Hi!

I am writing software for an elearning platform. Validation is performed via PHP and MySQL. All content is uploaded into a folder protected from all direct access by .htaccess, and content is only served to users via a PHP routine that validates student credentials and then fopens the file and sends it to the browser.

This is ok for all regular types of content (flash, gif, pdf, etc.), but cannot be used for content uploaded as regular HTML pages and graphics.

Does anyone know what would be a good idea to protect this type of content as much as possible? I thought of placing it in a randomly named directory, and linking to the content within an iframe to hide the address as much as possible, but is there a better way of doing this?

Thanks!

A: 

One way of solving this problem is to have an intermediary script serving the binary content (based on user privileges) from a protected location.

So a typical file download URL instead of /resources/foo.pdf would be /download.php?foo.pdf

cherouvim
Yes, I have done that already for regular files, but the problem is when the content itself is composed of HTML pages that have to be served directly.
Why would you need to serve them directly? Why not just pass the HTML through the same kind of PHP script you use for other resource types?
timdev
Would that work, considering links and images within the content? Haven't tried, but just figured it would not...
A: 

You could serve non-HTML (or non-text) as cherouvim suggests, and store HTML (all text, really) in a database table. Your download.php script would then have to be smart enough to query the database for .html, etc. files.

The problem then is that any images or other assets would have the wrong URL (e.g. <img src="image.jpg"/> instead of <img src="download.php?image.jpg"/>). You'd have to re-write the links to these assets in the saved HTML in the database -- you could probably do this with a combination of an XML interpreter (to pull all the img tags and other tags that link to files) and regular expressions to determine which need to be rewritten (e.g. rewrite src="image.jpg" but not src="http://google.com/image.jpg").

Not the most elegant solution ever, but I think it would work.

Max Masnick
Yeah, but still a nightmare to parse - imagine frames, embedded SWF, etc. etc.
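
The link rewriting described in the answer above, as an added example that is not part of the original posts: it parses the stored HTML with PHP's DOM extension and points document-relative src/href/data attributes at the download.php?file form used on this page, leaving absolute URLs untouched. The `$courseDir` parameter, the helper names and the sample markup are assumptions made for the example.

```php
<?php
const GATEKEEPER = 'download.php'; // script name taken from the answers above

// True only for document-relative URLs such as "image.jpg" or "img/a.png".
function isRelativeUrl(string $url): bool
{
    // Leave fragments, root-relative and protocol-relative URLs alone.
    if ($url === '' || $url[0] === '#' || $url[0] === '/') {
        return false;
    }
    // Leave anything with a scheme alone (http:, https:, mailto:, data:, ...).
    return preg_match('/^[a-z][a-z0-9+.-]*:/i', $url) !== 1;
}

// $courseDir (hypothetical) is the folder of the page inside the protected store.
function rewriteAssetLinks(string $html, string $courseDir): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // uploaded HTML is rarely well-formed
    $doc->loadHTML($html);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    // img/script/iframe/frame/embed use src, a/link use href, object uses data.
    foreach ($xpath->query('//*[@src or @href or @data]') as $node) {
        foreach (['src', 'href', 'data'] as $attr) {
            $url = trim($node->getAttribute($attr));
            if (isRelativeUrl($url)) {
                $target = $courseDir . '/' . $url;
                $node->setAttribute($attr, GATEKEEPER . '?' . rawurlencode($target));
            }
        }
    }
    return $doc->saveHTML();
}

// Constructed sample page, not content from the original post.
$sample = '<p><img src="image.jpg"><img src="http://google.com/image.jpg">'
        . '<a href="lesson2.html">Next</a><embed src="intro.swf"></p>';
echo rewriteAssetLinks($sample, 'course42');
```

The rewritten value comes back from the browser, so download.php still has to decode it, resolve it against the protected folder (for example with realpath()) and refuse anything that lands outside that folder before applying the credential check.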
+1  A: 

I may be a bit late on this, but in case somebody else looks for this... Maybe you can give those files an extra extension, and then tell Apache (or whoever) that PHP will actually be handling those files. For example, you have an 'example.html' file, rename it to 'example.html.answers'. Then when you need to serve the 'name.html' file, you actually pass the 'name.html'.'answers' argument.

zladuric