HOME Community Articles Code Library People Mail Archive My Account Contribute PHP Jobs

Open Source Database Feature Comparison Matrix Try Declarative Programming with Annotations and Aspects Locate All Stored Procedures and Their Objects/SQL Tables Building a Stored Procedure Generator Making Tables Read-only in Oracle

24-hour Support Daily Backup Dedicated Servers JSP/Java Servlets PHP MySQL Streaming Audio/Video Telnet/SSH Unix Hosting 24-hour Support

From: se <email protected>
Date: 08/31/99

• Next message: Kristian Köhntopp: "Re: [PHP3] Something like "isNull" in PHP3???"
• Previous message: Jason Brooke: "Re: [PHP3] CGI Error"
• In reply to: Cameron Just: "[PHP3] Uploaded files stored in Database or Filesystem?"
• Next in thread: christopher wright: "Re: [PHP3] Uploaded files stored in Database or Filesystem?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>Hi,
>
>Say you have 1000+ users and they need to have the ability to upload and
>keep files on the server.
>They would all have a certain quota of files stored on the server.
>Now the big question is do I store them in the database or on the server.
>
>Keeping in mind that users are authenticating not via header auth's(ie No
>authenticated Realms invovled).
>They login via a form on a webpage. They are then issued a unique key
>which travels with them from page to page until they logout. Without this
>key they have no access to the system.(Don't concern with the security it
>is covered)
>
>Now if I store the files in the filesystem they will be vulnerable to
>access by anyone.
>Because
>1) I never authenticate people to a realm. They are verified only by their
>unique key which travels in post and get variables. So there can be no
>.htaccess type protection on directories/files.
>Plus I can't guarantee that the system will be running on a php module.
>2) The files would have to be stored in the webtree to be visible via the
>web to the user.
>

if you want to deny access to the files from users not having your auth key,
you could do something like

<Directory /users/files>
ForceType application/x-httpd-php3
</Directory>

in your httpd.conf, and then let /users/files be a php script that checks
the autentication key from the user before it outputs the file. with an url
like http://yourplace.com/users/files/myname/myfile.txt
/files/myname/myfile.txt would be available in the script files as
$PATH_INFO, and the files could be stored outside the web tree..
(you would also have to output the correct headers...)

or: you could auto_prepend a php authentication script that redirects on
auth failure for the file directory.

the methods would be slightly different if you have to use the cgi. anyway:
i hope you can access the httpd.conf where you will run the application
(or i think you will have a very hard time...)

i can see no reason that having the files in a database would make either
access control, scripting or administration easier.

hth,

stein

-- 
PHP 3 Mailing List <http://www.php.net/>
To unsubscribe, send an empty message to php3-unsubscribe <email protected>
To subscribe to the digest, e-mail: php3-digest-subscribe <email protected>
To search the mailing list archive, go to: http://www.php.net/mailsearch.php3
To contact the list administrators, e-mail: php-list-admin <email protected>

• Next message: Kristian Köhntopp: "Re: [PHP3] Something like "isNull" in PHP3???"
• Previous message: Jason Brooke: "Re: [PHP3] CGI Error"
• In reply to: Cameron Just: "[PHP3] Uploaded files stored in Database or Filesystem?"
• Next in thread: christopher wright: "Re: [PHP3] Uploaded files stored in Database or Filesystem?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]