Creating a Secure File Hosting Server for PDFs

Put the files outside of the webroot. Then, using PHP, pass the file through a script. That way no one can link to the file directly and bypass your controls. (Naturally, make sure the script does this only after verifying the user has permission to retrieve that file.)

Sample PHP:

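<?php
session_start();

// Stop here unless the session has been marked as authenticated.
if (!isset($_SESSION['authenticated'])) {
    exit;
}

// Absolute path to a file stored outside the webroot.
$file = '/path/to/file/outside/www/secret.pdf';

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
// Quote the filename so names containing spaces survive in the header.
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));

// Discard buffered output so it cannot corrupt the download;
// ob_clean() raises a notice when no output buffer is active.
if (ob_get_level() > 0) {
    ob_clean();
}
flush();
readfile($file);
exit;
?>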

Storing PDF files on server securely

  1. You need to store the files somewhere outside your website root, as mentioned by Dagon. When the file is uploaded, use move_uploaded_file to move it. You can name the file anything you want (within OS limits) and keep the real name in the database.
  2. Then when the user has paid for the books, add the books the user has paid for to a table in a db.
  3. Give the user a list of all the books he has paid for like: /download/filename.pdf
  4. Add a mod_rewrite if you use Apache (or equivalent for other web servers) where /download/.* is redirected to download.php or a controller.
  5. On the download page, check if user is logged in and has access to the file. If not, redirect to purchase page for that book.
  6. If download is ok set header for the http status you need: Content-Length, Content-Type, Date, Status (200), maybe Content-Encoding.
  7. Use readfile to output the file to the end user.
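
The seven steps above, put together as a download controller (an added example, not code from the answer). The table and column names, the `user_id` session key and the SQLite demo data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example; table names, column names and the 'user_id' session key are assumptions.

// Steps 2 and 5: resolve the public name to the stored (renamed) file only if
// this user has a purchase row for it. Returns null when not entitled.
function entitled_path(PDO $db, int $userId, string $publicName, string $storeDir): ?string
{
    $stmt = $db->prepare(
        'SELECT b.stored_name FROM books b JOIN purchases p ON p.book_id = b.id
          WHERE p.user_id = ? AND b.public_name = ?'
    );
    $stmt->execute([$userId, $publicName]);
    $stored = $stmt->fetchColumn();
    // The path is built from the database value, never from request input.
    return $stored === false ? null : $storeDir . '/' . $stored;
}

// Steps 5 to 7: returns the HTTP status the front controller should use.
function handle_download(PDO $db, array $session, string $name, string $storeDir): int
{
    if (!isset($session['user_id'])) { return 401; }      // not logged in
    $path = entitled_path($db, (int) $session['user_id'], $name, $storeDir);
    if ($path === null) { return 403; }                    // send to the purchase page
    if (!is_file($path)) { return 404; }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($name) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return 200;
}

// Constructed demo data: in-memory SQLite and a temp directory standing in for
// the private store. In download.php, $name would come from the rewritten URL.
$store = sys_get_temp_dir() . '/private_books_demo';
is_dir($store) || mkdir($store, 0700);
file_put_contents("$store/9f2c7a1e.bin", "%PDF-1.4 constructed sample\n");
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE books(id INTEGER PRIMARY KEY, public_name TEXT, stored_name TEXT);
           CREATE TABLE purchases(user_id INTEGER, book_id INTEGER);
           INSERT INTO books VALUES (1,'php-basics.pdf','9f2c7a1e.bin'),(2,'advanced.pdf','41d0b6c3.bin');
           INSERT INTO purchases VALUES (7, 1);");
$results = [
    'owner'     => handle_download($db, ['user_id' => 7], 'php-basics.pdf', $store),
    'not owned' => handle_download($db, ['user_id' => 7], 'advanced.pdf', $store),
    'anonymous' => handle_download($db, [], 'php-basics.pdf', $store),
];
foreach ($results as $case => $status) { echo "$case: $status\n"; }
```

Because the lookup joins on the purchases table, a name the user has not bought never resolves to a path, so guessing /download/ URLs reveals nothing about the stored file names.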

Securing PDFs in a webserver from public access

If you have an index.html file, that will prevent the directory contents from being listed by the server. Now, you have to worry about people guessing the file names of your files. You can store them by cryptic names. Take a look at hash functions to generate random strings.

When you let a user download a file, you should use a PHP script to read the contents of the file and send a correct MIME header. You should not link directly to the cryptic names, to keep these names a secret. The PHP script can then do the correct validation of the users.

But first you should check if your host allows you to put files in a folder that is not publicly available. If you can store the files in a non-public folder you're in good shape.

How do you lock down & secure files stored on server in ASP.NET?

First, do not use the name of the file in the query string. Use some other identifier; preferably a non-guessable id. One example is a base 64 encoded guid.

Second, the viewpdf.aspx file should implement your security model to test whether the user who is accessing the link is authorized to view the file.

Third, you might consider storing the actual file somewhere else. SQL 2008 has a FILESTREAM data type which can push the actual file data to a file system folder and seems to work pretty well.

Secure PHP File Upload Script

A late response, but I think your script should be based on this:
http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/

It covers all aspects of security and explains all valid points. I hope this helps.

EDIT: The above link is dead, here is a cached version of that article.

Secure way to store files in web server?

Don't store them in a database. Put them in your web directory and secure them using .htaccess.

If you want to authenticate via other means, then store the files in a directory that isn't web-accessible but is readable by the user php runs as.

Uploading PDF or .doc and security

As I commented to Aerik but it's really the answer to the question.

If you have PHP >= 5.3 use finfo_file(). If you have an older version of PHP you can use mime_content_type() (less reliable) or load the Fileinfo extension from PECL.

Both of these functions return the mime type of the file (by looking at the type of data inside them). For PDF it should be

text/pdf

For a word doc it could be a few things. Generally it should be

application/msword

If your server is running *nix then make sure the files you're saving aren't executable. Even better: save them to a folder that isn't accessible by the web server. You can still write code to access the files but someone requesting a web page won't be able to access them at all.


