Posted by Peter Fox on 12/17/05 10:36
Following on from Iain Napier's message. . .
>I'm in the middle of developing a website with a downloads section.
>It's a wad of educational software for an LEA which for obvious reasons
>needs password protecting. Users have to authenticate before being
>allowed to search and getting a link to the download.
>
>Don't want the users to get at the files without logging in first, so I
>created a script (filedownload.php) that adds the filename to the URL
>query string (e.g., filedownload.php?file=file1.zip)
>
>filedownload.php then simply prepends the full name of where the files live:
Fine (when set to point outside the web root) so long as you know that
your security model is "the key's under the mat". I.e. you can't
revoke permission to a single user, and you've opened up the complete
archive to all users.
BTW here is your starter for 10.
What steps should you take to stop somebody trying to access the php
sources by trying out a few possibilities like
"filedownload.php?file=../www/filedownload.php"?
--
PETER FOX Not the same since the bottom fell out of the bucket business
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
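To make the two points in the reply concrete (the traversal attempt via `file=../www/filedownload.php`, and the inability to revoke access for a single user once everyone shares one download script), here is an added example of a hardened download handler. It is not Iain Napier's filedownload.php and not code from the thread; it assumes a downloads directory outside the web root (the `/srv/lea-downloads` path is a placeholder), that the login page sets `$_SESSION['user']`, and that per-user permissions are held in a small constructed allow-list array standing in for a database table.

```php
<?php
// Added example, not the original poster's filedownload.php.
// Keeps the archive outside the web root, refuses any "file" value that
// does not resolve to a plain file inside that directory, and checks a
// per-user allow-list so one user's access can be revoked on its own.
// Assumptions (not from the thread): the login script sets
// $_SESSION['user'], and DOWNLOAD_DIR / ALLOWED are placeholder data.

declare(strict_types=1);
session_start();

// Directory holding the downloads; must be outside the web root (placeholder path).
const DOWNLOAD_DIR = '/srv/lea-downloads';

// Per-user allow-list (constructed sample data) so permission can be
// withdrawn from one user without touching the files themselves.
const ALLOWED = [
    'alice' => ['file1.zip', 'maths-pack.zip'],
    'bob'   => ['file1.zip'],
];

/**
 * Return the canonical absolute path of the requested file, or null if the
 * request must be refused. Kept free of side effects so it is easy to test.
 */
function resolve_download(string $requested, string $baseDir): ?string
{
    // Accept only a bare file name of letters, digits, dot, dash, underscore,
    // not starting with a dot. This alone rejects "../www/filedownload.php",
    // anything containing a slash, and the names "." and "..".
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $requested) || $requested[0] === '.') {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // Belt and braces: after symlink resolution the file must still sit
    // under the base directory, so a stray symlink cannot point back into
    // the web root or at the PHP sources.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** True if this user is currently permitted to fetch this file name. */
function user_may_download(string $user, string $file, array $allowed): bool
{
    return in_array($file, $allowed[$user] ?? [], true);
}

// --- request handling ---
if (empty($_SESSION['user'])) {
    http_response_code(401);
    exit('Please log in first.');
}
$user      = (string) $_SESSION['user'];
$requested = (string) ($_GET['file'] ?? '');

$path = resolve_download($requested, DOWNLOAD_DIR);
if ($path === null || !user_may_download($user, basename($path), ALLOWED)) {
    // One response for "no such file" and "not allowed": the error page
    // should not tell a logged-in user which other files exist.
    http_response_code(404);
    exit('Not found.');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The two checks are deliberately redundant: the name pattern stops traversal before the filesystem is touched, and the `realpath` prefix comparison catches anything the pattern cannot see, such as a symlink inside the downloads directory. Both the validation and the permission lookup are plain functions, so they can be exercised with a few good and bad names before the script goes live.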