On May 25, 2013, at 13:38, Rafnews <[email protected]> wrote:
> Hi,
>
> I'm facing a problem and I don't know where to start and, in fact, how to do
> it.
>
> Situation:
> Users of my website should be able to save their resume files + cover letters
> on my webserver.
>
> problem:
> How to make their files SECURED from any hack? I mean only the file owner and web
> administrator (so in this case... myself) should have access to those files.
> User B should never be able to access, read or download files of user A.
>
> my guess:
> I was thinking to store files outside the public_html folder, in the following
> way:
>
> /resumes/user A/resume A
> /resumes/user A/cover letter A
>
> /resumes/user B/resume B - US
> /resumes/user B/resume B - ES
> /resumes/user B/cover letter B
>
> Questions:
> 1. How can I allow a user to have access to folders/files outside public_html?
> 2. How can I ensure that user A has access to his own files ONLY?
>
> I searched on the internet for some help but I did not find anything really
> relevant... only theory and nothing really in detail.
>
> I need your help.
> thx.
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
You will have to make a few scripts that check whether User A is logged in or
not, read the files with PHP, change the default headers and print the output,
which should be the exact same document. A quick example would be:
<?php
session_start(); // $_SESSION is only populated after this call

// file_exists also checks whether a directory exists
if (!empty($_SESSION['userId']) &&
    file_exists(dirname(__FILE__).'/../resumes/'.$_SESSION['userId'])) {
    $file = dirname(__FILE__).'/../resumes/'.$_SESSION['userId'].'/resume A.doc';
    // all the necessary headers, check out the documentation for the header()
    // function on php.net
    header('Content-Type: application/msword');
    header('Content-Disposition: attachment; filename="resume A.doc"');
    echo file_get_contents($file);
}
Above is basic pseudo-code, not tested. Now all you have to care about is that
userId is correctly set and that nobody can hijack that user account.
Greetings.
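
An added example, not part of the original thread or of the reply above: a download script that serves one of the logged-in user's own files from outside public_html and refuses any name that resolves outside that user's directory. It assumes an integer $_SESSION['userId'] set at login, per-user directories named by that id, a hypothetical ?file= request parameter, and a hypothetical RESUME_ROOT path.

```php
<?php
// Hypothetical storage root outside public_html (assumption: adjust to your layout).
define('RESUME_ROOT', dirname(__FILE__) . '/../resumes');

// Return the real path of $name inside the user's own directory, or null.
function resolve_user_file($root, $userId, $name)
{
    // The directory comes from the session only, never from the request.
    $userDir = realpath($root . '/' . (int) $userId);
    if ($userDir === false || !is_dir($userDir)) {
        return null;
    }
    // basename() drops any directory part, so "../12/cv.doc" becomes "cv.doc".
    $path = realpath($userDir . '/' . basename($name));
    // realpath() resolves symlinks; the result must still sit inside $userDir.
    if ($path === false || !is_file($path)
        || strpos($path, $userDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['userId'])) {
    http_response_code(403);
    exit('Not logged in');
}

// Reject missing or non-string values such as ?file[]=x.
$requested = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : '';
$path = resolve_user_file(RESUME_ROOT, $_SESSION['userId'], $requested);
if ($path === null) {
    http_response_code(404);
    exit('No such file');
}

// Force a download and stop the browser from guessing a renderable type.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="'
    . addcslashes(basename($path), '"\\') . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the directory is derived from the session and the file name is reduced with basename() before the realpath() containment check, a request from user B cannot name a path under user A's directory.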