[nycphp-talk] protecting download directory in PHP app on Unix box?
Kristina Anderson
ka at kacomputerconsulting.com
Wed May 28 16:38:20 EDT 2008
John -- as long as
1. The actual filepath is not exposed to the user at any point; and
2. The download is authenticated against their unique PayPal
transaction ID beforehand (certifying payment received); and
3. The directory storing the files is outside the web root in some
secure location --
I think I am fully covered...yes?
-- Kristina
> On Wed, May 28, 2008 at 3:24 PM, Steve Manes <smanes at magpie.com> wrote:
> > MD5. Here's a function I use in a file_store class to generate a munged
> > directory file path given (for instance) a user's unique ID.
> >
> > public function generate_upload_path($id)
> > {
> >     // Two directory levels of three hex characters each, taken from
> >     // md5($id); the file itself keeps $id as its name.
> >     $hash = md5($id);
> >     $p1 = substr($hash, 0, 3);
> >     $p2 = substr($hash, 3, 3);
> >
> >     return $this->attachments_dir . "/$p1/$p2/$id";
> > }
>
> What is the point of this? It offers no security -- if one knows the
> id, then they know $p1 and $p2. Why not just put it in a folder
> of the id?
>
> If you want to make $p1 and $p2 harder to guess, you will need to do
> something like:
> $hash = md5(md5("a secret long enough that it can't be rainbowed") . $id);
>
> -John C.
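Putting Kristina's three conditions and John's keyed-hash suggestion together in one download handler, as an added example; this is not code posted by anyone in the thread. It assumes the files live under /srv/downloads (outside the web root), that the per-site secret is in the environment variable DOWNLOAD_PATH_SECRET, and that the application already keeps a record of PayPal transaction IDs whose payment completed; the $paid_orders and $catalog arrays below are constructed stand-ins for that record. hash_hmac replaces the md5(md5(secret) . $id) construction with the standard keyed hash, which does the same job without the nested-md5 trick.

```php
<?php
// Added example, not from the thread. Assumes: STORE_DIR is outside the web
// root, DOWNLOAD_PATH_SECRET is set in the environment, and the arrays below
// stand in for the app's table of completed PayPal transactions.
declare(strict_types=1);

const STORE_DIR = '/srv/downloads';

/**
 * Keyed version of the munged directory path. Without $secret, knowing $id
 * does not let anyone compute $p1/$p2, which plain md5($id) cannot guarantee.
 */
function storage_dir(string $id, string $secret): string
{
    $hash = hash_hmac('sha256', $id, $secret);
    $p1 = substr($hash, 0, 3);
    $p2 = substr($hash, 3, 3);
    return STORE_DIR . "/$p1/$p2";
}

/**
 * Map a transaction ID to the file it entitles the buyer to, or null.
 * The only client-supplied value is $txn_id; the file path is built entirely
 * from server-side data, so the user never sees or controls a path.
 */
function authorize_download(string $txn_id, array $paid_orders, array $catalog, string $secret): ?string
{
    // 1. Payment check: an unknown or unpaid transaction gets nothing.
    if (!isset($paid_orders[$txn_id])) {
        return null;
    }
    $product = $paid_orders[$txn_id];
    if (!isset($catalog[$product])) {
        return null;
    }

    // 2. Path from server-side data only (keyed hash + catalogued file name).
    $path = storage_dir($product, $secret) . '/' . $catalog[$product];

    // 3. Defence in depth: the resolved file must still sit inside STORE_DIR,
    //    even though nothing user-controlled went into the path.
    $real = realpath($path);
    $base = realpath(STORE_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Stream a file that the web server cannot serve directly. */
function send_file(string $path, string $download_name): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . rawurlencode($download_name) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Constructed sample data: in the real app these rows come from the record
// written when PayPal confirmed the payment.
$paid_orders = ['8XY12345AB678901C' => 'ebook-101'];
$catalog     = ['ebook-101' => 'ebook-101.pdf'];

$secret = getenv('DOWNLOAD_PATH_SECRET') ?: '';
if ($secret === '') {
    http_response_code(500);
    exit('Download secret not configured');
}

$txn  = (string) ($_GET['txn'] ?? '');
$path = authorize_download($txn, $paid_orders, $catalog, $secret);
if ($path === null) {
    http_response_code(403);
    exit('Download not authorized');
}
send_file($path, $catalog[$paid_orders[$txn]]);
```

One caveat a practitioner would add to the three conditions: in this design the transaction ID is the credential, so it has to be treated like one (sent only over TLS, not logged in URLs, and ideally tied to a logged-in account or an expiring token rather than honoured indefinitely).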