sotirios9

Reputation: 167

How to store sensitive files and only allow access to certain users

I have a web app that lets users store files which contain sensitive information. So far I've written code so that if they wish to view their files, they go through view.php?id=xx and a check is done through a database to confirm that they are allowed to look at said file. As an example, John uploads "information.pdf" to the folder "uploads" which is found at "www.mysite.com/uploads", so the file's exact path would be "http://www.mysite.com/uploads/information.pdf", and in the database this same file has an id of, say, 2, so he would get to it via view.php?id=2.

Question

How do I stop anyone from just going to the exact path and looking at his sensitive file?

What I've done

Written the code to only allow access to files if users go through my website, not directly.

I have looked at the recommended questions for the same title, however have had no luck.

Any help would be greatly appreciated.

Upvotes: 0

Views: 640

Answers (1)

Shiplu Mokaddim

Reputation: 57650

Don't put it in a publicly accessible path like http://www.mysite.com/uploads/. Put it outside htdocs and only allow access through your view.php

If you want to give download facility to the owner just create a download.php that checks permission the same way as view.php but instead of viewing it lets the user download.

Upvotes: 2
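A worked version of the approach in this answer, added here as an example rather than code from the poster or the asker: the file is read from a directory outside the web root, served only after the id is matched against the logged-in owner in the database, and the same script doubles as download.php by switching Content-Disposition. The storage path, the `files` table layout, the `$_SESSION['user_id']` key and the `db.php` include that provides `$pdo` are all assumptions.

```php
<?php
// Added example, not the poster's code. Assumptions: STORAGE_DIR is outside
// the web root; table `files` has columns id, owner_id, stored_name,
// original_name, mime_type; the login code sets $_SESSION['user_id'];
// db.php (assumed) defines a connected PDO instance in $pdo.
declare(strict_types=1);
session_start();
require __DIR__ . '/db.php';
const STORAGE_DIR = '/var/www/private_uploads';

function send_file(PDO $pdo, int $id, int $userId, bool $asDownload): void
{
    // Filter by id AND owner in one query: a missing file and someone else's
    // file both give the same 404, so ids cannot be probed for existence.
    $stmt = $pdo->prepare('SELECT stored_name, original_name, mime_type
                           FROM files WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit;
    }
    // Resolve the real path and confirm it is still under STORAGE_DIR,
    // so a bad stored_name can never point outside the private folder.
    $base = realpath(STORAGE_DIR);
    $path = realpath(STORAGE_DIR . '/' . $row['stored_name']);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        http_response_code(404);
        exit;
    }
    // Strip characters that would let a name break out of the header value.
    $safeName = str_replace(['"', "\r", "\n"], '', $row['original_name']);
    $disposition = $asDownload ? 'attachment' : 'inline';
    header('Content-Type: ' . $row['mime_type']);
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: ' . $disposition . '; filename="' . $safeName . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);
    exit;
}

if (!isset($_SESSION['user_id'])) {
    http_response_code(403);   // not logged in: nothing to check ownership against
    exit;
}
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit;
}
// Saved as view.php this serves inline; saved as download.php it sends attachment.
send_file($pdo, $id, (int) $_SESSION['user_id'], basename(__FILE__) === 'download.php');
```

Because STORAGE_DIR is not under the document root, a request for the raw path returns nothing from the web server, and the only route to the bytes is this script's ownership check.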
