  1. #26 (Join Date: Nov 2001, Location: Vancouver, Posts: 2,422)
    Not knowing how you plan to structure your tables, one thing I'd be concerned about with:

    Is that users can just muck with the file ID

    So as long as your logic makes that sort of manipulation fruitless.... here's an example of a simple approach (chances are you are already down this road, but just in case I've spelled it out here) - assume you have database tables:

    Code:
    Person
      id
      first_name
      last_name
      ...
    
    Document
      id
      person_id
      volume
      path
    Then the query, where the person ID is known from the login session:

    Code:
    SELECT * from document d, person p
    WHERE d.person_id = p.id
    AND d.id = 132
    Will retrieve a document, while invalid queries (random malicious editing of the URL) will not.
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”
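    The session-scoped query above, worked through as an added example (not mwatkins' code). It uses Python with an in-memory SQLite database and constructed sample rows; the table names and columns follow the post, the sample ids and paths are invented for the demonstration. The person id is taken from the server-side session, never from the request, so changing the document id in the URL only ever returns rows the logged-in person owns, and the query is parameterized so the id cannot alter the SQL itself.

```python
import sqlite3

# Schema from the post (person / document), with types added for SQLite.
SCHEMA = """
CREATE TABLE person (
    id INTEGER PRIMARY KEY,
    first_name TEXT NOT NULL,
    last_name TEXT NOT NULL
);
CREATE TABLE document (
    id INTEGER PRIMARY KEY,
    person_id INTEGER NOT NULL REFERENCES person(id),
    volume TEXT NOT NULL,
    path TEXT NOT NULL
);
"""

# Constructed sample rows for the demonstration; not real data.
SAMPLE_PEOPLE = [(1, "Ann", "Example"), (2, "Bob", "Example")]
SAMPLE_DOCS = [
    (132, 1, "vol01", "reports/132.pdf"),   # owned by person 1
    (133, 2, "vol01", "reports/133.pdf"),   # owned by person 2
]


def make_db():
    """Create and seed the in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", SAMPLE_PEOPLE)
    conn.executemany("INSERT INTO document VALUES (?, ?, ?, ?)", SAMPLE_DOCS)
    conn.commit()
    return conn


def fetch_document(conn, session_person_id, requested_doc_id):
    """Return (id, volume, path) for the document, or None.

    session_person_id comes from the login session (server side).
    requested_doc_id is whatever the client sent (URL or form field):
    it is validated as an integer and bound as a query parameter, so a
    manipulated value can only select among the caller's own documents.
    """
    try:
        doc_id = int(requested_doc_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT d.id, d.volume, d.path "
        "FROM document d JOIN person p ON d.person_id = p.id "
        "WHERE p.id = ? AND d.id = ?",
        (session_person_id, doc_id),
    ).fetchone()
    return row


if __name__ == "__main__":
    db = make_db()
    print(fetch_document(db, 1, 132))   # person 1 owns 132: row returned
    print(fetch_document(db, 2, 132))   # person 2 does not: None
```

    The same single query replaces the two-step "check the user, then fetch the file" approach: if the ownership condition is not met, nothing is selected, so there is no separate step that can be skipped or reordered.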

  2. #27 (Join Date: Nov 2005, Location: USA, Posts: 884)
    thank you mwatkins. This is what I was going to do but in two queries, first match the id of the user then the file, but your solution is way better than what I was going to do as it is more controlled.
    Is it worth paying a company to test its security to see if they can break it.... is there such thing? (once implemented)
    GS RichCopy 360 Enterprise - Voted #1 for data migration and replication in terms of performance and features. Replicate data across between servers in the same network, WAN, or even across the internet - Many customer call it RSync for Windows

  3. #28 (Join Date: Mar 2006, Posts: 984)
    As 'two' other alternative solutions, here's what you can do to amplify your masking:

    1 - Rather than adding the file's ID into your query (since, it's true, users could simply manipulate your downloads by playing with the ID numbers from the URL bar - which is not recommended), you could always specify the filename itself (not the full path but simply the document's filename) + urlencode it.

    2 - Create a global user session function that will allow each of your users to download 'as per selectively set' from a built list you could create. This technique would allow you to specifically set downloads towards user accounts you would only wish to download. From there, as explained above my post, regarding the SQL statement, you could select the ID, from a POST query, and then add that variable into the WHERE statement + the user ID's info. That would pretty much be like it's being explained above.

    Solution no. 2 sure would require massive time to hardcode this out. Although, it is recognized as a far more secure process than solution no 1. Solution no. 1 is simply easier to code (especially if you're in a hurry) though.

  4. #29 (Join Date: Nov 2005, Location: USA, Posts: 884)
    hmmmm this is just getting better and better.
    I like solution no. 2
    I will have an access level in session declared. since it is a set number of files, I will have a button for each file that would do a post to a script which retrieves the file accordingly. this way no one sees anything. Is this what you are suggesting horizon. A post form is much more secure than a Get form (I am pretty sure) so this way I would be very well settled. correct.?
    Anything I should be concerned about in a post form?

  5. #30 (Join Date: Mar 2006, Posts: 984)
    I will have an access level in session declared. since it is a set number of files, I will have a button for each file that would do a post to a script which retrieves the file accordingly. this way no one sees anything. Is this what you are suggesting horizon.
    Precisely. However, I'd still recommend randomizing your filename and setting a certain timeout period for each created file on your FTP server. This way, it would avoid future / un-authorized users downloading unexpected files.

    This is what I'm currently doing from my end so that specific users would have the ability to click on a URL link that would allow them to follow specific instructions (for my case). As for your case, it would simply allow them to allow your documented information.

    A post form is much more secure than a Get form (I am pretty sure) so this way I would be very well settled. correct.?
    Theoretically, yes. However, handling your queries correctly would still be a priority when checking the required infos that require downloading for such documentations. Although, I think you would be the judge on that.

    Anything I should be concerned about in a post form?
    Which brings my next recommendation through here. Make sure to code out your PHP queries correctly. I could, as several others could, help you out on this if you require further assistance for tracking the infos correctly.
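    The randomized, time-limited download name horizon recommends above, as an added example (not horizon's code). This is Python; the post mentions files on an FTP server, but the mechanism is the same for any download handler: instead of exposing the real filename, the server issues an unguessable token bound to the logged-in person, the document id and an expiry, and the download script only resolves the real path through that token. The in-memory dictionary store, the 15-minute lifetime (taken from the session timeout mentioned later in the thread) and the function names are assumptions made for the demonstration.

```python
import secrets
import time

# Lifetime of an issued download name; 15 minutes to match the session timeout
# discussed in the thread (assumed value for this example).
TOKEN_TTL_SECONDS = 15 * 60

# Issued names: token -> (person_id, doc_id, expires_at).
# An in-memory dict for the demonstration; a real deployment would keep this
# in the database or session store so it survives across requests/processes.
_issued = {}


def issue_download_token(person_id, doc_id, now=None, ttl=TOKEN_TTL_SECONDS):
    """Create a random, expiring download name for one person and one document.

    secrets.token_urlsafe gives 32 bytes of CSPRNG output, so the name cannot
    be guessed or enumerated the way a sequential file id can.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _issued[token] = (person_id, doc_id, now + ttl)
    return token


def redeem_download_token(token, session_person_id, now=None):
    """Return the doc_id a token refers to, or None if it is unknown,
    expired, or was issued to a different person than the current session.

    Expired entries are purged as they are seen, so stale names do not
    accumulate and can never be revived.
    """
    now = time.time() if now is None else now
    entry = _issued.get(token)
    if entry is None:
        return None
    person_id, doc_id, expires_at = entry
    if now > expires_at:
        del _issued[token]
        return None
    if person_id != session_person_id:
        # Token leaked or shared: refuse, but leave it for its owner.
        return None
    return doc_id


def purge_expired(now=None):
    """Housekeeping: drop every expired token and return how many were removed."""
    now = time.time() if now is None else now
    stale = [t for t, (_, _, exp) in _issued.items() if now > exp]
    for t in stale:
        del _issued[t]
    return len(stale)


if __name__ == "__main__":
    name = issue_download_token(person_id=1, doc_id=132)
    print(name)                               # opaque, e.g. 'k3Vb...' (random)
    print(redeem_download_token(name, 1))     # 132 for the owner
    print(redeem_download_token(name, 2))     # None for anyone else
```

    The download script would call redeem_download_token with the posted name and the session's person id, then look up the real path by doc_id with the same ownership query as earlier in the thread; the real path never appears in the page or the URL.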

  6. #31 (Join Date: Nov 2005, Location: USA, Posts: 884)
    Quote Originally Posted by horizon
    Precisely. However, I'd still recommend randomizing your filename and setting a certain timeout period for each created file on your FTP server. This way, it would avoid future / un-authorized users downloading unexpected files.

    This is what I'm currently doing from my end so that specific users would have the ability to click on a URL link that would allow them to follow specific instructions (for my case). As for your case, it would simply allow them to allow your documented information.
    What do you mean... the files will be updated once a month, (overwritten). Sessions will time out in 15 minutes. Is that what you are talking about

    Theoretically, yes. However, handling your queries correctly would still be a priority when checking the required infos that require downloading for such documentations. Although, I think you would be the judge on that.
    Queries will be done very carefully.... I will do it as mwatkins where the query will look for file with the access level and doc id in sql, if there is a match then it is served.
    Which brings my next recommendation through here. Make sure to code out your PHP queries correctly. I could, as several others could, help you out on this if you require further assistance for tracking the infos correctly.
    please elaborate on this one.... just so I know what you are talking about a little more.

  7. #32 (Join Date: Mar 2006, Posts: 984)
    What do you mean... the files will be updated once a month, (overwritten). Sessions will time out in 15 minutes. Is that what you are talking about
    Yes, that is correct. Although, I was not referring to your content itself, about the update, but about the filenames.

    Queries will be done very carefully.... I will do it as mwatkins where the query will look for file with the access level and doc id in sql, if there is a match then it is served.
    Close to all set.

    please elaborate on this one.... just so I know what you are talking about a little more.
    I was simply offering my assistance in case you'd require further help with PHP queries, since you asked:

    Anything I should be concerned about in a post form?
    Oh ! and one more thing I forgot to add, very important; since this is about file download and you wish to do it from an HTML form that is being targeted to a PHP file, make sure to add the multiform-data to your form.

  8. #33 (Join Date: Nov 2005, Location: USA, Posts: 884)
    as for assistance, you all have been way better than expected, and do not worry. I will let you know due to your expertise, kindness, and helpfulness.

    Oh ! and one more thing I forgot to add, very important; since this is about file download and you wish to do it from an HTML form that is being targeted to a PHP file, make sure to add the multiform-data to your form.
    What do you mean multiform-data.....

    it will be 11 buttons for example, each one is coded with hidden value that is posted to download.php which would know what to do. or am I on the wrong track?

  9. #34 (Join Date: Mar 2006, Posts: 984)
    it will be 11 buttons for example, each one is coded with hidden value that is posted to download.php which would know what to do. or am I on the wrong track?
    Sorry for the late response. It's early here . . .

    Here's an example of what I meant:

    regular form expression:

    Code:
    <form action="your_file.php" method="post">
    <input type="hidden" name="your_action_name" value="your_variable_name">
    ... and so on ...
    multipart/form (not just form - sorry about that) :

    <form method="post" action="your_file.php" enctype="multipart/form-data" onsubmit="uploadbutton.disabled=true;">
    As you can see, the enctype has been added. I also added the option to decline multi-clickings (on the same form process) to avoid traffic and server resources abuse.

  10. #35 (Join Date: Feb 2003, Location: AR, Posts: 2,382)
    Once again, you are absolutely incorrect here horizon. You use the multipart/form-data enctype when the script is handling file uploads. That's all that it is used for. It really has no place in this form, since this form is just posting information to another script.....

    http://www.w3.org/TR/html4/interact/...ml#h-17.13.4.2

  11. #36 (Join Date: Nov 2005, Location: USA, Posts: 884)
    just to be clear... the button is supposed to go to a script that would download the form and not upload it. the user can only download files that are assigned to him, will not upload anything
