
I created a PHP application that automates the creation of rental documents such as leases, extensions, notices, etc. The application creates and saves the rental documents in a designated directory as a Word document.

My application requires the user to login and verifies login using a session variable. My problem is how to protect the /docs/ directory that contains completed rental documents? If someone knew this directory existed, they could simply type it into a browser. I added a blank index.html file to this directory. This keeps the file names from displaying. I'm just wondering what is the best way to protect this directory, since it will contain docs with personal information?

Brent
    Keep the file in a directory outside of `document_root`. Maybe interesting? http://stackoverflow.com/questions/13357994/access-a-file-which-is-located-before-outside-the-server-root-directory – Ryan Vincent Jan 22 '17 at 03:09

1 Answer


Ryan, thanks for your advice. As you suggested, I saved the files outside of the document root and accessed them with this code.

<?php
// The path is built straight from the query string and used as-is;
// $doc is defined here so filesize() and readfile() refer to the same file.
$doc = "../test/" . $_GET['doc'];
header('Content-Description: File Transfer');
header('Content-Type: application/msword');
header('Content-Disposition: attachment; filename="'.$_GET['doc'].'"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($doc));
readfile($doc);
?>

To access the files, I include the filename in the URL that links to the above code, e.g. http://example.com/test.php?doc=filename.docx

Brent
    Don't forget to sanitize the GET parameter... This is begging for abuse. At least check for ../ or something. Also, where is the file existence check :). Always expect someone to break your code, so you should break it first. – Thomas Jan 22 '17 at 04:37
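A hardened version of the download script above, addressing the points Thomas raises (session check, file name validation, existence check). This is an added example, not the poster's code; it assumes the login sets `$_SESSION['user_id']`, that the finished documents live in a directory `/var/www/rental-docs` outside the document root, and that they are `.doc`/`.docx` files.

```php
<?php
// Added example, not the original poster's script. Assumptions: login sets
// $_SESSION['user_id']; documents are stored in DOC_DIR, a directory outside
// the web server's document root; documents are .doc or .docx files.
session_start();

const DOC_DIR = '/var/www/rental-docs'; // assumed path, outside document_root

// 1. Require a logged-in session before serving anything.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// 2. Accept only a bare file name: no path separators, no "..", fixed extension.
$name = $_GET['doc'] ?? '';
if (!preg_match('/\A[A-Za-z0-9_-]{1,100}\.docx?\z/', $name)) {
    http_response_code(400);
    exit('Invalid document name');
}

// 3. Resolve the real path and confirm it is still inside DOC_DIR and is a
//    regular file. This is defence in depth: even if the regex is loosened
//    later, symlinks or traversal cannot escape the storage directory.
$base = realpath(DOC_DIR);
$path = realpath(DOC_DIR . DIRECTORY_SEPARATOR . $name);
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Document not found');
}

// 4. Stream the file; the download name comes from the resolved path, not
//    from the raw query string, and the response is marked non-cacheable.
$mime = pathinfo($path, PATHINFO_EXTENSION) === 'docx'
    ? 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
    : 'application/msword';
header('Content-Type: ' . $mime);
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

If not every logged-in user may read every document, add a per-document ownership check against the session between steps 3 and 4.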