0

Mostly we upload things through an upload field in the HTML, upload the file to a directory in the application root or elsewhere, and store the path in a database.

If the file is to be uploaded for specific users, then the user can download it from his/her dashboard. Yes, all works fine. But if he knows the URL of a file of another user, he can download it. How can we protect this?

Kindly, I am very anxious, help me.

Gunah Gaar

1 Answer

2

Perhaps you could send uploaded files to a specific directory. Either upload the files to 1) separate directories for each user, or to 2) separate directories for each user-group/level. Assign a user id or user group level credentials with a login script and check this against the directories.

For example, for each user: Upload files for user123 to directory "user123." Set permissions so that only login credentials with user id as "user123" can access.

For group level: Upload files for any users of the same group (e.g., level 1) to directory "group1." Set permissions so that only login credentials with group level as "1" can access.

reformed
  • By this way, anybody can download the file if the path is known – Gunah Gaar Jun 27 '12 at 06:22
  • Not if you put the files into an inaccessible location (such as a folder protected by .htaccess) and use a PHP script to process such files for desired users (e.g., http://example.php?download=downloadfile.pdf) – reformed Jun 27 '12 at 21:46
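
The gated-download approach from the last comment, as an added example that is not code from either poster: files sit in a directory the web server will not serve, and a PHP script checks ownership before streaming them. The storage path, the `$uploads` array (a constructed stand-in for the database table), the `id` parameter and the `authorizedPath()` helper are assumptions; the script looks files up by numeric id rather than taking a file name from the URL.

```php
<?php
// download.php - added example; names, paths and the $uploads table are assumptions.
// Files live outside the web root (or in a directory denied by .htaccess),
// so the only way to reach them is through this script.
const STORAGE_DIR = '/var/app/private_uploads';   // assumed location, not web-accessible

// Constructed stand-in for the database table that stores upload paths.
$uploads = [
    1 => ['owner_id' => 123, 'stored_name' => 'a1b2c3.pdf', 'display_name' => 'invoice.pdf'],
    2 => ['owner_id' => 456, 'stored_name' => 'd4e5f6.pdf', 'display_name' => 'report.pdf'],
];

// Returns the absolute path if $userId owns $fileId, otherwise null.
function authorizedPath(array $uploads, int $userId, int $fileId, string $dir): ?string
{
    $row = $uploads[$fileId] ?? null;
    if ($row === null || $row['owner_id'] !== $userId) {
        return null;                       // unknown file or someone else's file
    }
    // basename() drops directory components, so a bad stored name cannot escape $dir.
    $path = $dir . '/' . basename($row['stored_name']);
    return is_file($path) ? $path : null;
}

session_start();
if (!isset($_SESSION['user_id'])) {        // set by the login script
    http_response_code(401);
    exit('Login required');
}

$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$path = is_int($fileId)
    ? authorizedPath($uploads, (int) $_SESSION['user_id'], $fileId, STORAGE_DIR)
    : null;

if ($path === null) {
    http_response_code(404);               // same answer for "missing" and "not yours"
    exit('File not found');
}

$name = str_replace('"', '', basename($uploads[$fileId]['display_name']));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the ownership check runs on every request, knowing another user's file id or path gives no access; the dashboard links simply point at `download.php?id=…` for the rows the logged-in user owns.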