11-05-2006, 10:28 PM #26 Web Hosting Master
Not knowing how you plan to structure your tables, one thing I'd be concerned about with:
Quote: Is that users can just muck with the file ID
is that your logic should make that sort of manipulation fruitless. Here's an example of a simple approach (chances are you are already down this road, but just in case, I've spelled it out here). Assume you have these database tables:
Code:
Person
  id
  first_name
  last_name
  ...

Document
  id
  person_id
  volume
  path
Code:
SELECT *
FROM document d, person p
WHERE d.person_id = p.id
  AND d.id = 132
  -- the logged-in user's id comes from the session, never from the request,
  -- so a tampered document id that belongs to someone else returns no row
  AND p.id = :session_user_id
11-05-2006, 10:42 PM #27 Web Hosting Master
Thank you mwatkins. This is what I was going to do, but in two queries: first match the id of the user, then the file. Your solution is way better than what I was going to do, as it is more controlled.
Is it worth paying a company to test its security to see if they can break it? Is there such a thing (once implemented)?
11-05-2006, 10:48 PM #28 Web Hosting Master
As 'two' other alternative solutions, here's what you can do to amplify your masking:
1 - Rather than adding the file's ID into your query (since, it's true, users could simply manipulate your downloads by playing with the ID numbers in the URL bar, which is not recommended), you could always specify the filename itself (not the full path, but simply the document's filename) and urlencode it.
2 - Create a global user session function that will allow each of your users to download 'as per selectively set' from a built list you could create. This technique would allow you to specifically set downloads for the user accounts you wish to allow to download. From there, as explained in the post above mine regarding the SQL statement, you could take the ID from a POST query and then add that variable into the WHERE statement along with the user ID's info. That would pretty much be like what is being explained above.
Solution no. 2 sure would require massive time to hardcode. Although, it is recognized as a far more secure process than solution no. 1. Solution no. 1 is simply easier to code (especially if you're in a hurry), though.
11-05-2006, 11:13 PM #29 Web Hosting Master
Hmmmm, this is just getting better and better.
I like solution no. 2.
I will have an access level declared in the session. Since it is a set number of files, I will have a button for each file that does a POST to a script which retrieves the file accordingly. This way no one sees anything. Is this what you are suggesting, horizon? A POST form is much more secure than a GET form (I am pretty sure), so this way I would be very well settled. Correct?
Anything I should be concerned about in a POST form?
11-05-2006, 11:20 PM #30 Web Hosting Master
Quote: I will have an access level declared in the session. Since it is a set number of files, I will have a button for each file that does a POST to a script which retrieves the file accordingly. This way no one sees anything. Is this what you are suggesting, horizon?
This is what I'm currently doing from my end, so that specific users have the ability to click on a URL link that allows them to follow specific instructions (in my case). In your case, it would simply allow them to access your documented information.
Quote: A POST form is much more secure than a GET form (I am pretty sure), so this way I would be very well settled. Correct?
Quote: Anything I should be concerned about in a POST form?
11-05-2006, 11:53 PM #31 Web Hosting Master
Originally Posted by horizon
Theoretically, yes. However, handling your queries correctly would still be a priority when checking the required info for downloading such documentation. Although, I think you would be the judge on that.
Which brings me to my next recommendation here. Make sure to code your PHP queries correctly. I could, as several others could, help you out on this if you require further assistance in tracking the info correctly.
11-06-2006, 12:12 AM #32 Web Hosting Master
What do you mean? The files will be updated once a month (overwritten). Sessions will time out in 15 minutes. Is that what you are talking about?
Queries will be done very carefully. I will do it as mwatkins described, where the query looks for the file with the access level and doc id in SQL; if there is a match, then it is served.
Please elaborate on this one, just so I know what you are talking about a little more.
Anything I should be concerned about in a POST form?
11-06-2006, 12:22 AM #33 Web Hosting Master
As for assistance, you all have been way better than expected, and do not worry, I will let you know, due to your expertise, kindness, and helpfulness.
Oh! And one more thing I forgot to add, very important: since this is about file download and you wish to do it from an HTML form that is targeted at a PHP file, make sure to add the multiform-data to your form.
It will be 11 buttons, for example, each one coded with a hidden value that is posted to download.php, which would know what to do. Or am I on the wrong track?
11-06-2006, 08:35 AM #34 Web Hosting Master
Quote: It will be 11 buttons, for example, each one coded with a hidden value that is posted to download.php, which would know what to do. Or am I on the wrong track?
Here's an example of what I meant:
Regular form expression:
Code:
<form action="your_file.php" method="post">
  <input type="hidden" name="your_action_name" value="your_variable_name">
  ... and so on ...
Code:
<form method="post" action="your_file.php" enctype="multipart/form-data" onsubmit="uploadbutton.disabled=true;">
11-06-2006, 11:54 AM #35 Web Hosting Master
Once again, you are absolutely incorrect here, horizon. You use the multipart/form-data enctype when the script is handling file uploads. That's all it is used for. It really has no place in this form, since this form is just posting information to another script.
http://www.w3.org/TR/html4/interact/...ml#h-17.13.4.2
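The owner-checking query from post #26 and the hidden-field POST form from post #34, combined into a download.php as an added example (not code from anyone in this thread). It assumes the Person/Document tables of post #26, a PDO connection with the placeholder credentials shown, a session key person_id set at login, and a private storage directory outside the web root.

```php
<?php
// Added example (not code from the thread): download.php combining the
// owner-checking query of post #26 with the hidden-field POST form of #34.
// Assumed: PDO DSN/credentials below, $_SESSION['person_id'] set at login,
// the Person/Document tables of post #26, and files stored outside webroot.
// The form posting here needs no enctype; a plain hidden field "doc" is enough.
session_start();

if (empty($_SESSION['person_id'])) {
    http_response_code(403);
    exit('not logged in');
}

// GET or POST makes no difference: the id is user-controlled either way and
// a hidden field is as easy to change as a URL, so it is never trusted alone.
$docId = filter_input(INPUT_POST, 'doc', FILTER_VALIDATE_INT);
if ($docId === false || $docId === null) {
    http_response_code(400);
    exit('bad request');
}

// The ownership check lives inside the query: a document that is not the
// session user's yields no row. Both values are bound, not interpolated.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass'); // assumption
$stmt = $pdo->prepare(
    'SELECT d.path FROM document d JOIN person p ON d.person_id = p.id
      WHERE d.id = :doc AND p.id = :person'
);
$stmt->execute([':doc' => $docId, ':person' => (int) $_SESSION['person_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    // Same answer for "does not exist" and "not yours": no way to probe ids.
    http_response_code(404);
    exit('not found');
}

// The path comes from the database row, never from the request. basename()
// drops any directory part so a bad row cannot point outside the store.
$file = '/srv/private_docs/' . basename($row['path']); // assumed storage dir
if (!is_file($file)) {
    http_response_code(404);
    exit('not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Length: ' . filesize($file));
readfile($file);
```

Logging the session user id alongside each 404 from this script gives a cheap detection signal: one account producing many "not found" responses for varying ids is probing for other people's documents.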
11-06-2006, 11:59 AM #36 Web Hosting Master
Just to be clear: the button is supposed to go to a script that downloads the file, not uploads it. The user can only download files that are assigned to him; he will not upload anything.