In my project, a user will upload a PDF file. It will be stored in a directory named 'uploads' with the name `$_SESSION['userId'].".pdf"`. Now the user can access the file using 'myweb.com/uploads/id.pdf'. But when the user changes the id value in the URL bar of the browser, he is able to access another user's file. To prevent it, instead of a link I would like to use a form to post `$_SESSION['userId']` with a hidden type to the next page. On the next page, the user will be redirected to the file using the posted id.
Is this idea okay? Or are there any better solutions?

- Nope. Because it does not help you if you just hide it from the URL. What if the user checks the source code? Think about an ajax download, or better, if you send it to him in an email. – vaso123 Jul 12 '16 at 10:46
- Check isset `$_SESSION['userId']` and compare that with the id in the URL – Sree KS Jul 12 '16 at 10:47
- @Sree yes, this would be my next suggestion, which is obvious :) – vaso123 Jul 12 '16 at 10:48
- You need to think about permissions - Before enabling the download, check that the client has permissions to do so (create a permissions table in your DB, and attach a specific file to a specific user). For more info - http://stackoverflow.com/questions/4345322/how-can-i-allow-a-user-to-download-a-file-which-is-stored-outside-of-the-webroot – Alon Eitan Jul 12 '16 at 10:48
- Never keep sensitive information in the file names, instead give random file name with some auto increment number in file name and store in the DB against each record. – Shrikant Mavlankar Jul 12 '16 at 10:48
- No need to store the `SESSION` in a hidden input. It is already accessible throughout the site – Sree KS Jul 12 '16 at 10:49
- @Sree can you explain how to get the id from the URL? – Hari Jul 12 '16 at 10:54
- The id will always be the last part of the URL. You can split the URL to achieve that – Sree KS Jul 12 '16 at 10:57
4 Answers
In the folder of PDF files, you have to create a .htaccess file and place the following two lines in it.
Order Deny,Allow
Deny from all
This .htaccess file will not allow any PDF file to be accessed directly from the browser. To allow the logged-in user to access the PDF file, create a PHP file downloadpdf.php and place the following code in it. The logged-in user will be able to download only his/her own file this way.
<?php
session_start(); // required before $_SESSION can be read

// The file name is built from the server-side session only, never from request input.
if( isset( $_SESSION['userId'] ) )
{
    $pdf_file = "{$_SERVER['DOCUMENT_ROOT']}/path-to-pdf-file/" . $_SESSION['userId'] . ".pdf";
    if( file_exists( $pdf_file ) )
    {
        // 'private' keeps shared caches from storing one user's file for another.
        header( 'Cache-Control: private' );
        header( 'Content-Description: File Transfer' );
        // Send only the base name, not the server-side path.
        header( 'Content-Disposition: attachment; filename="' . basename( $pdf_file ) . '"' );
        header( 'Content-Type: application/pdf' );
        header( 'Content-Transfer-Encoding: binary' );
        readfile( $pdf_file );
        exit;
    }
}
die( "ERROR: invalid song or you don't have permissions to download it." );
?>

- This is working fine. But this script is downloading the file. I need to just open the pdf file in browser itself. Any solution? – Hari Jul 12 '16 at 11:44
If you don't want a user to see the files of other users, then you should never expect the result from the user on the client side.
Store the data in the session/database or something similar, and retrieve the value from it in case of restricted usage.

Is it really necessary to assign the id to the file name? Using the id as a hidden field is still very much vulnerable.
Why don't you generate a filename with a unique ID for every user? You may add one more database field called uuid (char 36), if necessary. You can use the uniqid() function.
So, every time, instead of checking with the primary key id, you can store the uuid in the session and check accordingly.

- So, the link will be like `view my file` right? then again the user can enter any random id and have a chance to view other user's file. – Hari Jul 12 '16 at 10:59
- As per your requirement, can a user view only their file? If so, then we need to store the uuid in database and check this uuid with the currently logged in user. If it matches, you have the permission. – Indrasis Datta Jul 12 '16 at 11:01
- Where should I check whether the requested file is assigned to currently logged in user? Should I make a new file and there, extract the uuid from the URL, check the database, if it is assigned then allow him to the link 'uuid.pdf'? Can you please give me a simple example? – Hari Jul 12 '16 at 11:13
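
The permission check that the comments and answers above describe (a random file name stored in the database against the user, compared with the logged-in session, and the file kept out of direct reach), as an added example that is not part of any answer on this page; it sends the PDF inline so the browser opens it instead of downloading it. The `user_files` table, the `token` column, the `f` parameter, the storage directory and the SQLite DSN are assumptions.

```php
<?php
// view.php: added example. Table, column, parameter and path names are assumptions.
// Assumed schema: user_files(user_id INTEGER, token TEXT UNIQUE). The token is
// bin2hex(random_bytes(16)), generated at upload; the PDF is saved as <token>.pdf.
declare(strict_types=1);

const STORAGE_DIR = '/var/app/private_uploads'; // assumption: outside DOCUMENT_ROOT

/** Return the file path only if $token is registered to $userId, else null. */
function authorizedPath(PDO $db, int $userId, string $token): ?string
{
    // Exactly 32 lowercase hex chars: rules out "../" and guessable numeric ids.
    if (preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
        return null;
    }
    // Ownership is decided by the session's user id, never by request input.
    $stmt = $db->prepare('SELECT 1 FROM user_files WHERE token = ? AND user_id = ?');
    $stmt->execute([$token, $userId]);
    if ($stmt->fetchColumn() === false) {
        return null;
    }
    $path = STORAGE_DIR . '/' . $token . '.pdf';
    return is_file($path) ? $path : null;
}

session_start();
if (!isset($_SESSION['userId'])) {
    http_response_code(403);
    exit('Not logged in.');
}
$db = new PDO('sqlite:/var/app/app.db'); // assumption: use the application's own DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$token = $_GET['f'] ?? '';
$path = is_string($token) ? authorizedPath($db, (int) $_SESSION['userId'], $token) : null;
if ($path === null) {
    // Same reply for "no such file" and "not yours", so tokens cannot be probed.
    http_response_code(404);
    exit('File not found.');
}
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="document.pdf"'); // inline: open in browser
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```
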
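A better solution is to check isset `$_SESSION['userId']` and compare that with the id in the URL:
<?php
session_start();
// Take the last path segment of the request, e.g. "42.pdf".
$link = $_SERVER['PHP_SELF'];
$link_array = explode('/', $link);
$page = end($link_array);
// The part before the first dot is the requested id.
$id = explode('.', $page);
$userid = $id[0];
// Strict string comparison: loose == treats numeric strings such as "010" and "10" as equal.
if (isset($_SESSION['userId']) && $userid === (string) $_SESSION['userId']) {
    // display file
}
else {
    // not authorized
}
?>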
