Sort of - basically, Yes. With Apache, you can modify access rights. However, the PHP script does not need the folder to be in the DocumentRoot to access the files and feed them.

Example:
    DocumentRoot  = /var/www/site/httpdocs
    FileDirectory = /var/www/site/files

In your PHP, you'll tell it to go to /var/www/site/files/filename.ext and feed that, using whichever method as covered here. PHP can feed files outside of the DocumentRoot.

-Will

On Tue, Sep 22, 2009 at 4:39 PM, Bob kane <[email protected]> wrote:
> Yes, but the folder I'm referencing in the PHP script has to be outside the
> DocumentRoot, else someone can visit the files with a direct link, right?
>
> On Tue, Sep 22, 2009 at 3:29 PM, William Attwood <[email protected]> wrote:
> > Hey Bob--
> > You don't need to map to a folder outside of the DocumentRoot. If you
> > use PHP (server side execution) you reference that folder in your PHP
> > script, and as Beau and Mac stated, just stream the data to the end user.
> > This keeps everything secure.
> >
> > --Will
> >
> > On Tue, Sep 22, 2009 at 4:23 PM, Bob kane <[email protected]> wrote:
> > > ---------- Forwarded message ----------
> > > From: Bob kane <[email protected]>
> > > Date: Tue, Sep 22, 2009 at 3:23 PM
> > > Subject: Re: [UPHPU] Secure PHP file serving.
> > > To: Beau Scott <[email protected]>
> > >
> > > Thanks for the responses guys. Yeah, it would not be okay for someone to
> > > retrieve the file if they know the link. I've just stumbled upon something
> > > called open_basedir in php.ini that (I think) you can use this directive
> > > to map directories that are allowed to load files outside the web root.
> > > Anyone ever use this? I'm almost on my way though with these answers, much
> > > appreciated.
> > >
> > > On Tue, Sep 22, 2009 at 3:14 PM, Beau Scott <[email protected]> wrote:
> > > > readfile() is the easier approach to this if you're not concerned with
> > > > utilizing HTTP Content-Range headers
> > > > (http://us.php.net/manual/en/function.readfile.php). It writes the
> > > > content of the file directly to the output buffer, avoiding the memory
> > > > limits altogether.
> > > >
> > > > However, if you're going to be serving even remotely large files, you'll
> > > > want to take a look at using Content-Range. This will allow clients to
> > > > break downloads up into manageable sizes and/or resume downloads. The
> > > > browser will cache the downloads in chunks, remembering which portions
> > > > have been downloaded. It will then fill in the pieces as it needs by
> > > > providing your script with a content byte range. E-Tag headers will also
> > > > be highly beneficial for you here. (There's an example of how to handle
> > > > E-Tag headers in the readfile() user notes.)
> > > >
> > > > Here's a high-level example of byte serving:
> > > > http://www.coneural.org/florian/papers/04_byteserving.php and there's
> > > > another example in the readfile() user comments as well (search for
> > > > SmartReadFile).
> > > >
> > > > Beau
> > > >
> > > > On Tue, Sep 22, 2009 at 3:56 PM, Mac Newbold <[email protected]> wrote:
> > > > > Today at 2:40pm, Andrew kain said:
> > > > >
> > > > > > Hello list, I am looking for the best way to serve secure sensitive
> > > > > > files uploaded to a PHP server. I only want authenticated users to be
> > > > > > able to view these files (jpg, pdf, etc). Usually anyone can view
> > > > > > files uploaded to any directory. I'm guessing the best way would be
> > > > > > to upload the files outside of the web root; that way they are not
> > > > > > directly accessible from the web server. My question is, what would
> > > > > > be the next step? To authenticate the session and mod_rewrite to
> > > > > > direct the user to the secured area? Can anyone with any experience
> > > > > > with this please give some pointers? Thank you much in advance.
> > > > >
> > > > > There are a variety of options, as William Attwood explained. One
> > > > > difference is whether it is okay for someone to be able to retrieve
> > > > > the file by knowing its link. One level of security is to turn off
> > > > > directory indexing (if necessary) and use PHP to ask for a password
> > > > > before showing them the links to the files. But once they have the
> > > > > links, they'd be able to request them directly.
> > > > >
> > > > > The path you mention above, of putting the files outside webroot, is a
> > > > > stronger solution. As you mentioned, you authenticate the session
> > > > > first, but I don't think you can rewrite them to the secured area
> > > > > because it is outside the webroot. Generally the way you'd do this is
> > > > > by having the PHP script hand the file back to the user rather than
> > > > > having Apache do it directly.
> > > > >
> > > > > The PHP script to hand off the file is pretty simple. Usually you'd set
> > > > > it up to check permissions and display an error or a login form if they
> > > > > don't have access. If they pass the access checks, you use header() to
> > > > > set your HTTP response headers (controlling things like saving vs
> > > > > opening the file, content type, caching controls, etc.), then you pass
> > > > > the contents of the file back. One way is fpassthru() but it turns out
> > > > > to be a memory hog, reading the whole file into memory before sending
> > > > > it out, which means you often run into the 8MB default memory limit.
> > > > > Another way is to do it chunk by chunk like so:
> > > > >
> > > > >     $fp = fopen($path, 'rb');          // binary-safe read
> > > > >     while (!feof($fp)) {
> > > > >         $data = fread($fp, 1048576);   // 1MB per iteration
> > > > >         echo $data;
> > > > >     }
> > > > >     fclose($fp);
> > > > >
> > > > > As you can see, that one reads 1MB at a time.
> > > > >
> > > > > Thanks,
> > > > > Mac
> > > > >
> > > > > --
> > > > > Mac Newbold                    Code Greene, LLC
> > > > > CTO/Chief Technical Officer    44 Exchange Place
> > > > > Office: 801-582-0148           Salt Lake City, UT 84111
> > > > > Cell: 801-694-6334             www.codegreene.com
> > > > >
> > > > > _______________________________________________
> > > > > UPHPU mailing list
> > > > > [email protected]
> > > > > http://uphpu.org/mailman/listinfo/uphpu
> > > > > IRC: #uphpu on irc.freenode.net
> > > >
> > > > --
> > > > Beau D. Scott
> > > > Software Engineer

--
Take care,
William Attwood
Idea Extraordinaire
[email protected]

Joan Crawford <http://www.brainyquote.com/quotes/authors/j/joan_crawford.html> - "I, Joan Crawford, I believe in the dollar. Everything I earn, I spend."
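A worked version of the hand-off script the thread describes (Will's files-outside-DocumentRoot layout, Mac's chunked loop, and the Content-Range and E-Tag handling Beau mentions), added here as an example; it is not code from anyone in the thread. FILE_DIR, the `file` query parameter and the `$_SESSION['user_id']` login flag are assumptions.

```php
<?php
// Added example (not from the thread); assumes FILE_DIR is outside DocumentRoot and login sets $_SESSION['user_id'].
const FILE_DIR = '/var/www/site/files';
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}
// basename() drops directory parts and the realpath() prefix check confirms the
// result is still inside FILE_DIR, so a name like "../../etc/passwd" is refused.
$base = realpath(FILE_DIR);
$name = basename((string)($_GET['file'] ?? ''));
$path = realpath($base . '/' . $name);
if ($path === false || !is_file($path) || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Not found');
}
$size = filesize($path);
[$start, $end] = [0, $size - 1];
$etag = '"' . md5($path . filemtime($path) . $size) . '"';
if (($_SERVER['HTTP_IF_NONE_MATCH'] ?? '') === $etag) {
    http_response_code(304); exit;   // the client's cached copy is still current
}
// Byte serving: honour "bytes=START-END" (END optional), reject anything else.
if (isset($_SERVER['HTTP_RANGE'])) {
    if (!preg_match('/^bytes=(\d+)-(\d*)$/', $_SERVER['HTTP_RANGE'], $m)
        || (int)$m[1] > $end || ($m[2] !== '' && (int)$m[2] < (int)$m[1])) {
        header("Content-Range: bytes */$size");
        http_response_code(416); exit;
    }
    $start = (int)$m[1];
    $end = $m[2] === '' ? $end : min((int)$m[2], $end);
    http_response_code(206);
    header("Content-Range: bytes $start-$end/$size");
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . addcslashes($name, '"\\') . '"');
header('Content-Length: ' . ($end - $start + 1));
header('Accept-Ranges: bytes');
header("ETag: $etag");
// Stream only the requested range, 1MB at a time, never the whole file in memory.
$fp = fopen($path, 'rb');
fseek($fp, $start);
$remaining = $end - $start + 1;
while ($remaining > 0 && !feof($fp)) {
    $chunk = fread($fp, min(1048576, $remaining));
    echo $chunk;
    $remaining -= strlen($chunk);
}
fclose($fp);
```

If output buffering is enabled in php.ini, call ob_end_clean() before the loop, otherwise the chunks accumulate in PHP's own buffer and the memory saving is lost. open_basedir, which Bob asks about, restricts which directory trees PHP may open at all; it does not replace the realpath check above.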
