Re: .htaccess and user file/folder access outside public_html


 



On May 25, 2013, at 13:38, Rafnews <raf.news@xxxxxxxxx> wrote:

> Hi,
> 
> I'm facing a problem and I don't know where to start and, in fact, how to do it.
> 
> Situation:
> Users of my website should be able to save their resume files + cover letters on my webserver.
> 
> problem:
> How to make their files SECURED from any hack? I mean only the file owner and web administrator (so in this case... myself) should have access to those files.
> User B should never be able to access, read or download files of user A.
> 
> my guess:
> I was thinking to store files outside the public_html folder, in the following way:
> 
> /resumes/user A/resume A
> /resumes/user A/cover letter A
> 
> /resumes/user B/resume B - US
> /resumes/user B/resume B - ES
> /resumes/user B/cover letter B
> 
> Questions:
> 1. How can I allow a user to have access to a folder/files outside public_html?
> 2. How can I ensure that user A has access to his own files ONLY?
> 
> I searched on the internet for some help but I did not find anything really relevant... only theory and nothing really in detail.
> 
> I need your help.
> thx.
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 


You will have to make a few scripts that check whether User A is logged in or not, read the files with PHP, change the default headers and print the output, which should be the exact same document. A quick example would be:

<?php
// $_SESSION is only populated after session_start()
session_start();
// file_exists also checks whether a directory exists
if (!empty($_SESSION['userId']) && file_exists(dirname(__FILE__).'/../resumes/'.$_SESSION['userId'])) {
	// the headers needed for a .doc download; check out the documentation for the header() function on php.net
	header('Content-Type: application/msword');
	header('Content-Disposition: attachment; filename="resume A.doc"');
	echo file_get_contents(dirname(__FILE__).'/../resumes/'.$_SESSION['userId'].'/resume A.doc');
}

Above is basic pseudo-code, not tested. Now all you have to care about is that userId is correctly set and that nobody can hijack that user account.

Greetings.
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
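
A fuller version of the approach described in the reply above, added here as an example and not part of the original message: the directory comes from the session, the request only picks a file name, and the resolved path is checked to still lie inside that user's folder. The `file` query parameter, the `deny()` helper and the numeric `userId` are assumptions; the `../resumes/<userId>/` layout follows the reply's code.

```php
<?php
// Added example: download.php sits in public_html, the files one level above it.
// Assumed (not from the thread): ?file= parameter, numeric userId set at login.
session_start();

// Hypothetical helper: stop with a status code and no further output.
function deny(int $status): void {
    http_response_code($status);
    exit;
}

// 1. Only a logged-in user gets any further.
$userId = (string) ($_SESSION['userId'] ?? '');
if (!preg_match('/^[0-9]+$/', $userId)) {
    deny(403);
}

// 2. The directory is derived from the session, never from the request.
$userDir = realpath(__DIR__ . '/../resumes/' . $userId);
if ($userDir === false || !is_dir($userDir)) {
    deny(404);
}

// 3. The request only chooses a file name; basename() drops any directory part.
$raw  = $_GET['file'] ?? '';
$name = is_string($raw) ? basename($raw) : '';
if ($name === '' || $name === '.' || $name === '..') {
    deny(400);
}

// 4. Resolve symlinks and ".." and confirm the result is still inside $userDir.
$path = realpath($userDir . DIRECTORY_SEPARATOR . $name);
if ($path === false
    || strncmp($path, $userDir . DIRECTORY_SEPARATOR, strlen($userDir) + 1) !== 0
    || !is_file($path)) {
    deny(404);
}

// 5. Send it as a download so the browser never renders uploaded content.
$safeName = preg_replace('/[^A-Za-z0-9 ._-]/', '_', $name);
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because user A's session can only ever produce a path under user A's folder, a request such as `?file=../2/resume.doc` ends in a 404 rather than in user B's file.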





