Hi all,

In my application, I have a provision for users to upload files like doc, xls, zip, etc. I would like to know how to store these files on my website and have only restricted people access it. I may have a group of people and let only these group access those uploaded files. I know that some may try to just copy the link to the document or the file and pass it to another (non-permitted) user and they can download it. So how can I prevent it? How can I check if the request to download the file was made by a legitimate user who has access to the file? The usernames of the group members are stored in the database along with the document name and location in the database so they can access it. But how do I prevent non-permitted users from being able to access that confidential data in all ways?

With the above in mind, how do I store these documents? Do I store the documents in a blob column in the Database or just let the user upload to a folder and merely store the path to the file in the database? The security of the documents is of utmost importance. So any procedure that could facilitate this feature would definitely help. I am not into Object Oriented programming so if you have a simpler code that you would like to share with me, I would greatly appreciate it.

Also how do I archive documents that are old? Like say there are documents that are 1 year old and I want to conserve my website space by archiving them but still make them available to the user when they need it. How do I go about this?

Thank you.

A: 

Store them as a BLOB in the database. That way you can associate files to user groups and have security restrictions as you would normally do with users-related websites.

Ben
@Ben, same questions to you as well. 1. Will I not need special code to make sure that a legitimate user is requesting the file? I mean users can share links with each other. So how can I make a check (via PHP code) to make sure that only a legitimate user is requesting to download the file? 2. How do I archive files and access archived files?
Devner
@Devner - Depends, if one file has only one user then in the files table you must have a foreign key to the user's id. If one file has multiple users you must have a files-users relation table, one column would be a foreign key to the users table and another would be a foreign key to the files table. After that you could do a SELECT to fetch the IDs of the users that can download file X and compare that to the current user id in the PHP SESSION. Now, this works assuming you're using SESSIONS and that users must be logged in to download files.
Ben
@Devner - Google up how to upload/serve BLOBs in MySQL using PHP. Basically you're going to have a 'download.php' in which you get through POST or GET the file id, check if the id in the user SESSION has clearance to download the file and then serve it sending some headers. Sounds complicated but it is not.
Ben
@Ben Thanks for the hints. I will try that out. Any help on archiving, please?
Devner
@Devner: Actually, I don't see the big issues in what you're asking. I'm not trying to be rude or anything, but - RTFM. This isn't the hardest exercise. Try googling ;)
Sune Rasmussen
@Devner: If you upload files manually and you're using phpMyAdmin uploading files is pretty straightforward. In a test DB declare a BLOB and play with it for a while. If you want PHP to upload the file it's similar to uploading files through a form to the server, but instead of placing it in the folder you save it in the DB. Please refer to Google about this. Once your file is stored in the DB it will be as safe as your admin password. Just remember to check the user id in the users SESSIONS to see if they're allowed to download that file.
Ben
@Ben Thank you. Any hints on archiving?
Devner
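The download.php that Ben's comments describe, written out as an added example (not code from the thread). It assumes a files table with a BLOB column and a files_users relation table, a logged-in user id in $_SESSION['user_id'], and placeholder database credentials; the authorization check is done per request, so a copied link is worthless without a session that is mapped to the file.

```php
<?php
// download.php: serve a BLOB-stored file only to a logged-in user who is
// listed in the files_users relation table for that file.
// Assumed schema (not from the original thread):
//   files(id, name, mime_type, content BLOB) and files_users(file_id, user_id)
session_start();

// Every request is authorised server-side; the link alone grants nothing.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($fileId === false || $fileId === null) {
    http_response_code(400);
    exit('Bad file id');
}

// Placeholder credentials; use your own connection settings.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// One prepared query does both the lookup and the permission check: the
// join to files_users returns a row only if the current user may read it.
$stmt = $pdo->prepare(
    'SELECT f.name, f.mime_type, f.content
       FROM files f
       JOIN files_users fu ON fu.file_id = f.id
      WHERE f.id = :file_id AND fu.user_id = :user_id'
);
$stmt->execute([':file_id' => $fileId, ':user_id' => $_SESSION['user_id']]);
$file = $stmt->fetch(PDO::FETCH_ASSOC);

if ($file === false) {
    // Same response for "no such file" and "not yours", so users cannot
    // probe which file ids exist.
    http_response_code(404);
    exit('Not found');
}

// Send the bytes directly instead of echoing a link to a folder on disk.
header('Content-Type: ' . $file['mime_type']);
header('Content-Length: ' . strlen($file['content']));
header('Content-Disposition: attachment; filename="' . basename($file['name']) . '"');
header('X-Content-Type-Options: nosniff');
echo $file['content'];
```

Because the file never lives under the web root, there is no direct URL to share; the only way to get the bytes is through this script and its session check.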
A: 

Decided to throw in an answer anyhow ;)

Here's a simple, but I think useful (haven't used it myself, just quickly found it for you) guide to uploading and downloading files to/from databases.

The uploading part of it looks good, but don't use the part of the download section that wants to echo links to the files - I don't think that's what you want. Echo the file contents immediately instead as the tutorial also describes, remembering to set the header.

Sune Rasmussen
@Sune Look like we both landed on the same website while Googling. I was actually trying to implement that procedure. Thanks though.
Devner