Re: PHP chmod Newbie Question

Posted by Mike P2 on 05/25/07 20:04

On May 25, 2:36 pm, Karl Cox <kcox7...@yahoo.com> wrote:
> Hi, the PHP manual says that there are three separate sets of users
> that the chmod function recognizes: the owner of the file, the group
> that the owner is in, and everyone else. How does the server keep
> track of who created the file? I don't see how this could be managed
> with cookies or by tracking ip addresses.
>
> Also, how do I create user groups for chmod to recognize?
>
> The project I am working on involves users uploading files to a single
> directory on the server. The MySQL database keeps track of who
> created which file (based on the file's name and the user's username)
> and only allows the users to view files they created. My problem is
> that my php script only lists the user's files, but when they are
> viewing a file, the user may easily change the url to the name of a
> file they are not authorized to view, and then successfully view it.
> I have no idea how to secure this system, other than using the chmod
> function.
>
> -Karl

CHMOD (change-mode) is for UNIX based servers, and the PHP chmod()
function is basically for when you are writing scripts for deployment
on them. UNIX (and others based off it, like Linux) have a built-in
authorization system to control who has access to each file. These
users are not users who would log into your website, but rather users
who would log directly into your server (by FTP, SSH/telnet, etc) and
for scripts to run as. PHP runs as a user (or as you if you are using
the CGI build), and you log in as yourself when you connect through
FTP.

What chmod() does on these servers is change what access (read, write,
execute) each user has as they are related to the file (owner, group,
anyone). This would be used in PHP to programmatically change who can
do what to files, such as setting an image file to only be able to be
edited or removed (write) by the PHP script, and only read by the UNIX
group (UNIX users are assigned to groups so you can allow file access
based on groups) while anyone who is not the same user and is not in
the same user group as the file owner (anyone else) cannot have any
access to the file. This is mostly for controlling basic file
security.

So chmod() will not help you in your case, as the users you are
dealing with are not UNIX users but website users. It's completely
unrelated. You wouldn't want to make those website users UNIX users
anyway since that would be so they can log into the server and access
files by FTP or whatever, not using your website.

You have to write your own code to handle who can access what file.
Here's a basic idea, which would be part of the file view page:
-Save images into a folder that no one can access on the internet; you
can use those UNIX file access things to deny access to anyone other
than the file owner (which will be whatever PHP runs as)
-The file view page is a .php script that takes a URL variable to
decide what image to display, such as: viewimage.php?image=sharks.gif
-The PHP script in that page checks the database to see if the
currently logged in user (use whatever code you use to see if they are
logged in, such as checking the cookie or session) has access to that
file
-If they don't have access, continue the script with a different file
name. You can do something like $_GET['image'] = 'nogo.gif';
-Use code to make sure the image file name does not contain slashes or
stuff that they could use to access a file that you don't intend them
to. You can do this earlier in the script if you prefer.
-Use the PHP header() function to send the Content-type header to the
browser (to tell it that this is an image and what type of image it
is). Use code to find the appropriate Content-type header to send
based on the file extension
-Use readfile() to feed out the image to the browser. If your
inaccessible directory is "images", it might look like:
readfile( 'images/'.$_GET['image'] );

Make sure to write secure code! If you're not careful, this will be
open to file system hacking and SQL injection at the same time. Make
sure to mysql_real_escape_string() the URL variable as well as make
sure it's clean for the directory (no slashes or anything).

You can use this same technique for any file type. Just make sure you
are careful with the file extensions: if you are using an upload
script and they upload a .php file instead of an image, it might be
possible for them to run that PHP file instead of downloading it (by
going directly to it).

That nogo.gif image I put in there would be just an image that has
text that says, "You don't have access to this image!" to be displayed
instead when appropriate.

-Mike PII
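The viewimage.php outline above, written out as an added example (not Mike's or Karl's code). It assumes a `db.php` that defines a PDO connection `$pdo`, a session holding the logged-in `username`, an `uploads` table with `filename` and `owner` columns, and a `private_images` directory outside the web root; prepared statements stand in for the `mysql_real_escape_string()` step.

```php
<?php
// viewimage.php: serve a private image only to the website user who owns it.
session_start();
require __DIR__ . '/db.php'; // assumed to define $pdo (PDO connection)

$imageDir = __DIR__ . '/../private_images'; // outside the web root, readable only by the PHP user
$fallback = 'nogo.gif';                      // "You don't have access" image, also in $imageDir

// Content-Type by extension; anything not listed (e.g. .php) is never served
$mimeTypes = ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

function requested_image(string $raw, array $mimeTypes): ?string {
    // basename() drops any directory part; the regex then allows exactly one dot,
    // so "../secret.png", "shell.php" and "img.php.gif" are all refused.
    $name = basename($raw);
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return null;
    }
    return isset($mimeTypes[strtolower($m[1])]) ? $name : null;
}

function user_may_view(PDO $pdo, string $user, string $name): bool {
    // The ownership check from the database; values are bound, never interpolated into SQL
    $stmt = $pdo->prepare('SELECT 1 FROM uploads WHERE filename = :f AND owner = :u');
    $stmt->execute([':f' => $name, ':u' => $user]);
    return (bool) $stmt->fetchColumn();
}

$user = $_SESSION['username'] ?? null;
$name = requested_image($_GET['image'] ?? '', $mimeTypes);

// Not logged in, bad name, or not the owner: show the "no access" image instead
if ($user === null || $name === null || !user_may_view($pdo, $user, $name)) {
    $name = $fallback;
}

$path = $imageDir . '/' . $name;
if (!is_file($path)) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . $mimeTypes[strtolower(pathinfo($name, PATHINFO_EXTENSION))]);
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the directory sits outside the web root, the only way to reach a file is through this script, so changing the `image` parameter to someone else's file name yields `nogo.gif` rather than the file.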
