ALEX WEB DEVELOP

How to Protect Uploaded Files
by Alex


Hey,
Alex here.


Files uploaded by remote users are stored somewhere on the server.
Usually, web apps have a dedicated sub-directory for this purpose, like "uploads/".
To download an uploaded file, you simply link the file like this:

https://www.alexwebdevelop.com/uploads/myFile.pdf

This system works.
However, all the files inside uploads/ are accessible to everyone.
Whoever uses a direct link, like the one above, can download the file.


But what if you want only allowed users to download a file?
How can you decide exactly who can download each file, under which conditions, how many times and so on?


To do that, you need to perform three steps: change the upload directory, save the file information on the database, and implement a PHP file gateway.

Let's see how it's done.



1. The upload directory.

For uploaded files to be protected, you must keep them inside a protected directory.
That is, a directory that is not accessible with a URL.

The best solution is to choose a directory outside of the webserver root, which is the base directory for your website.

If this is not possible, another solution is to protect a specific directory with an .htaccess file or a similar technique.

Whatever your choice is, what really matters is that it must be impossible for remote users to reach the uploaded files directly with a URL.



2. The database.
When a remote user uploads a new file, you need to add a new row into a dedicated database table with some information about the file.

Why do you need this?
Well, because this way your application can "remember" which users have uploaded the files, when they did, from which page and so on.

Your application can then use this data to decide whether to allow or deny a download request later.
For example, if you want users to download only their own files, this database table tells you exactly to which user every uploaded file belongs.

You can keep this table simple.
As a start, you can create a table with the following columns:

  • The ID (the table primary key)
  • The file name
  • The user who uploaded the file
  • The time when the file was uploaded
  • The page from which the file was uploaded


3. The PHP file gateway.
Now, you are probably asking: if uploaded files are protected, how is it possible to download them?
The answer is: by implementing a PHP file gateway.

A file gateway is a PHP script that performs three steps:
  • Receives the download requests from remote users.
  • Verifies that the user is authorized to download the file.
  • If allowed, sends the file to the remote user.

The download request includes a request parameter that specifies which file to download.

This parameter can contain the file name or the file ID (the ID of the database table).
For example, to request the myFile.pdf file, the URL from before becomes:

https://www.alexwebdevelop.com/get_file.php?file=myFile.pdf

The get_file.php script is the file gateway.
The file request parameter contains the name of the file to download.
The script checks if the current user is authorized to download the myFile.pdf file, by looking at the current user's information and the file information from the database.

If the download is authorized, the script reads the file and sends it to the remote browser.

You can do that easily with the readfile() function.
For example:

<?php
/* File upload directory. */
$uploadDir = '/var/www/protected_dir/';

/* The request parameter with the file name. */
/* Not validated here: a value containing "../" would be read from outside $uploadDir. */
$file = $_REQUEST['file'];

/* Send the file. */
readfile($uploadDir . $file);


And that's pretty much it.
Note that I have skipped a few steps, such as the file name validation (which is crucial to avoid dangerous security issues), the content type and so on.
If you are interested in implementing a secure file gateway, you will find a complete implementation in my PHP Security course.

If you have questions about the implementation details, just send me a reply!
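
An added example, not from the newsletter or from the author's course: a minimal gateway check that ties the three steps together (protected directory, database row, validated file name). It assumes PHP 8 with the pdo_sqlite extension; the `uploads` table, its column names, and the functions `authorizedPath()` and `sendFile()` are hypothetical names chosen for this illustration.

```php
<?php
declare(strict_types=1);

/* Added example; table, column and function names are assumptions (PHP 8, pdo_sqlite). */
/* Returns the real path of $name if $userId may download it, otherwise null. */
function authorizedPath(PDO $db, string $uploadDir, string $name, int $userId): ?string
{
    /* File name validation: a plain name only, no directory components or NUL bytes. */
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    /* Authorization: the row must exist and belong to the current user. */
    $st = $db->prepare('SELECT 1 FROM uploads WHERE file_name = ? AND user_id = ?');
    $st->execute([$name, $userId]);
    if ($st->fetchColumn() === false) {
        return null;
    }
    /* Defence in depth: the resolved path must sit directly inside the upload directory. */
    $base = realpath($uploadDir);
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path) || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

/* Sends the file as an attachment so the browser does not render or sniff it. */
function sendFile(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

/* Constructed demo data (CLI only): one upload owned by user 7. */
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/gw_demo_' . getmypid();
    is_dir($dir) || mkdir($dir);
    file_put_contents($dir . '/myFile.pdf', 'demo');
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE uploads (id INTEGER PRIMARY KEY, file_name TEXT, user_id INTEGER, uploaded_at TEXT, upload_page TEXT)');
    $db->exec("INSERT INTO uploads VALUES (1, 'myFile.pdf', 7, '2024-01-01 10:00:00', '/profile.php')");
    foreach ([['myFile.pdf', 7], ['myFile.pdf', 8], ['../../etc/passwd', 7]] as [$f, $u]) {
        echo $f, ' user ', $u, ': ', authorizedPath($db, $dir, $f, $u) === null ? 'denied' : 'allowed', PHP_EOL;
    }
}
```

In get_file.php, pass the `file` parameter to authorizedPath() only after confirming it is a string, take the user ID from the logged-in session, and call sendFile() only when the result is not null.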



That's all for today.
Now it's your turn: send me a reply with your questions and thoughts.

Until next time,
Alex



Alessandro Castellano, P.IVA (VAT ID): 07012140484, via Luigi Morandi 32, 50141 Firenze FI, Italy
