8

What I'm Doing:

I basically need to create a website secured by a login page written in PHP that once logged in, you have a search bar that reads integers and the data is sent to a PHP script that retrieves an image with the number as its name.

(I'll be storing a few thousand images on this server to be searched - inventory images)

-

What I need help with:

From my research, I understand that you "don't" use databases such as MySQL to store actual images because of speed and inefficiency. If you don't store it in a database, and you leave it on the server's file system as suggested, if someone types a direct URL into an address bar, wouldn't it bring them to the files on my server?

How do you protect against this. I wan't no files on my server to be viewable without successfully going through the login page.

Thanks for any help, any insight or suggestions would be appreciated. This is important for me because more complex information will be added in the future.

DMor
  • 770
  • 2
  • 8
  • 17
  • 2
    You can have a directory that isn't accessible via HTTP and you can use a php script that checks whether user is logged on and if yes, reads the file from the specified directory and outputs it. – N.B. May 10 '12 at 08:19
  • I've read to leave a file outsite the "public_html" folder. Would that make it completely inaccessible from http? How would my php script have access to the files, then? – DMor May 10 '12 at 08:21
  • `public_html` is usually the directory from which the files are served, when using Apache with cPanel. That means when you type `http://yoursite.com`, the data is being pulled from `/var/www/username/public_html`. That also means that whatever you type in the URL, `/var/www/username` is **not** accessible. It also means that a directory that you'd create there, such as `/var/www/username/files` would also not be accessible. From your PHP script, you'd access it with something like `file_get_contents('/var/www/username/files/imagename.extension`);`. – N.B. May 10 '12 at 08:31
  • php has access to any file on the server (depending on permissions) it is not restricted by the web root –  May 10 '12 at 08:31
  • Alright, thanks both of you, now I know how to store my files. Should I be using a database to store file paths, or should I just ignore databases completely? hardcoding the path, with a variable holding place for the input (the name of the image)? – DMor May 10 '12 at 08:36
  • I personally save file information to the DB. – N.B. May 10 '12 at 08:40

3 Answers3

6

A recommended way of handling file downloads via PHP (or any other script) is by using the so called 'X-Sendfile' response header.

The PHP script handles the authentication and once validated it will set a few response headers together with an 'X-Sendfile' that tells the web server to deliver a file; the script ends and the web server takes over.

See here for a simple example:

http://www.jasny.net/articles/how-i-php-x-sendfile/

Ja͢ck
  • 170,779
  • 38
  • 263
  • 309
1

this may be overkill for your situtation, but this is how i am thinking about doing it on an app i am developing:

first, there are 4 servers, a web server, a middle ware server, and a data server

when someone sends a request to the web server, the web server connects to the middleware server and requests the file, passing along the user credential like a session key and the file requested. the middleware connects to the db and validates the session adn that users privileges to that file. it will return either an error, or the binary data if they have access. if you turn off output buffering on both the web server and the middleware server, you can send 100k blocks from the middleware server to the web server, and the web server will output the first block while it's receiving the second block.

the file itself can be stored on the database server via ftp, sftp, or other filesharing

it's definitely not as efficient as using x-sendfile, but if someone is able to pwn your web server, they will still not have access to the file - in the scenarios above, they would. the web server is the only public server, so the rest of the servers should be connected on a private network.

you can also send the data to an encryption server that will encrypt/decrypt the actual file data

if anyone has any ideas on how to improve on this, i am interested.

macdabby
  • 196
  • 1
  • 8
  • Interesting, but this is definitely more complex than I need (but it is interesting to read). I honestly didn't know about .htaccess at that time and that it can block viewing a whole folder. I already implemented this. I have an HTML login form that takes the data, sends it to a processing script that validates the user, which if validated, sends the user to a search page. the user enters an Item # and is sent to another processing script which accesses a database with the number as the Primary Key, holding a file path and other info. If it exists, it pulls the file path – DMor Aug 13 '12 at 06:53
  • the folder of images is protected by .htaccess ("DENY FROM ALL"). I also use an SSL and store the other info regarding the image in a MySQL db – DMor Aug 13 '12 at 06:54
0

you can do it this way write a resource serve in php like this

image.php?requestid=.....

in that file you get requestid and read actual link(local link) from database, read image file then output data to browser

$id = $_GET['requestid'];
$link = get_local_link_from_id($id);  // return /images/file1.png......
$data = file_get_contents($link);
header('Content-Type', 'image/png');
echo $data;

But i think you should not do that, just rename file randomly and create a lot of them....

James
  • 13,571
  • 6
  • 61
  • 83
  • They need to retain the original number, it isn't my system, but as requested by the person who hired me. And this is secure enough? as long as my PHP script filters requests, correct? – DMor May 10 '12 at 08:29
  • GET is never secure, even POST too may not be enough for security. – ilhnctn May 10 '12 at 08:31
  • @ilis - what's the point of your comment? GET and POST are the methods used by HTTP, they are "insecure" only if misused when interpreting the user input. – N.B. May 10 '12 at 08:39
  • @N.B. i think i wont be enough to explain the the point about insecureness of them for the moment. but i will turn here back in a short while with full details(in a few days) – ilhnctn May 10 '12 at 08:44
  • 4
    What's there to discuss? The only way to pass data using HTTP is using GET/POST (in current context). You're saying they're insecure. No, they're not insecure. What's insecure is **how you interpret** that data, much like with any other protocol out there. There's nothing wrong with protocol or the two mentioned methods. Please don't post misleading comments. – N.B. May 10 '12 at 08:48