File Management project

NiKeFiDO

I have this project for work - it's a file management system (basically) - created with PHP/MySQL


Anyway, for users uploading files and for deleting files (etc) - how would you all suggest managing files (I assume not using FTP but rather the PHP native file management functions)?

Anyway, more importantly in terms of the project - part of the scope of the project is that the files need to be password protected individually.

Any idea on how to do that? I've heard of the Apache .htaccess way, but I'm not sure PHP can handle editing them programmatically (.htaccess and/or .htpasswd files).

Can anyone shed some light on this? Did the boss totally mess up the scope of this project?
 

Hyperblaze

you can password protect things very easily using php (don't even need htaccess for it)
upload the file using php in a form <form name="fileupload" method="post" enctype="multipart/form-data">.
keep track of all the file names in a database ($_FILES comes in handy) and save files in a particular location (is_uploaded_file, move_uploaded_file come in handy)
when you are going to your "file manager", have all the files on record being displayed in whatever fashion you want.
you could have 'X' or something to choose to delete the files (but have them go to a php file (delete.php?) with a get variable with the primary Id of the file from the table)
also have a password field in the table for each file, that you look up and figure out the password
if password is successful use a shell script hidden away to delete the file.

I hope I was able to explain this properly. If you have any questions or would like any ideas, let me know.

edit: you could edit them too, as well as download them, all with different passwords if you really wanted to.
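
A sketch of the upload and password-checked delete steps from the post above, added here as an example and not code from the thread. The `files` table layout, `STORAGE_DIR` and both function names are assumptions; it stores only a hash of each file's password and deletes with `unlink()` instead of the shell script the post mentions.

```php
<?php
declare(strict_types=1);
// Added example. Hypothetical schema:
//   files(id, owner_id, stored_name, original_name, password_hash)
const STORAGE_DIR = '/var/app-storage/uploads'; // assumed path, outside the www directory

// $file is one entry of $_FILES, e.g. $_FILES['upload'].
function store_upload(PDO $db, array $file, int $ownerId, string $filePassword): int
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not an HTTP upload');
    }
    // Random name on disk: the client-supplied name never becomes a path.
    $storedName = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], STORAGE_DIR . '/' . $storedName)) {
        throw new RuntimeException('Could not move upload into storage');
    }
    $stmt = $db->prepare(
        'INSERT INTO files (owner_id, stored_name, original_name, password_hash)
         VALUES (?, ?, ?, ?)'
    );
    // Only a hash of the per-file password is kept, never the password itself.
    $hash = password_hash($filePassword, PASSWORD_DEFAULT);
    $stmt->execute([$ownerId, $storedName, basename($file['name']), $hash]);
    return (int) $db->lastInsertId();
}

// Call this from a POST handler so a plain link cannot trigger a delete.
function delete_file(PDO $db, int $fileId, string $suppliedPassword): bool
{
    $stmt = $db->prepare('SELECT stored_name, password_hash FROM files WHERE id = ?');
    $stmt->execute([$fileId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($suppliedPassword, $row['password_hash'])) {
        return false; // unknown id and wrong password look the same to the caller
    }
    $db->prepare('DELETE FROM files WHERE id = ?')->execute([$fileId]);
    return unlink(STORAGE_DIR . '/' . $row['stored_name']);
}
```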
 

aceO07

All files must have an individual password? Instead of files being associated as 'belonging' to a user or user group? It seems easier to make the files belong to a user/group instead of each file having a password. Then the associated users could delete the files instead of having to put in a password for each file.

I suppose it all depends on how this application will be used..

 

ChristianV

I suggest you assign each file to a user using a database. Of course, you need a login system for this (session based).
I think you can store the files in a folder which is not accessible by URL, but "send" the file to the user if he wants to download it using php.
 

NiKeFiDO

Originally posted by: Hyperblaze
you can password protect things very easily using php (don't even need htaccess for it)
upload the file using php in a form <form name="fileupload" method="post" enctype="multipart/form-data">.
keep track of all the file names in a database ($_FILES comes in handy) and save files in a particular location (is_uploaded_file, move_uploaded_file come in handy)
when you are going to your "file manager", have all the files on record being displayed in whatever fashion you want.
you could have 'X' or something to choose to delete the files (but have them go to a php file (delete.php?) with a get variable with the primary Id of the file from the table)
also have a password field in the table for each file, that you look up and figure out the password
if password is successful use a shell script hidden away to delete the file.

I hope I was able to explain this properly. If you have any questions or would like any ideas, let me know.

edit: you could edit them too, as well as download them, all with different passwords if you really wanted to.

This does not stop users from pointing directly to them via the URL.
The database use isn't great for scalability in this instance (IMO). And normalizing the db for this use will be a pain.
I am using the CodeIgniter framework in this case (it's a life saver) which doesn't use GET (not that that's a huge issue).

Originally posted by: aceO07
All files must have an individual password? Instead of files being associated as 'belonging' to a user or user group? It seems easier to make the files belong to a user/group instead of each file having a password. Then the associated users could delete the files instead of having to put in a password for each file.

I suppose it all depends on how this application will be used..

This is my current solution - I can write to .htaccess and .htpasswd and just password protect a directory for each user for their files that they wish to protect.

Originally posted by: ChristianV
I suggest you assign each file to a user using a database. Of course, you need a login system for this (session based).
I think you can store the files in a folder which is not accessible by URL, but "send" the file to the user if he wants to download it using php.

This system is a paid service which will include login systems which make the use of sessions (within the database for added security).
The idea of storing files in inaccessible areas is a good one, I'm not sure how to implement that, however. Do you have any examples of this?


Thanks all for your replies!
 

tfinch2

Originally posted by: NiKeFiDO
The idea of storing files in inaccessible areas is a good one, I'm not sure how to implement that, however. Do you have any examples of this?

You basically store the files outside of the www directory, therefore you can't access it by URL. Since your scripts reside on the same server as the files, with the right permissions they should have access to the entire file system and be able to serve them up to the users.
 

Hyperblaze

Originally posted by: NiKeFiDO
Originally posted by: Hyperblaze
you can password protect things very easily using php (don't even need htaccess for it)
upload the file using php in a form <form name="fileupload" method="post" enctype="multipart/form-data">.
keep track of all the file names in a database ($_FILES comes in handy) and save files in a particular location (is_uploaded_file, move_uploaded_file come in handy)
when you are going to your "file manager", have all the files on record being displayed in whatever fashion you want.
you could have 'X' or something to choose to delete the files (but have them go to a php file (delete.php?) with a get variable with the primary Id of the file from the table)
also have a password field in the table for each file, that you look up and figure out the password
if password is successful use a shell script hidden away to delete the file.

I hope I was able to explain this properly. If you have any questions or would like any ideas, let me know.

edit: you could edit them too, as well as download them, all with different passwords if you really wanted to.

This does not stop users from pointing directly to them via the URL.
The database use isn't great for scalability in this instance (IMO). And normalizing the db for this use will be a PITA.
I am using the CodeIgniter framework in this case (it's a life saver) which doesn't use GET (not that that's a huge issue).

You did not strictly specify that in your original specs. (How the hell was I supposed to know?)

Easy fix for it though. Remember that idea with delete? Use one for download. Except instead of doing delete, redirect to the file and it will allow users to download the file without ever knowing what the location is (with the password protection you want too).

Keep paths of files in a field in the database.


 

jsedlak

Store the files outside the web directory (or store them in a secure way, for example I store downloads as .aspx files on my server in a completely locked down directory that no one but the server has read access to) and then build the file in memory and pass it along via an HTTP response.
 

NiKeFiDO

Originally posted by: tfinch2
Originally posted by: NiKeFiDO
The idea of storing files in inaccessible areas is a good one, I'm not sure how to implement that, however. Do you have any examples of this?

You basically store the files outside of the www directory, therefore you can't access it by URL. Since your scripts reside on the same server as the files, with the right permissions they should have access to the entire file system and be able to serve them up to the users.

mmm - part of the scope is that I need to be able to have others other than the account holder be able to grab the files when the account holder "sends" it to them - the idea was to have the users be able to send an email that will have a link to the file. Outside of the www folder might therefore not work :(

There's probably a way around that...

Originally posted by: jsedlak
Store the files outside the web directory (or store them in a secure way, for example I store downloads as .aspx files on my server in a completely locked down directory that no one but the server has read access to) and then build the file in memory and pass it along via an HTTP response.

I'm not sure what you mean by "build the file in memory"
 

ChristianV

Originally posted by: NiKeFiDO
Originally posted by: tfinch2
Originally posted by: NiKeFiDO
The idea of storing files in inaccessible areas is a good one, I'm not sure how to implement that, however. Do you have any examples of this?

You basically store the files outside of the www directory, therefore you can't access it by URL. Since your scripts reside on the same server as the files, with the right permissions they should have access to the entire file system and be able to serve them up to the users.

mmm - part of the scope is that I need to be able to have others other than the account holder be able to grab the files when the account holder "sends" it to them - the idea was to have the users be able to send an email that will have a link to the file. Outside of the www folder might therefore not work :(

There's probably a way around that...

Originally posted by: jsedlak
Store the files outside the web directory (or store them in a secure way, for example I store downloads as .aspx files on my server in a completely locked down directory that no one but the server has read access to) and then build the file in memory and pass it along via an HTTP response.

I'm not sure what you mean by "build the file in memory"
First you ask me for an example, but you don't even look at it?
Because if you would have read that article I linked to, you would know that it is possible.
 

NiKeFiDO

Sorry, I read the article, it's just that I don't understand it all -

I think I was having a brain fart, tho - so the way it would work is this?:

The link that would be sent in these theoretical emails would be to a php file that then grabs the appropriate file and uses the headers to allow the user to download them? And this works with files outside of the www directory.

(i really appreciate your help!)
 

ChristianV

Ok, this is how I would do it:
A user uploads a file, and the server stores it outside the www directory, so it's not accessible by a normal url.
Then he "sends" the link to it via email to another user, whom he wants to allow the download. You would have to store in a database which user can download which files.
In this email, there's a link, which directs the user to your web page. There, the user has to authenticate himself (if he isn't already) and then the script checks if he/she has the permission to download that file.
If yes, it uses the xsendfile module to send this file to the user.
Also, you might want to read this:
http://tn123.ath.cx/mod_xsendfile/
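
The flow described in the posts above (login, permission lookup, then handing over a file kept outside the www directory), as an added example that is not code from the thread or from mod_xsendfile. The table names, `STORAGE_DIR`, the `APP_DSN` environment variable and the `id` query parameter are assumptions; it needs PHP 8 for `str_starts_with()`, and the `X-Sendfile` header only works with mod_xsendfile enabled (pass `false` to stream with `readfile()` instead).

```php
<?php
declare(strict_types=1);
// download.php - added example. Hypothetical schema:
//   files(id, stored_name, original_name), file_grants(file_id, user_id)
const STORAGE_DIR = '/var/app-storage/uploads'; // assumed canonical path outside the www directory

function resolve_download(PDO $db, int $fileId, int $userId): ?array
{
    // One query answers both "does it exist" and "may this user have it".
    $stmt = $db->prepare(
        'SELECT f.stored_name, f.original_name FROM files f
           JOIN file_grants g ON g.file_id = f.id
          WHERE f.id = ? AND g.user_id = ?'
    );
    $stmt->execute([$fileId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { return null; }
    // Refuse anything that does not resolve to a regular file inside STORAGE_DIR.
    $path = realpath(STORAGE_DIR . '/' . $row['stored_name']);
    if ($path === false || !str_starts_with($path, STORAGE_DIR . '/') || !is_file($path)) { return null; }
    return ['path' => $path, 'name' => $row['original_name']];
}

function send_download(array $file, bool $useXSendfile): void
{
    // Only safe characters of the uploader-supplied name reach the header.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $file['name']);
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    if ($useXSendfile) {
        header('X-Sendfile: ' . $file['path']); // Apache + mod_xsendfile sends the bytes
    } else {
        header('Content-Length: ' . filesize($file['path']));
        readfile($file['path']);
    }
}

session_start();
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!isset($_SESSION['user_id'])) { http_response_code(401); exit('Log in first'); }
$db = new PDO((string) getenv('APP_DSN'));
$file = is_int($fileId) ? resolve_download($db, $fileId, (int) $_SESSION['user_id']) : null;
// Same answer for "missing" and "not allowed", so the link reveals nothing by itself.
if ($file === null) { http_response_code(404); exit('Not found'); }
send_download($file, true);
```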