-2

Example: if we hit the link of any document, then we can easily download it. For example, if backup.sql is inside the backup folder of the website, then we can download it by hitting the URL www.example.com/backup/backup.sql

I don't know which type of document the client will store there, but obviously it can be confidential; that is why it is not shareable to all.

Working: now I am creating a certain document management tool where we can upload a document, download the document, and assign it to users who can download that document. But while creating it I got the idea that anyone can brute force that folder just by hitting the URL with random names: backup.sql, database.sql and so on. I am using the URL myself to make the document downloadable. Should I go with get_file_content()?

I want to know if there is a way to download the file in a secure way, for example so that only a user who is logged in to my website can download the file.

Something like via .htaccess or something else, so that I can block the files directory from outside access. Only the logged-in user can download the file, and it will be blocked from outside access so that nobody can brute force it. I know I can block it via .htaccess, but I want them to be able to download too, only for the users of my website.

Sayed Mohd Ali
  • Don't put secure docs below the DocumentRoot. Place them above or at the same level as the DocumentRoot – RiggsFolly Jul 16 '19 at 13:54
  • @RiggsFolly I didn't get it? How will it help me if I put the document in the root directory? – Sayed Mohd Ali Jul 16 '19 at 13:56
  • NO, I said DON'T put those docs BELOW the DocumentRoot; place them above or at the same level. Then only your code can access them, so you have control over WHO accesses them – RiggsFolly Jul 16 '19 at 13:57
  • Okay, you mean I should create an upload folder parallel to my root folder and put the documents there. Then I can control who can download those files. Okay, let me check it out. Nobody can access an upload folder outside the root folder of my website? – Sayed Mohd Ali Jul 16 '19 at 14:02
  • Yes... Parallel to your DocumentRoot (the Apache term for the **htdocs** or maybe **www** folder, normally). **Note** I am not talking about the Unix `root` folder – RiggsFolly Jul 16 '19 at 14:04
  • Yes, got it. So when the user uploads the file it should be uploaded there, parallel to root, and for the download link I should give the backtrack URL; for example, from the current directory root the download URL will be ../upload/backup.sql – Sayed Mohd Ali Jul 16 '19 at 14:06
  • Well, I would write a little `php` to get the file ONLY if the user is logged in or matches whatever criteria. Then you put the php script as the download link, `Filename` for example – RiggsFolly Jul 16 '19 at 14:08
  • If the outside users cannot access the folder parallel to the root folder, then what is the use of the download.php script? – Sayed Mohd Ali Jul 16 '19 at 14:10
  • That IS ALLOWED to access the folder containing the docs – RiggsFolly Jul 16 '19 at 14:11
  • Then what is the use of the script? I know I can prevent the user from downloading via my download URL page. I want to prevent them from directly accessing the folder, so they can't brute force the folder documents. I can easily remove the download button from the download page if they are not logged in. – Sayed Mohd Ali Jul 16 '19 at 14:13
  • They cannot directly access the folder if you have it outside of the web root directory. Only your script will be able to access it. So, in the script, verify the user has access to the file requested before downloading it. Your download script will need to read the file contents and output them to the user with the correct content headers, etc. – MER Jul 16 '19 at 14:18
  • See [here](https://stackoverflow.com/questions/4345322/how-can-i-allow-a-user-to-download-a-file-which-is-stored-outside-of-the-webroot) – MER Jul 16 '19 at 14:21
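The approach the comments converge on (documents stored beside, not below, the DocumentRoot, and a small PHP script as the only way to reach them), written out as an added example. This is not code from the question or the comments. It assumes session-based login that sets `$_SESSION['user_id']`, a document directory at `/var/www/private_docs`, and two hard-coded arrays that stand in for the document table and the per-document ACL the application would keep in its database.

```php
<?php
// download.php: added example of the "script outside DocumentRoot" approach.
// Not code from the question or the comments.
// Assumptions: PHP sessions with $_SESSION['user_id'] set at login; documents
// stored under /var/www/private_docs (a sibling of htdocs, never below it);
// DOCS and ACL below are stand-ins for database rows.
declare(strict_types=1);

session_start();

const DOC_DIR = '/var/www/private_docs';

// document id => stored filename, and document id => user ids allowed to download it
const DOCS = [7 => 'backup.sql', 8 => 'contract.pdf'];
const ACL  = [7 => [42, 99], 8 => [42]];

function deny(): void
{
    // One response for "not logged in", "no such id" and "not permitted":
    // someone probing ids learns nothing about which documents exist.
    http_response_code(404);
    header('Content-Type: text/plain');
    echo 'Not found';
    exit;
}

if (empty($_SESSION['user_id'])) {
    deny();
}
$userId = (int) $_SESSION['user_id'];

// Documents are addressed by integer id, never by a client-supplied filename,
// so nothing the client sends is ever used to build a filesystem path.
$docId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($docId) || !isset(DOCS[$docId])) {
    deny();
}
if (!in_array($userId, ACL[$docId] ?? [], true)) {
    deny();
}

// Defence in depth: even though the name came from the DB, confirm the
// resolved path is still inside DOC_DIR before reading it.
$base = realpath(DOC_DIR);
$path = realpath(DOC_DIR . '/' . basename(DOCS[$docId]));
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    deny();
}

// Force a download, stop MIME sniffing, and only put a safe character set
// into the Content-Disposition header.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');

while (ob_get_level() > 0) {
    ob_end_clean();   // don't hold a large file in an output buffer before sending
}
readfile($path);
exit;
```

The download link in the page becomes `/download.php?id=7` rather than a path to the file, and the upload side writes into `DOC_DIR` under a server-chosen name and records the original name and the allowed users in the database. Nothing under `/var/www/private_docs` is ever served directly because Apache only serves what is below the DocumentRoot, so there is no folder for anyone to brute force. If the directory cannot be moved out of the web root, an Apache 2.4 `.htaccess` containing `Require all denied` in that folder blocks direct requests while the script still reads the files through the filesystem; moving the directory is the cleaner option because it does not depend on `AllowOverride` being enabled.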

1 Answer

-1

Maybe you should use "X-Accel-Redirect" for Nginx, and "X-Sendfile" for Apache.

Gallyamov
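What the answer's suggestion looks like in practice, as an added example that is not the answer's own code. The authorization decision stays in PHP; only the transfer of the bytes is handed to the web server, which avoids pushing large files through a PHP worker. The server configuration lines in the comments, the `/protected/` location name, the `SERVER` constant and the stand-in document and ACL arrays are all assumptions.

```php
<?php
// Added example of the answer's X-Sendfile / X-Accel-Redirect suggestion.
// Not the answer's own code.
// Assumed server configuration (not from the page):
//   Apache with mod_xsendfile:
//     XSendFile On
//     XSendFilePath /var/www/private_docs
//   nginx with an internal location mapped onto the private directory:
//     location /protected/ { internal; alias /var/www/private_docs/; }
// The "internal" flag matters: without it anyone could request /protected/backup.sql.
declare(strict_types=1);

session_start();

const SERVER  = 'apache';            // assumption: set to 'nginx' when behind nginx
const DOC_DIR = '/var/www/private_docs';
const DOCS    = [7 => 'backup.sql'];  // stand-in for the documents table
const ACL     = [7 => [42, 99]];      // stand-in for the per-document ACL

// Same checks as a plain download script: logged in, valid id, user on the ACL.
// One 404 for every failure so probing ids reveals nothing.
$docId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (empty($_SESSION['user_id'])
    || !is_int($docId)
    || !isset(DOCS[$docId])
    || !in_array((int) $_SESSION['user_id'], ACL[$docId], true)) {
    http_response_code(404);
    exit;
}

$name     = basename(DOCS[$docId]);
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');

if (SERVER === 'apache') {
    // mod_xsendfile discards the (empty) PHP body and sends this file instead.
    header('X-Sendfile: ' . DOC_DIR . '/' . $name);
} else {
    // nginx performs an internal redirect to the protected location.
    header('X-Accel-Redirect: '.'/protected/' . rawurlencode($name));
}
exit;   // no body: the server appends the file itself
```

Two checks worth making after deploying this: request `/protected/backup.sql` directly and confirm nginx answers 404 (the `internal` flag is what makes the location unreachable from outside), and confirm the module is actually enabled, because without it the client receives an empty body plus a header that discloses the private path.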