's just printing out a load of rubbish.
    The 'rubbish' will be the file's data. You must set the correct Content-Type header so the web browser knows how to treat the data. That's what the header('Content-Type: image/jpeg'); line is about.

    Here is a good list of mime-types

    If you want to just force the browser to download the file, you should be able to use:
    application/force-download

    Quote Originally Posted by Space Cowboy:
        Why won't this work:
        PHP Code:
        echo "<img src=\"D:\mydomain.org\student\secureme.jpg\" border=\"0\" alt=\"My Image\"/>\n";
    That will not work. When you add an image to a page like that, the file path is read by the user's web browser which then sends a subsequent request for the file to the server, in this case it would request 'D:\mydomain.org\student\secureme.jpg', which would go nowhere. Actually, it may point at the user's own computer, but more than likely it would result in nothing being found, and definitely it would not get your file.

    What you are trying to do is make that subsequent request for the image call a script that firstly works out if the user is authorised and if so returns the image data, as though it were the real file that was being pointed at. The complications come in a bit as the computers usually make use of file extensions to determine how the raw data of the file is interpreted, and if you are just pointing at a .php/.asp script, it is expecting plain text, thus we have to explicitly set the content-type of the data the web server pushes out by calling the header() function in the php script, that sets a little flag in the header information sent along with the page response by the server, that says, 'I'm a jpg' or whatever the file should be.

    There is surely a better way to explain it, but there you go.

  8. #8

    OF COURSE that wouldn't have worked! I never looked at it like that! How embarrassing!

    But the other suggestion still isn't working. The header type is set correctly.

    I've tried the following:

    PHP Code:
    $fp = fopen($filepath, 'r');
    header('Content-Type: image/jpeg'); // assuming you are grabbing a jpg image here
    header("Content-Length: " . filesize($filepath));
    header('Content-Disposition: inline; filename=D:\aimhigherhumber.org\student\secureme.jpg');
    die( fpassthru($fp) );

    and

    PHP Code:
    $filepath = 'D:\aimhigherhumber.org\student\secureme.jpg';

    $fp = fopen($filepath, 'r');
    header('Content-Type: image/jpeg'); // assuming you are grabbing a jpg image here
    header("Content-Length: " . filesize($filepath));
    header('Content-Disposition: inline; filename=$filename');
    die( fpassthru($fp) );

  9. #9

    Works for me
    I've put the image file in a web visible place for my convenience (same dir as the php file) but that should not make any difference.
    PHP Code:
    <?php
    $filepath = dirname(__FILE__) . '\image.jpg';

    $fp = fopen($filepath, 'r');
    header('Content-Type: image/jpeg');
    header("Content-Length: " . filesize($filepath));
    header('Content-Disposition: inline; filename=image.jpg');
    die( fpassthru($fp) );

  10. #10

    OK, this worked if I just place that code in its own file. But if I place that script into an existing file with other code and style around it, it doesn't work.

    How would I get it to work in conjunction with a file with say lots of thumbnails?
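A worked version of the gate script from post #3 that also addresses the thumbnail question in post #10, added here as an example and not code from any of the posters. It assumes the uploads live outside the web root under an assumed UPLOAD_DIR with obfuscated names, that a logged-in member has $_SESSION['member_id'], and that lookup_upload() is a constructed stand-in for the real MySQL lookup.

```php
<?php
// get_file.php: stream one uploaded file to a logged-in member (added example).
// Assumptions: files sit OUTSIDE the web root in UPLOAD_DIR under an obfuscated
// stored name; a logged-in member has $_SESSION['member_id']; lookup_upload()
// stands in for the real database query keyed by the numeric ?id= parameter.
declare(strict_types=1);
session_start();
const UPLOAD_DIR = '/var/www/uploads';       // assumed; a sibling of wwwroot

// Extension -> MIME type whitelist. Anything not listed goes out as a download,
// so a member-uploaded .html file can never render in the site's own origin.
const INLINE_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'mp3' => 'audio/mpeg',
];

function lookup_upload(int $id): ?array
{
    // Constructed sample row standing in for a MySQL lookup by upload id.
    $rows = [1234 => ['stored' => '36816da4b1a7ead1aecdc81229549290', 'ext' => 'jpg', 'name' => 'photo.jpg']];
    return $rows[$id] ?? null;
}

function send_upload(array $row): void
{
    // The path is built from the stored record, never from request text, so
    // "../" in the query string cannot reach outside UPLOAD_DIR.
    $path = UPLOAD_DIR . '/' . basename($row['stored']) . '.' . $row['ext'];
    if (!is_file($path)) { http_response_code(404); exit; }
    $inline = isset(INLINE_TYPES[$row['ext']]);
    header('Content-Type: ' . ($inline ? INLINE_TYPES[$row['ext']] : 'application/octet-stream'));
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: ' . ($inline ? 'inline' : 'attachment')
        . '; filename="' . basename($row['name']) . '"');
    header('X-Content-Type-Options: nosniff');   // browser must not second-guess the type
    // Only raw file bytes may follow: any HTML or whitespace emitted before or
    // after this point corrupts the image (the "rubbish" seen in post #6).
    $fp = fopen($path, 'rb');
    fpassthru($fp);
    fclose($fp);
    exit;
}

if (empty($_SESSION['member_id'])) { http_response_code(403); exit; }
$id  = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$row = is_int($id) ? lookup_upload($id) : null;
if ($row === null) { http_response_code(404); exit; }
send_upload($row);
// A thumbnail page never includes this script; it references it per image:
//   <img src="get_file.php?id=1234" alt="...">  (one gated request per thumbnail)
```

The thumbnail page itself stays ordinary HTML; each img tag makes the browser issue its own request to get_file.php, which is where the login check and the raw-bytes output belong.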
