[nycphp-talk] protecting download directory in PHP app on Unix box?
John Campbell
jcampbell1 at gmail.com
Wed May 28 16:17:07 EDT 2008
On Wed, May 28, 2008 at 3:24 PM, Steve Manes <smanes at magpie.com> wrote:
> MD5. Here's a function I use in a file_store class to generate a munged
> directory file path given (for instance) a user's unique ID.
>
> public function generate_upload_path($id)
> {
>     $hash = md5($id);
>     $p1 = substr($hash, 0, 3);
>     $p2 = substr($hash, 3, 3);
>
>     return $this->attachments_dir . "/$p1/$p2/$id";
> }
What is the point of this? It offers no security -- if one knows the
id, then they know $p1 and $p2. Why not just put it in a folder
of the id?
If you want to make $p1 and $p2 harder to guess, you will need to do
something like:
$hash = md5(md5("a secret long enough that it can't be rainbowed") . $id);
-John C.
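
The difference between the two derivations discussed in this message, as an added example that is not code from either poster. HMAC-SHA256 is swapped in for the nested md5() call, and the function names, secret, base directory, id and the id format check are assumptions made for the illustration.

```php
<?php
// Added illustration; every name and value below is constructed.

// Unkeyed variant, as in the quoted function: anyone who knows $id
// can recompute both directory levels with a plain md5().
function unkeyed_upload_path(string $base, string $id): string
{
    $hash = md5($id);
    return $base . '/' . substr($hash, 0, 3) . '/' . substr($hash, 3, 3) . '/' . $id;
}

// Keyed variant: the directory levels depend on a server-side secret.
// HMAC-SHA256 is used here in place of the nested md5() in the reply.
function keyed_upload_path(string $base, string $secret, string $id): string
{
    // Refuse ids that could escape the base directory (e.g. "../").
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        throw new InvalidArgumentException('invalid id');
    }
    $mac = hash_hmac('sha256', $id, $secret);
    return $base . '/' . substr($mac, 0, 3) . '/' . substr($mac, 3, 3) . '/' . $id;
}

$base   = '/var/app/attachments';                 // constructed path
$secret = 'constructed-demo-secret-keep-outside-webroot';
$id     = '1042';                                 // constructed user id

// Identical for anyone who runs md5() on the id.
echo unkeyed_upload_path($base, $id), "\n";

// Changes with the secret; the id alone is not enough to recompute it.
echo keyed_upload_path($base, $secret, $id), "\n";
echo keyed_upload_path($base, 'a-different-secret', $id), "\n";

// A traversal-style id is rejected instead of being turned into a path.
try {
    keyed_upload_path($base, $secret, '../../etc/passwd');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```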