0

I have a site with user logins and sessions. I'd like to allow my users to upload files to the webserver, but only have them available for their login.

I understand if I upload to some sort of public web directory that the file would be still accessible via:

http://www.mydomain.com/files/thefile.pdf

However, I'm thinking I can store the files in the directories just above my public HTML root (say it's /mnt/content/web/html).

So, I could make a directory called (/mnt/content/web/uniqueidfortheuser) and store my files there, then reference the files via PHP with the syntax:

(../uniqueidfortheuser/thefile.pdf).

My question - is this secure enough or is there something I'm overlooking? The name of the uniqueidfortheuser would be stored in a database and unknown to users, and they'd have to have a valid session to gain access the their unique name of their folder. And I don't think they'd be able to call any of the files in the folder from the web.

hakre
  • 193,403
  • 52
  • 435
  • 836
916 Networks
  • 545
  • 3
  • 10
  • 18

1 Answers1

1

Even better - when the user uploads the file, include the user_ID for the file. Then, when you try to retrieve the file, make sure it belongs to the user.

So therefore even if they guess another file - it wont matter!

You need to use readfile:

    function user_files($file_name = "")
    {
        // Check user is logged in
        if ($user->logged_in())
        {
           // Check file_name is valid and only contains valid chars
           if ((preg_match('^[A-Za-z0-9]{1,32}+[.]{1}[A-Za-z]{3,4}$^', $file_name)) 
           {
               // Now check file belongs to user - PSUEDOCODE
               if ($filename == $user->records)
               {
                   header('Content-Type: '.get_mime_by_extension(YOUR_PATH.$file_name)));
                   readfile(YOUR_PATH.$file_name);
               } else {
                   echo 'You do not have access to this file';
                }
           }
        }
    }

There is some issues around directory traversal etc - so you'll need to check the $file_name first like I have using the preg_match

Laurence
  • 58,936
  • 21
  • 171
  • 212