Posted by Balazs Wellisch on 12/30/05 07:13

>> > 2) Once 1 is done, how, when they log back on (authenticated with SQL
>> > which will keep up with their username), do I allow them access to
>> > their files for download? I would like to use Linux file permissions
>> > to try and have some sort of security (i.e., would like to store users'
>> > files under /home/[user]/files), but how do I allow the PHP script to
>> > securely access their files, when the script runs under the Apache uid?
>> > Is this a job for suExec?
>> >
>>

I think it would be much simpler and just as secure to store the files
outside the web root and use a script to retrive them based on information
in a database table. So you're HTML in case of an image would look something
like this:

<img src="fileserver.php?userId=XXX&fileID=XXX">

Then the script "fileserver.php" would look up the appropriate details for
the file including its mime type and return it to the browser. It would also
be responsible for authenticating the request based on the userId. For added
security the userId can either be encrypted or stored in the session so it
doesn't have to be passed in on the URL.

Balazs

[Back to original message]