Re: How To Limit FIle Uploader Against Hijackers?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Nitsan Bin-Nun wrote:
Hi

I have wrote a file uploader in PHP, and I don't want people to hijack it
(get direct links, download whenever they want, etc).

Currently I have placed the uploaded files one directory up from the www
root, and I'm hosting the files mime type in order to serve them on the fly.

I'm trying to think how should I secure this website, I don't want people to
get direct links,etc.

Currently the links are being check with the $_SERVER['refer'] variables and
it being compared to the one in my config file.

Any ideas will be very appreciated! Thanks!


By the way, does this file serving feature takes a lot of load from the
server? if so then what are the other options? can I serve these files w/o
PHP involved? lets say only by some sort of apache module or anything like
that?


What I do -

Files for restricted access are outside the web root.
php wrapper script verifies the credentials of user to download the file (IE via a post token, session ID, etc.) and if allowed, it then sends the real file.

I use mod_rewrite (apache) to send requests for the real file to the php wrapper script so that the linked file has the same name as the real file (lets me use the same wrapper for lots of different files).

As far as load on the server, no - I don't think it costs a lot as far as system resources.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux