

Securing files !





salman_500
hey,

you see I am planning to put up templates that are for sale... so people have to pay for them before downloading them... well what I wanted was that the folder that contains the file should be protected... like so that no one can access it... I have done one thing, that I made the filenames random, but they still are in the database... so I want the folder to be protected by pass or something so that only my script knows that password... and when someone executes it, it gets the pass to open the field and get the required file...

otherwise if someone tries to directly access files by entering the direct URL, it gives a warning message and closes the window... I know it's possible... but I don't know how to do it... probably make use of an htaccess file or something???

thnx !
hexkid
salman_500 wrote:
I know it's possible... but I don't know how to do it...


I'd make the template files *NOT* accessible by any URL (by putting them in a directory outside the web tree, or with an .htaccess) and create a script to manage downloads.
This script would validate the requests for the template (paid? valid template? ...?) and, if everything checks out, use readfile() to send the template to the client.

Code:
<?php
define ('PROTECTED_DIR', '/home/user/nobody/template/');
// ...
if (everything_checks_out($parm1, $parm2, $parm3)) {
  header('Content-Type: application/octet-stream');
  readfile(PROTECTED_DIR . 'foo.template');
}
// ...
?>
salman_500
hexkid wrote:
salman_500 wrote:
I know it's possible... but I don't know how to do it...


I'd make the template files *NOT* accessible by any URL (by putting them in a directory outside the web tree, or with an .htaccess) and create a script to manage downloads.
This script would validate the requests for the template (paid? valid template? ...?) and, if everything checks out, use readfile() to send the template to the client.

Code:
<?php
define ('PROTECTED_DIR', '/home/user/nobody/template/');
// ...
if (everything_checks_out($parm1, $parm2, $parm3)) {
  header('Content-Type: application/octet-stream');
  readfile(PROTECTED_DIR . 'foo.template');
}
// ...
?>


by the above script... PROTECTED_DIR is assigned the value of the URL... right... well when we do the readfile thingy... the URL will not be visible to the users in the view script???

but like in another post... I told you that I was having trouble with the readfile function so I make use of this HTML thing... "onLoad" to open the file... I write HTML in PHP... so if I define PROTECTED_DIR and then use this HTML method... will it still be as safe as readfile??

oh and by you saying that you would not place the files in the web tree... meaning that e.g. in a webhost directory there is a public_html directory or something... u mean I don't place the folder in this?? :?

please elaborate !

thnx !! :P
hexkid
salman_500 wrote:
hexkid wrote:
Code:
<?php
define ('PROTECTED_DIR', '/home/user/nobody/template/');
// ...
if (everything_checks_out($parm1, $parm2, $parm3)) {
  header('Content-Type: application/octet-stream');
  readfile(PROTECTED_DIR . 'foo.template');
}
// ...
?>
Oops! I missed an exit(0); right after readfile().

salman_500 wrote:
please elaborate !
If your public_html is at /home/salman_500/domain/public_html/ and you create something like /home/salman_500/domain/template/ this second directory is not accessible through the internet, but PHP can use it. The PHP script can validate stuff (user logged in?, download paid?, ...?) and send the file. If you put your templates below public_html you need some other way to protect them (.htaccess, URL rewriting, obscurity (random names), ...) and you still need a script; you get double work and worries for less security!

You really should solve your problems with readfile(), it's a very useful function for your needs.

Also you need to think about how/when the users pay. They should be able to not pay twice if they get disconnected in the middle of the download.
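
Added example (not part of hexkid's post and not code from this thread): a download script along the lines described above, with the files kept beside public_html, a purchase check before readfile(), and exit afterwards. The template table, has_paid() and the session key are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example. TEMPLATES, has_paid() and the session key are assumptions
// for illustration, not names from the thread.
// Directory beside public_html, so no URL maps to it.
const PROTECTED_DIR = '/home/salman_500/domain/template';
// Hypothetical catalogue: public id => random on-disk name (constructed
// sample; in the thread's setup this mapping lives in the database).
const TEMPLATES = ['basic' => 'k3v9q1x7.zip'];

// Hypothetical entitlement check. It tests a stored purchase rather than a
// one-time token, so a dropped download can be retried without paying again.
function has_paid(string $id): bool
{
    return in_array($id, $_SESSION['paid_templates'] ?? [], true);
}

// Map an id to a file inside PROTECTED_DIR, or null if it is not allowed.
function resolve_template(string $id): ?string
{
    if (!array_key_exists($id, TEMPLATES)) {
        return null; // the path is never built from raw user input
    }
    $base = realpath(PROTECTED_DIR);
    $path = realpath(PROTECTED_DIR . '/' . TEMPLATES[$id]);
    // realpath() is false for missing files; the prefix test rejects any
    // name that resolves outside the directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

session_start();
$id = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
$path = resolve_template($id);
if ($path === null) {
    http_response_code(404);
    exit('No such template.');
}
if (!has_paid($id)) {
    http_response_code(403);
    exit('Payment required.');
}
// header() only works before any output, including stray whitespace.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $id . '.zip"');
readfile($path);
exit(0);
```

The client only ever sees the public id in the URL; the on-disk name and the protected directory never leave the server.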
salman_500
ohh... so if I use a PHP script to upload the templates to the folder... can the script upload them to the place you're talking about... and can the script also read the files from there... if this is so... it's really sweet !

thnx ! :D

and I will try to get the readfile thing working too... I don't have problems with readfile actually... it's a problem more with headers...


oh yeah, I asked you... can the body onLoad function be used to get the files from the folder I create out of the web tree?? and like, is it actually really possible to not get files directly from that folder??
hexkid
salman_500 wrote:
so if I use a PHP script to upload the templates to the folder... can the script upload them to the place you're talking about...
Yes.

salman_500 wrote:
can the body onLoad function be used to get the files from the folder I create out of the web tree??
No. Unless the onLoad function requests a PHP script on the server (XMLHTTPRequest()? I don't know enough JavaScript for this).

salman_500 wrote:
and like, is it actually really possible to not get files directly from that folder??
Completely impossible with a standard web server configuration.
Suppose your /home/salman_500/domain/public_html/index.html is accessible with the URI http://www.example.com/index.html
To get to /home/salman_500/domain/template/basic_template.html the URI would have to be something like http://www.example.com/../template/basic_template.html but no web server will travel to the ".." on that URI.
Alie
You can also use .htaccess files to protect directories...
the zephyrus
Admittedly, security through obscurity is something that people tell me is a very bad idea, and for good reason. But I should add that it does work. One way to make (almost) sure people can't get to a file is to make its name really, really long and complex. Put it in a few nested folders each with randomized names. Not the best policy, but it does work as... let's face it, people don't have the time to test the possibilities one by one, whether by hand or script.