Uploading files and keeping them safe

Question

I'm using php and MYSQL. I've created a members area where people can upload important images (basically for financial record). I was hoping to get some advice as to the best way to store these files. What kind of folder structure would be best? Ex domain.com/Files/UserName/RandomGeneratedName/Files.

Also any advice for chmod, .htaccess, .htpassword and any kind of password protection with php.

Thanks in advance.

Answer 1

I would recommend to store them outside the tree. In this way, by default you need to enable access to them, not disable access (just in case you have a bug in your .htaccess/config/code, the access to the files is disabled, not enabled)

Second, get rid of the random directory, it doesn't add much to the security, but it complicates the implementation unnecessarily

You can use php to check the member credentials, put the appropriate headers (mime type for ex., etag, etc.), and serve the file via passthru or something similar.

Answer 2

you could .htaccess for URL Rewriting and get the index.php file (write this code: ) in folder that save your files, so when anyone want to enter this folder: First: he dont know real address second: due there is a index.php that offer to home page he could not enter.

Answer 3

Best way:

• protect the directory with .htaccess
• add an index.html to directory "just in case"
• use random file names to store them in your directory
• use php/mysql to check if user has access rights to your files

example: You have a file in domain.com/protecteddir/sdjasdu83299sdnYUsb.dat

You can use php/mysql to send to user to a virtual directory to download the file. You can throw the correct file header + file name via php. So even if the file is called sdjasdu83299sdnYUsb.dat the user would download it as "myfinancial.doc"

The user will never know what the real file is located nor its name.

Your .htaccess file should contain:

<Files *>
Order Allow,Deny 
Deny from All 
</Files>