
I am building a basic file manager just for learning purposes.

How this system works:

1. User registration. While the user fills in the registration form, a directory is created with a unique name. This name is also stored in the database.
2. The user logs in and accesses the files and folders they created.

But I faced a problem here: anyone who knows the folder name and file paths (which can be taken from the URL) can access them.

I want to make it secure: only the logged-in user who created the folders and files should be able to access them. Register.php file:

<?php
if(mysql_query("INSERT INTO user (UserId,FirstName,LastName,UserDirectory,Email,Password,Gender,dob,ipaddress,dateTime) VALUES('$userid','$fname','$lname','$dir','$email','$upass','$gender','$dob','$ipaddress','$datetime')"))
{
    mkdir("file/$dir"); // create the user's personal directory; its name is also stored in UserDirectory
    header("location:dir.php");
    exit; // stop the script after the redirect
}
?>

dir.php file

<?php
session_start();
include_once 'dbconnect.php';

if(!isset($_SESSION['user']))
{
    header("Location: index.php");
    exit; // without exit the listing below is still sent to anonymous visitors
}
$id = $_SESSION['user'];
$res = mysql_query("SELECT * FROM user WHERE UserId = '$id'");
if(mysql_num_rows($res) > 0){ // if one or more rows are returned do following
    while($result = mysql_fetch_array($res)){
        $mydir = $result['UserDirectory']; // directory name stored at registration

        //path to directory to scan
        $directory = "file/$mydir";

        //get all files in specified directory
        $files = glob($directory . "/*");

        //print each file name
        foreach($files as $file)
        {
            //check to see if the file is a folder/directory
            if(is_dir($file))
            { ?>
  <a href="<?php echo $file; ?>"> <br><?php echo $mydir; ?> </a> <?php
            }
        }
    }
}
?>

So a logged-in user can easily access other users' files by just typing the file path. I mean personalised folders and files: only the creator of a file or folder should be able to edit/view it. Request: this system is just for learning purposes and I just want to learn this task, so if you don't have a solution related to this, please don't comment about mysqli and PDO. Thanks in advance :)

Utam Sharma
  • If you want to make it secure, ditch mysql_*; that's the very first thing to do. – e4c5 Dec 27 '16 at 10:28
  • Having done that, store the files outside the root folder of the website and then use fpassthru to send the file. – e4c5 Dec 27 '16 at 10:29
  • As said by @e4c5, prefer to use [mysqli_*](http://php.net/manual/en/book.mysqli.php) functions or [PDO](http://php.net/manual/en/book.pdo.php), but avoid mysql_*. – Anthony Dec 27 '16 at 10:32
  • I'm not really sure I understand your problem, but your freshly created directory should be accessible only from dir.php. So an .htaccess should prevent anyone from accessing what is inside. Also, in dir.php check that your user is the only authorized one. – Anthony Dec 27 '16 at 10:44
  • Every logged-in user creates their own directory. I want this directory to be accessible only by the creator of this folder. Other logged-in users should not access these directories/files. @AnthonyB – Utam Sharma Dec 27 '16 at 10:47
  • "this system is just for only learning purpose and i just want to learn this task. so if you dont have solution related this please dont comment about mysqli and PDO Comments." — Why are you learning an obsolete API? It's dead so it isn't useful for learning purposes. – Quentin Dec 27 '16 at 11:02
  • Can you please share the similar question? Because you marked it as a duplicate. And anyone who doesn't know the answer just comments "use mysqli, PDO" blah blah... I can read the first comment about this, so why does everyone post these comments, especially the guys who don't know the solution? Anyway, I would like to know the original question, please share the link. @Quentin – Utam Sharma Dec 27 '16 at 14:18
  • @UtamSharma — Try looking at the massive yellow box at the top of the page … and taking warnings about obsolete APIs seriously. – Quentin Dec 27 '16 at 14:19
  • I can't find any link to the original question. Will you please share the link in a comment? Thanks @Quentin – Utam Sharma Dec 27 '16 at 14:23
  • http://i.imgur.com/NPY70mb.png – Quentin Dec 27 '16 at 14:25
  • Do you really think both questions are the same? I think you have to read my question again. @Quentin – Utam Sharma Dec 28 '16 at 01:01

1 Answer


You are creating folders, but if someone knows the URL they can access them. What you could do is allow access only through dir.php. By doing that, you can check at any moment who is accessing the folder.

If a user john has a folder /file/john, he should not be able to access it directly, as he could using a file manager on a desktop. The files must be accessed through your PHP file.

So, in /file/.htaccess you can write Deny from all to deny everybody access to it via Apache. Then, in dir.php you can use a GET parameter to choose the folder to display. If anyone tries to access dir.php?folder=john (only an example), the following things are necessary:

  • Get the owner of /file/john from the database, if it exists
  • Get the logged-in user

If these two users are the same person, allow access, otherwise deny.

If you have the user id saved in the session, you can do something like this:

//$idOfFolderOwner is the id in database of folder owner 
if ($_SESSION['idUser'] === $idOfFolderOwner) {
    //User is allowed 
} else {
    //User is not allowed
}

Also, be careful with uploaded files to avoid security issues. For example, if john uploads a .htaccess containing Allow from all to /file/john/, it will override your own .htaccess.

Anthony
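One way to implement the check the answer describes in dir.php, as an added example that is neither the answer's nor the question's code: the .htaccess refuses direct URLs, the folder name comes from the GET parameter, and its owner is looked up and compared with the session user before anything is listed. The database credentials are placeholders, and it uses mysqli prepared statements instead of the question's mysql_* functions.

```php
<?php
// Added example, not the answer's own code: dir.php with the owner check
// the answer describes. Assumes /file/.htaccess holds "Deny from all"
// (Apache 2.2; "Require all denied" on 2.4), the question's user table
// (UserId, UserDirectory), and that login stored UserId in $_SESSION['user'].
// Uses mysqli prepared statements rather than the question's mysql_* calls.
session_start();
if (!isset($_SESSION['user'])) {
    header('Location: index.php');
    exit; // without exit the script keeps running for anonymous visitors
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholder credentials

// Accept a bare directory name only, so "../" or "john/secret" never reaches
// the filesystem or the query.
$folder = $_GET['folder'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $folder)) {
    http_response_code(400);
    exit('Bad folder name');
}

// Who owns this directory according to the database?
$stmt = $db->prepare('SELECT UserId FROM user WHERE UserDirectory = ? LIMIT 1');
$stmt->bind_param('s', $folder);
$stmt->execute();
$stmt->bind_result($ownerId);
$found = $stmt->fetch();
$stmt->close();

// Deny unless the folder is known and its owner is the logged-in user.
if (!$found || (string) $ownerId !== (string) $_SESSION['user']) {
    http_response_code(403);
    exit('Forbidden');
}

$base = realpath(__DIR__ . '/file/' . $folder);
if ($base === false || !is_dir($base)) {
    http_response_code(404);
    exit('No such folder');
}

// List the owner's entries. Serve downloads through a PHP script that repeats
// this check and uses readfile(); with the .htaccess in place the direct URL
// /file/john/... is refused by Apache.
foreach (scandir($base) as $entry) {
    if ($entry === '.' || $entry === '..') continue;
    echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), is_dir("$base/$entry") ? '/' : '', "<br>\n";
}
```

The same owner lookup has to run again in whatever script hands out the file contents, since the listing page and the download are separate requests.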
  • It's a very good solution. Is there any way to do this using sessions? Thanks. @AnthonyB – Utam Sharma Dec 28 '16 at 01:05
  • @UtamSharma If your user is logged in, you've probably saved it in the session. So in `dir.php` you can use this session to check the user. – Anthony Dec 28 '16 at 07:05
  • If I do this, every logged-in user can access all folders, but I want to do this in a personalized manner: users can upload their personal files, and only the owner of the files/folders can access them, exactly like Dropbox. You upload your files and only you are able to access your files and folders. @AnthonyB – Utam Sharma Dec 28 '16 at 07:57
  • I've added an example; you can check with the session whether the user is the owner of the folder. If not, reject him. – Anthony Dec 28 '16 at 08:05
  • Where should I place this code? In dir.php? @AnthonyB – Utam Sharma Dec 28 '16 at 08:08
  • Yes. You should do this check before allowing the user to get or view any folder/file. So in dir.php add this verification. – Anthony Dec 28 '16 at 08:10
  • Thank you very much. @AnthonyB – Utam Sharma Dec 28 '16 at 08:18
  • @AnthonyB What's the difference between creating a .htaccess and setting it to Deny from all, and setting chmod() to 0600? – I try so hard but I cry harder Jun 14 '20 at 22:06