PHPBuilder.com  
Old 10-29-2002, 07:26 AM   #1
thoand
Senior Member
 
Join Date: Mar 2002
Posts: 338
Security +web server

Hi,
is it possible to get files (with a browser) that are over the www root directory?
e.g.


/home/myfolder/doc.pdf
/home/myfolder/www/

I really need a secure (as it can get) solution for putting sensitive documents on the web for downloading (only authorised users)
without htaccess.

best regards,
Thomas
Old 10-30-2002, 01:56 PM   #2
mikejohnston
Member
 
Join Date: Sep 2002
Location: Atlanta, GA USA
Posts: 35
I would recommend placing the documents into a database field. Then you can pull the file from the field and push the file to the user as needed.
__________________
Mike Johnston
CTO, Soholaunch.com, Inc.
http://www.soholaunch.com
Old 11-08-2002, 11:25 AM   #3
davetshave
Linux newbie
 
Join Date: May 2002
Location: Delft, Netherlands
Posts: 36
Wouldn't that be slow?

Wouldn't storing files in a database be an overhead the system could do without?

I am working on a system that does something similar to what Thoand is describing and I stream the files across from an 'inaccessible' directory.

To be honest I have some reservations about the security of my current solution and am keeping an open mind about a better solution.

If you place the files in a directory like:

/home/myfolder/documents/

And your webserver's root is:

/home/myfolder/www/

then as far as I can figure it there is no way for a user to access the documents using their browser. The PHP script I use to stream the files across to the user's browser is this:

// $filename is the location and filename of the file to stream
// $realfilename is the name under which the user is prompted to save

// Stop if the file is missing or unreadable
if (!is_file($filename) || !is_readable($filename)) {
    header("HTTP/1.0 404 Not Found");
    exit;
}

header("Cache-Control: private"); // fix for IE

header("Content-Type: application/msword");
header("Content-Length: " . filesize($filename));
// basename() and the quote/newline stripping keep path parts and stray characters out of the header
$savename = str_replace(array('"', "\r", "\n"), '', basename($realfilename));
header('Content-Disposition: attachment; filename="' . $savename . '"');

// All headers must be sent before the file body
$fp = fopen($filename, 'rb'); // binary-safe read
fpassthru($fp); // stream the file to the browser
fclose($fp);

Remember that there must be no output to the browser before you send headers, not even whitespace in front of your php script.

Hope this helped. Hope someone shoots my crappy security solution down with something more explicitly safe.


Last edited by davetshave; 11-08-2002 at 11:42 AM.
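
An added example, not part of davetshave's post or of the thread: one way to make a streaming script like the one above check authorisation and confine requests to the documents directory. The `doc` query parameter, the `user_id` session key (set by a login page not shown) and the function names are assumptions; the directory is the one used in the thread.

```php
<?php
// Assumed names: the 'doc' query parameter and the 'user_id' session key.
// DOC_ROOT is the directory from the thread, outside /home/myfolder/www/.
const DOC_ROOT = '/home/myfolder/documents';

// Map a user-supplied name to a file inside $baseDir, or return null.
function resolve_document(string $baseDir, string $requested): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null;                       // reject embedded NUL bytes
    }
    $base = realpath($baseDir);
    // realpath() resolves "..", symlinks and doubled slashes; false if missing.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still sit under the base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function send_document(string $path): void
{
    // Keep only characters that cannot break out of the quoted filename.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Cache-Control: private, no-store');
    header('X-Content-Type-Options: nosniff');
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
}

if (PHP_SAPI !== 'cli') {                  // request handling, web only
    session_start();
    if (empty($_SESSION['user_id'])) {     // not logged in
        http_response_code(403);
        exit;
    }
    $doc  = $_GET['doc'] ?? '';
    $path = resolve_document(DOC_ROOT, is_string($doc) ? $doc : '');
    if ($path === null) {                  // missing, or outside DOC_ROOT
        http_response_code(404);
        exit;
    }
    send_document($path);
}
```

A request for `doc=../www/index.php` resolves to a path outside `DOC_ROOT` and gets a 404, the same answer as for a file that does not exist.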
Old 11-08-2002, 11:32 AM   #4
mikejohnston
Member
 
Join Date: Sep 2002
Location: Atlanta, GA USA
Posts: 35
No. I actually have found it to be faster. When listing filenames, DON'T pull the blob field that contains the binary data just to display the filename, size, etc. else it will be slow.
__________________
Mike Johnston
CTO, Soholaunch.com, Inc.
http://www.soholaunch.com
Old 11-08-2002, 11:51 AM   #5
davetshave
Linux newbie
 
Join Date: May 2002
Location: Delft, Netherlands
Posts: 36
Does the database solution scale?

Interesting... I am starting to warm to the database idea. Hope you don't mind me shooting at it a bit, just trying to make sure I am aware of any pitfalls.

Okay, so let's say we put the files in a mysql database. Would it be able to manage multiple users trying to access the same file simultaneously? For some reason my instincts say "Files don't belong in a database, that's what file systems are for".

I'm racking my brains for some 'cons' to balance out the database's 'pros', but drawing a blank.

Oh well I suppose someone else might have something to contribute to this so I'll shut up now.
Old 11-08-2002, 11:58 AM   #6
mikejohnston
Member
 
Join Date: Sep 2002
Location: Atlanta, GA USA
Posts: 35
You could "in theory" run into problems with simultaneous downloads, but MySQL can handle multiple threads. Remember, the actual "download" is "reading" data from the table so problems generally present themselves when "writing" to the record.

I have a database table with about 2000 files in it (images, documents, etc.) and I have not experienced any slow down or resource issues with it "so far".

__________________
Mike Johnston
CTO, Soholaunch.com, Inc.
http://www.soholaunch.com
Old 11-12-2002, 05:45 AM   #7
davetshave
Linux newbie
 
Join Date: May 2002
Location: Delft, Netherlands
Posts: 36
A final comment.

Although I am also using MySQL I was hoping to use my product with more databases than that. Even Access. So I suppose that if one can use MySQL then storing files in a DB is not such an issue and is probably the better (more integrated) solution.

I'm not so sure how well Access would deal with it though.

Glad we discussed this as now I know for sure which way I should jump.

Greetings,

David.
Old 11-12-2002, 06:00 AM   #8
thoand
Senior Member
 
Join Date: Mar 2002
Posts: 338
Thanks

Thank you for sharing your thoughts on this subject.
It seems I have no other choice but to store them in an inaccessible folder on the server, because the client has this way on their internal system.

best regards Thomas
All times are GMT -4. The time now is 12:02 PM.